APT28 Hackers Hijack Routers to Steal Credentials, New Insights Revealed

High severity — significant development or major threat actor activity
Russian hackers are using weaknesses in internet routers to trick them into sending your data to the hackers instead of the real websites. They can steal your passwords and other important information. It's like if someone changed the address on your letters so they go to them instead of you!
APT28 hackers have been hijacking routers to steal credentials, with new insights revealing their tactics and the vulnerabilities exploited. The UK’s NCSC warns organizations to bolster their defenses.
What Happened
The UK’s National Cyber Security Centre (NCSC) has issued a warning regarding the Russian hacking group APT28, which has been hijacking vulnerable internet routers to redirect traffic through attacker-controlled servers, ultimately stealing credentials from targeted organizations. The advisory, published on April 7, 2026, outlines two new malicious campaigns attributed to APT28, which have been exploiting public vulnerabilities in routers since at least 2024.
Who's Affected
APT28's operations primarily target small office/home office (SOHO) routers, particularly models like the TP-Link WR841N and MikroTik routers. The NCSC has noted that these attacks are opportunistic, aiming to cast a wide net before focusing on specific victims of intelligence value.
What Data Was Exposed
The attackers modify the dynamic host configuration protocol (DHCP) DNS settings of compromised routers to include actor-owned IP addresses. This allows them to intercept traffic from downstream devices, including laptops and smartphones, capturing sensitive data such as passwords and authentication tokens. The malicious DNS servers resolve requests for domain names associated with key services, such as email applications, to actor-controlled IPs.
The Flaw
The main vulnerability exploited by APT28 is CVE-2023-50224, which allows unauthenticated attackers to gain access to sensitive information via specially crafted HTTP GET requests. This flaw enables attackers to modify router settings, replacing legitimate DNS servers with malicious ones, thereby controlling how traffic is routed.
What's at Risk
Organizations using vulnerable router models are at significant risk, especially those that have not implemented robust security measures. The NCSC emphasizes that the exploitation of widely used network devices can have serious implications for cybersecurity, particularly for organizations in sensitive sectors.
Patch Status
While specific patches for the vulnerabilities exploited by APT28 have not been detailed in the advisory, the NCSC advises organizations to ensure their routers are running the latest firmware and to apply security updates promptly.
Immediate Actions
To mitigate the risks associated with these attacks, the NCSC recommends the following actions:
- Implement browse-down architecture to limit privileged access.
- Regularly update to the latest supported versions of firmware and software.
- Deploy antivirus solutions and conduct regular malware scans.
- Use allowlisting for applications.
- Implement host-based intrusion detection systems.
- Utilize multifactor authentication (MFA) wherever possible.
Paul Chichester, NCSC Director of Operations, stated, "This activity demonstrates how exploited vulnerabilities in widely used network devices can be leveraged by sophisticated hostile actors. We strongly encourage organizations and network defenders to familiarize themselves with the techniques described in the advisory and to follow the mitigation advice."
🔍 How to Check If You're Affected
1. Monitor DNS traffic for unusual patterns or requests to known malicious IP addresses.
2. Implement logging on routers to track configuration changes.
3. Regularly audit router firmware and configurations for unauthorized changes.
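One concrete form of the DNS and configuration checks above, added here as an example and not taken from the NCSC advisory or the article: parse the DNS-server option (option 6) that a router pushes to its clients in a DHCP ACK and flag any resolver that is not on the defender's allowlist. The packet bytes and all addresses are constructed samples from the RFC 5737 documentation ranges; in practice the input would come from a DHCP capture or the client's lease data.

```python
"""Audit the resolvers a router advertises via DHCP option 6 (DNS servers).
Clients behind a hijacked router receive actor-controlled resolvers in the
DHCP OFFER/ACK; this flags any resolver not on the allowlist. Sample data is constructed."""
import ipaddress

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_DNS_SERVERS, OPT_END = 0, 6, 255


def parse_dhcp_options(options: bytes) -> dict[int, bytes]:
    """Walk the option TLVs that follow the magic cookie; stop at END (255)."""
    if not options.startswith(DHCP_MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    parsed, i = {}, len(DHCP_MAGIC_COOKIE)
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:  # single-byte padding has no length field
            i += 1
            continue
        length = options[i + 1]
        parsed[code] = options[i + 2:i + 2 + length]
        i += 2 + length
    return parsed


def advertised_dns_servers(options: bytes) -> list[str]:
    """Resolvers in option 6, one IPv4 address per 4 bytes, in router order."""
    raw = parse_dhcp_options(options).get(OPT_DNS_SERVERS, b"")
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) // 4 * 4, 4)]


def rogue_dns_servers(options: bytes, allowlist: set[str]) -> list[str]:
    """Resolvers pushed by the router that are not on the expected list."""
    return [s for s in advertised_dns_servers(options) if s not in allowlist]


# Constructed DHCP ACK options: message type (53) = ACK, server id (54),
# then option 6 with two resolvers; 198.51.100.7 stands in for a rogue one.
SAMPLE_ACK_OPTIONS = (
    DHCP_MAGIC_COOKIE
    + bytes([53, 1, 5])
    + bytes([54, 4]) + ipaddress.IPv4Address("192.0.2.1").packed
    + bytes([OPT_DNS_SERVERS, 8]) + ipaddress.IPv4Address("192.0.2.53").packed
    + ipaddress.IPv4Address("198.51.100.7").packed
    + bytes([OPT_END])
)
EXPECTED_RESOLVERS = {"192.0.2.53"}  # the organisation's sanctioned resolver (constructed)

if __name__ == "__main__":
    print("rogue resolvers:", rogue_dns_servers(SAMPLE_ACK_OPTIONS, EXPECTED_RESOLVERS))
```

Any non-empty result should be treated as a router configuration change to investigate, alongside the router's own change logs.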
The ongoing activities of APT28 underscore the importance of securing network devices against known vulnerabilities. Organizations should prioritize updating firmware and implementing multi-layered security strategies to protect sensitive data.