{"id":16723,"date":"2026-04-08T10:16:15","date_gmt":"2026-04-08T17:16:15","guid":{"rendered":"https:\/\/jasonsblog.ddns.net\/?p=16723"},"modified":"2026-04-08T10:16:15","modified_gmt":"2026-04-08T17:16:15","slug":"russian-state-hackers-are-hijacking-tp-link-and-mikrotik-routers-to-steal-outlook-credentials-cybersecurity-center-warns-apt28-group-targets-dns-and-redirects-traffic-to-attacker-controlled","status":"publish","type":"post","link":"https:\/\/jasonsblog.ddns.net\/index.php\/2026\/04\/08\/russian-state-hackers-are-hijacking-tp-link-and-mikrotik-routers-to-steal-outlook-credentials-cybersecurity-center-warns-apt28-group-targets-dns-and-redirects-traffic-to-attacker-controlled\/","title":{"rendered":"Russian State Hackers Are Hijacking Tp-Link and MikroTik Routers to Steal Outlook Credentials, Cybersecurity Center Warns \u2014 APT28 Group Targets DNS and Redirects Traffic to Attacker-Controlled Servers"},"content":{"rendered":"\n<p>This seems like a suspicious report though there could be some truth to it, as a lot of people don&#8217;t update their router firmware or properly configure them. But given the US government&#8217;s recent banning of foreign routers as a supposed security threat, this is more about backdoors into the equipment. And the lack of MikroTik specifics seems suspicious, as no other company updates and advances their router and switch firmware features as much as MikroTik, who also sells a lot of economical equipment to ISPs and enterprises without locking down features for more money if the hardware supports it, like some overpriced enterprise companies&#8230; Also, a lot of MikroTik devices like my router support opensource firmware projects too. 
Consequently, Sam Bent had a <a href=\"https:\/\/youtu.be\/Tu9ceIWrcUc?si=28Z-fbJHANWWoP09\" target=\"_blank\" rel=\"noreferrer noopener\">video<\/a> about a lot of consumer grade equipment having backdoors&#8230;<\/p>\n\n\n\n<p><a href=\"https:\/\/www.tomshardware.com\/tech-industry\/cyber-security\/ncsc-says-russian-gru-hackers-are-hijacking-tp-link-and-mikrotik-routers\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.tomshardware.com\/tech-industry\/cyber-security\/ncsc-says-russian-gru-hackers-are-hijacking-tp-link-and-mikrotik-routers<\/a><\/p>\n\n\n<div class=\"wp-block-ub-divider ub_divider ub-divider-orientation-horizontal\" id=\"ub_divider_6110be16-2a45-4481-bf7d-7484813f352d\"><div class=\"ub_divider_wrapper\" style=\"position: relative; margin-bottom: 2px; width: 100%; height: 2px; \" data-divider-alignment=\"center\"><div class=\"ub_divider_line\" style=\"border-top: 2px solid #ccc; margin-top: 2px; \"><\/div><\/div><\/div>\n\n\n<p>By Luke James <\/p>\n\n\n\n<p>Traffic is being redirected through attacker-controlled servers.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.mos.cms.futurecdn.net\/Co6ZLWZpkb6GQGvf7VbqN9.png\" alt=\"Outlook logo\"\/><figcaption class=\"wp-element-caption\">(Image credit: Microsoft)<\/figcaption><\/figure>\n\n\n\n<p id=\"elk-5233c0ab-38eb-4474-b814-19c028f5b261\">The UK National Cyber <a href=\"https:\/\/www.tomshardware.com\/tag\/security\">Security<\/a> Centre (NCSC) on Tuesday <a href=\"https:\/\/www.ncsc.gov.uk\/news\/apt28-exploit-routers-to-enable-dns-hijacking-operations\" target=\"_blank\" rel=\"noreferrer noopener\">published <\/a>an advisory warning that Russian state hacking group APT28 has been exploiting vulnerable small office and home office (SOHO) routers since 2024 to overwrite their DHCP and DNS settings, redirecting downstream traffic through attacker-controlled DNS servers to harvest passwords and authentication tokens for web and email services. 
The NCSC assesses that APT28 is &#8220;almost certainly&#8221; the Russian Main Intelligence Directorate (GRU)&#8217;s 85th Main Special Service Centre, Military Intelligence Unit 26165.<\/p>\n\n\n\n<p>According to the advisory, the actor has been configuring virtual private servers to act as malicious DNS resolvers, then pointing compromised SOHO routers at them by rewriting the routers&#8217; DHCP DNS settings. Laptops, phones, and other downstream devices on the network inherit those settings automatically and begin sending lookups to the attacker-controlled infrastructure.<\/p>\n\n\n\n<p id=\"elk-5233c0ab-38eb-4474-b814-19c028f5b261-2\">Lookups for domains tied to targeted services, such as login pages, get pointed to further attacker-owned IPs that host adversary-in-the-middle infrastructure. Meanwhile, requests outside the targeting criteria are resolved to the legitimate addresses to avoid breaking the connection.<\/p>\n\n\n\n<p>Once a victim connects through the attacker&#8217;s infrastructure, APT28 attempts to capture passwords and OAuth or similar authentication tokens from both browser sessions and desktop applications. Targeted domains listed in the advisory include autodiscover-s.outlook.com, imap-mail.outlook.com, outlook.live.com, outlook.office.com, and outlook.office365.com.<\/p>\n\n\n\n<p>The TP-Link WR841N router is named by the NCSC as one of the models APT28 has been exploiting, likely using CVE-2023-50224, an unauthenticated information disclosure flaw that allows an attacker to retrieve credentials through an HTTP GET request. 
When the threat actor has the router\u2019s credentials, a second GET request rewrites the DHCP DNS settings, setting the primary DNS to a malicious IP and the secondary to the original primary.<\/p>\n\n\n\n<p>The advisory lists more than 20 additional TP-Link models targeted in the campaign, including the Archer C5 and C7, the WDR3500, WDR3600, and WDR4300, the WR1043ND, the MR3420 and MR6400 LTE routers, and several variants of the WR740N, WR840N, WR841N, WR842N, WR845N, and WR941ND. A second cluster of attacker infrastructure received DNS requests forwarded from compromised MikroTik routers as well as TP-Link gear, and was also used in interactive operations against a smaller set of MikroTik routers &#8220;often located in Ukraine&#8221; that the NCSC said were likely of intelligence value.<\/p>\n\n\n\n<p>The NCSC describes the campaign as opportunistic, with APT28 casting a wide net across exposed routers and then filtering the resulting victim pool for targets of intelligence interest at each stage. In terms of mitigation, the NCSC recommends the usual advice of keeping router firmware updated, never exposing management interfaces to the internet, and enabling multi-factor authentication on accounts that could be vulnerable to credential theft.<\/p>\n\n\n\n<p>APT28, also tracked as Fancy Bear, Forest Blizzard, and Sofacy, has previously been linked by the NCSC to the <a href=\"https:\/\/www.tomshardware.com\/tech-industry\/cyber-security\/germany-summons-russian-ambassador-over-gru-linked-cyberattacks-on-atc-and-elections\">2015 hack of the German Bundestag<\/a> and the 2018 attempted intrusion at the Organisation for the Prohibition of Chemical Weapons.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This seems like a suspicious report though there could be some truth to it, as a lot of people don&#8217;t update their router firmware or properly configure them. 
But given the US government&#8217;s recent banning of foreign routers as a supposed security threat, this is more about backdoors into the equipment. And the lack of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,7],"tags":[],"class_list":["post-16723","post","type-post","status-publish","format-standard","hentry","category-tech","category-world"],"blocksy_meta":[],"featured_image_src":null,"author_info":{"display_name":"Jason","author_link":"https:\/\/jasonsblog.ddns.net\/index.php\/author\/jturning\/"},"_links":{"self":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/16723","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/comments?post=16723"}],"version-history":[{"count":1,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/16723\/revisions"}],"predecessor-version":[{"id":16724,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/16723\/revisions\/16724"}],"wp:attachment":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/media?parent=16723"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/categories?post=16723"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/tags?post=16723"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}