APT28 DNS Hijacking Operations: What Happened?
APT28 DNS hijacking is a sophisticated cyber threat that has recently been highlighted by the UK National Cyber Security Centre (NCSC). Within the first half of 2024, Russian-linked threat actor APT28 exploited vulnerable routers to hijack DNS settings. This attack technique enables adversary-in-the-middle operations, allowing the attacker to redirect network traffic through malicious DNS servers and steal credentials from targeted organisations.
Understanding DNS and DNS Hijacking
The Domain Name System (DNS) is a fundamental protocol that translates human-friendly domain names into IP addresses. DNS hijacking occurs when threat actors manipulate DNS records or settings to redirect users to malicious websites, enabling phishing or theft of sensitive login information.
- DNS protocol resolves domain names to IP addresses
- DNS hijacking manipulates DNS responses to redirect clients
- Attackers can host phishing pages or steal authentication credentials
APT28’s Exploitation Methods
APT28, also known as Fancy Bear or Forest Blizzard, is a Russian state-sponsored group well known for targeting Western organisations. In this campaign, APT28 compromised vulnerable routers and overwrote their DHCP/DNS settings, so that the routers handed attacker-controlled DNS server addresses to downstream devices, including laptops and phones. The attackers filtered the DNS traffic to identify users of intelligence interest, harvesting passwords, OAuth tokens and other authentication credentials from web and email services.
Why APT28 DNS Hijacking Matters for Organisations
Risks of Adversary-in-the-Middle Attacks
APT28 DNS hijacking enables adversary-in-the-middle (AitM) attacks. This means network traffic, including sensitive login details, passes through attacker-controlled infrastructure. The risk is not limited to credential theft; it can also lead to data manipulation and further compromise of organisational systems.
- Credential theft (passwords, tokens)
- Data manipulation and potential sabotage
- Broader compromise through lateral movement
Scope and Opportunistic Nature
NCSC reports that APT28’s operations have targeted a wide pool of organisations, including small office and home office (SOHO) environments. The campaign is opportunistic: attackers compromise many devices, then focus on those yielding valuable intelligence, such as government or corporate credentials.
Potential Impact on Business Operations
Successful DNS hijacking can lead to:
- Disruption of email and web services
- Loss of sensitive data or intellectual property
- Damage to reputation and trust
- Regulatory consequences for data breaches
How Organisations Should Respond to DNS Hijacking Threats
Mitigating Router Vulnerabilities
Routers are a crucial security boundary. APT28 exploited publicly known vulnerabilities, so regular patching and firmware updates are essential. Organisations should review their inventory to identify and secure all network devices, especially SOHO routers.
- Apply security patches and firmware updates promptly
- Replace unsupported or end-of-life routers
- Disable remote management interfaces where possible
Securing DNS Infrastructure
Organisations should monitor DNS settings and traffic for signs of compromise. Implementing secure DNS protocols, such as DNSSEC or encrypted DNS (DoH/DoT), can help reduce risk. Restrict changes to DHCP/DNS settings and require authentication for administrative access.
- Monitor DNS server addresses configured on devices
- Regularly audit router and firewall logs
- Use trusted DNS resolvers and enable DNSSEC
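The first two checks above, as an added example (not from the NCSC report or this article): a Python audit that compares the resolver addresses a router advertises in its DHCP log, and the resolvers a host has ended up with in resolv.conf, against an allowlist of the organisation's own resolvers. The log format, addresses and allowlist are constructed for illustration; real DHCP log formats vary by vendor.

```python
import re
from typing import Iterable

# Constructed allowlist of resolvers the organisation actually operates.
APPROVED_RESOLVERS = frozenset({"10.0.0.53", "10.0.1.53"})

# Constructed DHCP server log lines; the third lease hands out a resolver that
# is not on the allowlist. Vendor formats differ: adjust _LEASE to match yours.
SAMPLE_DHCP_LOG = """\
Jun 12 09:14:02 router dhcpd: DHCPACK on 10.0.5.21 to aa:bb:cc:dd:ee:01 dns 10.0.0.53,10.0.1.53
Jun 12 09:15:44 router dhcpd: DHCPACK on 10.0.5.22 to aa:bb:cc:dd:ee:02 dns 10.0.0.53,10.0.1.53
Jun 12 11:02:10 router dhcpd: DHCPACK on 10.0.5.23 to aa:bb:cc:dd:ee:03 dns 198.51.100.7,10.0.0.53
"""

# Constructed resolv.conf from a host that picked up the rogue resolver first.
SAMPLE_RESOLV_CONF = """\
search corp.example
nameserver 198.51.100.7
nameserver 10.0.0.53
"""

_LEASE = re.compile(r"DHCPACK on (\S+) .*?\bdns\s+([0-9.,]+)")


def resolvers_from_dhcp_log(lines: Iterable[str]) -> dict[str, set[str]]:
    """Map each client IP to the set of resolvers its DHCPACK advertised."""
    leases: dict[str, set[str]] = {}
    for line in lines:
        m = _LEASE.search(line)
        if m:
            leases[m.group(1)] = set(m.group(2).split(","))
    return leases


def resolvers_from_resolv_conf(text: str) -> list[str]:
    """Return nameserver entries in order (the first one is queried first)."""
    return [l.split()[1] for l in text.splitlines()
            if l.strip().startswith("nameserver") and len(l.split()) > 1]


def audit(dhcp_log: str, resolv_conf: str, approved=APPROVED_RESOLVERS) -> dict:
    """Flag resolvers missing from the allowlist, per DHCP lease and on the host."""
    findings: dict = {"leases": {}, "host": []}
    for client, servers in resolvers_from_dhcp_log(dhcp_log.splitlines()).items():
        rogue = servers - approved
        if rogue:
            findings["leases"][client] = sorted(rogue)
    findings["host"] = [s for s in resolvers_from_resolv_conf(resolv_conf) if s not in approved]
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_DHCP_LOG, SAMPLE_RESOLV_CONF))
```

Any address reported here is a configured resolver that the organisation does not operate, which is exactly the symptom a router with overwritten DHCP/DNS settings produces on downstream devices.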
Credential Protection and Incident Response
Credential theft is a primary goal of DNS hijacking. Organisations should enforce strong authentication, such as multi-factor authentication (MFA), and educate staff about phishing risks. If compromise is suspected, reset affected credentials immediately and review access logs for unusual activity.
- Adopt MFA for critical accounts
- Educate staff on phishing and adversary-in-the-middle risks
- Prepare and test incident response plans for credential compromise
Key Actions and Ongoing Vigilance
Summary Checklist for Protection
- Patch and update all routers
- Audit and lock down DNS settings
- Monitor for suspicious DNS traffic
- Enforce MFA across all services
- Educate employees about DNS hijacking
Collaboration and Reporting
Sharing threat intelligence and reporting incidents to authorities such as the NCSC can help strengthen collective defences. Cybersecurity is a shared responsibility: proactive communication between IT, security and executive teams is vital for timely response.
In summary, APT28 DNS hijacking is a clear reminder of the importance of network device security and DNS monitoring. By adopting robust practices, organisations can reduce risk and protect sensitive data from adversary-in-the-middle threats.
Originally reported by the National Cyber Security Centre.