The National Cyber Security Centre (NCSC) – a part of GCHQ – has published a new advisory revealing how Russian cyber actors have compromised commonly used routers, allowing them to covertly reroute users’ internet traffic through malicious servers under their control.
The new advisory warns that Russian state cyber group APT28 has exploited vulnerable internet routers to enable Domain Name System (DNS) hijacking operations, giving the attackers the ability to intercept traffic and harvest login credentials, including passwords and access tokens, from personal web and email services.
DNS is what allows individuals to reach websites by typing familiar addresses instead of the associated IP addresses. In a DNS hijacking attack, actors interfere with this process to covertly send users to malicious websites designed to steal login details or other sensitive information.
The advisory also notes that the activity is likely opportunistic in nature, with the actor casting a wide net to reach many potential victims, before narrowing in on targets of intelligence interest as the attack develops.
APT28 has previously been linked by the UK to Russia’s GRU 85th Main Special Service Centre (GTsSS), Military Unit 26165.
Paul Chichester, NCSC Director of Operations, said:

"This activity demonstrates how exploited vulnerabilities in widely used network devices can be leveraged by sophisticated hostile actors.

"We strongly encourage organisations and network defenders to familiarise themselves with the techniques described in the advisory and to follow the mitigation advice.

"The NCSC will continue to expose Russian malicious cyber activity and provide practical guidance to help protect UK networks."
Organisations and network defenders are encouraged to follow the mitigation advice to protect effectively against DNS hijacking attacks, including protecting the management interfaces of systems, ensuring devices and software are maintained and kept up to date, and setting up two-step verification.
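Two checks a network defender can run with data they already hold follow from the description above: the DNS resolvers a router hands out or forwards to should match an approved list, and answers obtained through the local resolver should agree with answers from an independent, trusted resolver for names that matter. The script below is an added illustration, not code from the NCSC advisory; the approved resolver set, the router configuration, the answer sets and the address ranges are all constructed sample data, and no network access is made.

```python
"""Added example: spotting signs of DNS hijacking from the defender's side.

Check 1: resolver addresses seen in a router's configuration versus an approved list.
Check 2: A-record answers from the local resolver versus a trusted resolver,
         plus a sanity check that answers fall inside the ranges the
         organisation's services actually use.
All data below is constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed: resolvers the organisation approves (documentation ranges).
APPROVED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed: DNS servers observed in a router's running configuration.
OBSERVED_ROUTER_DNS = ["192.0.2.53", "198.51.100.9"]


def unexpected_resolvers(observed, approved=APPROVED_RESOLVERS):
    """Return observed resolver entries that are not approved.

    An entry that does not parse as an IP address is reported too: a
    tampered configuration is exactly where odd values turn up.
    """
    flagged = []
    for entry in observed:
        try:
            ip_address(entry)
        except ValueError:
            flagged.append(entry)
            continue
        if entry not in approved:
            flagged.append(entry)
    return flagged


# Constructed: answers as if obtained via the local resolver and via a
# trusted resolver reached over an independent path.
LOCAL_ANSWERS = {
    "mail.example.com": {"203.0.113.10"},
    "webmail.example.com": {"198.51.100.22"},
    "login.example.com": {"203.0.113.40", "203.0.113.41"},
}
TRUSTED_ANSWERS = {
    "mail.example.com": {"203.0.113.10"},
    "webmail.example.com": {"203.0.113.20"},
    "login.example.com": {"203.0.113.41", "203.0.113.40"},
}

# Constructed: address ranges the organisation's web/mail services live in.
EXPECTED_RANGES = [ip_network("203.0.113.0/24")]


def in_expected_ranges(addr, ranges=EXPECTED_RANGES):
    """True if addr lies in one of the expected networks."""
    return any(ip_address(addr) in net for net in ranges)


def divergent_names(local, trusted, ranges=EXPECTED_RANGES):
    """Map each suspicious name to the reasons it was flagged.

    A name is suspicious when the local answer set differs from the trusted
    one, or when any local answer falls outside the expected ranges.
    Set comparison makes record order irrelevant.
    """
    findings = {}
    for name, local_set in local.items():
        reasons = []
        if local_set != trusted.get(name, set()):
            reasons.append("answer differs from trusted resolver")
        outside = sorted(a for a in local_set if not in_expected_ranges(a, ranges))
        if outside:
            reasons.append("answer outside expected ranges: " + ", ".join(outside))
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for entry in unexpected_resolvers(OBSERVED_ROUTER_DNS):
        print(f"router uses unapproved resolver: {entry}")
    for name, reasons in divergent_names(LOCAL_ANSWERS, TRUSTED_ANSWERS).items():
        print(f"{name}: " + "; ".join(reasons))
```

In practice the trusted answers would be fetched over a path the router cannot influence (for example an encrypted resolver reached directly from a monitoring host), and the resolver check would be run against the configuration of every edge device, since a changed DNS setting is often the only visible trace of this kind of compromise.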
The NCSC has previously called out APT28 / Unit 26165, also known in open-source reporting as Fancy Bear, Forest Blizzard, the Sednit Gang and Sofacy, for deploying sophisticated malware dubbed AUTHENTIC ANTICS and for targeting western logistics entities and technology companies.