UK Exposes Russian Military Intelligence Hijacking Routers


Joanna Larson
29 April 2026

The National Cyber Security Centre, a part of GCHQ, has published a new advisory revealing how Russian cyber actors have compromised commonly used routers. This allows them to covertly reroute internet traffic through malicious servers under their control.

The Mechanics of the Attack

The new advisory warns that the Russian state cyber group APT28 has exploited vulnerable internet routers to enable Domain Name System (DNS) hijacking operations. This gives the attackers the ability to intercept traffic and harvest login credentials, including passwords and access tokens, from personal web and email services.

The Domain Name System is what allows individuals to reach websites by typing familiar addresses instead of the associated IP addresses. In a hijacking attack, actors interfere with this resolution process to covertly send users to malicious websites designed to steal login details or other sensitive information.

Opportunistic Targeting

The advisory notes that the activity is likely opportunistic in nature. The actor casts a wide net to reach many potential victims before narrowing down to targets of intelligence interest as the attack develops. APT28 has previously been linked by the UK to the Russian GRU 85th Main Special Service Centre, also known as Military Unit 26165.

This activity demonstrates how exploited vulnerabilities in widely used network devices can be leveraged by sophisticated hostile actors. We strongly encourage organisations and network defenders to familiarise themselves with the techniques described in the advisory and to follow the mitigation advice.

Mitigation and Defence

Organisations and network defenders are strongly encouraged to follow the mitigation advice to protect effectively against these hijacking attacks. Crucial steps include protecting the management interfaces of systems, ensuring all devices and software are properly maintained and up to date, and immediately setting up two-step verification.
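Two checks a network defender can run to spot the hijacking pattern described above, as an added example that is not part of the advisory or this article: a router that has been repointed at a rogue resolver shows up first as an unexpected DNS server address handed to clients, and then as canary names resolving to addresses that a trusted reference resolver does not return. All resolver addresses, domain names and answers are constructed sample data; `EXPECTED_RESOLVERS` is an assumed allowlist.

```python
"""Two defender-side checks for the router-based DNS hijacking described above.
Added example, not code from the NCSC advisory; every resolver address, domain
name and answer below is constructed sample data."""
import socket
from typing import Callable, Dict, Iterable, List, Set

# Resolvers an organisation expects its clients to receive via DHCP (constructed).
EXPECTED_RESOLVERS: Set[str] = {"10.0.0.53", "10.0.1.53"}
Lookup = Callable[[str], Set[str]]  # hostname -> set of IPv4 addresses

def unexpected_resolvers(configured: Iterable[str], expected: Set[str] = EXPECTED_RESOLVERS) -> List[str]:
    """Configured resolver addresses not on the expected list. A compromised router
    that repoints clients at a rogue resolver changes this list first."""
    return [r for r in configured if r not in expected]

def answer_mismatches(domains: Iterable[str], local: Lookup, reference: Lookup) -> Dict[str, dict]:
    """Resolve canary names via the local path and via a trusted reference; report
    names whose answer sets share no address. Use names with stable records:
    CDN-backed hosts legitimately differ per vantage point and would be noise."""
    findings: Dict[str, dict] = {}
    for name in domains:
        local_ips, ref_ips = local(name), reference(name)
        if not (local_ips & ref_ips):
            findings[name] = {"local": sorted(local_ips), "reference": sorted(ref_ips)}
    return findings

def system_lookup(name: str) -> Set[str]:
    """Real lookup through the host's configured resolver (needs network access)."""
    return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}

# Constructed answers standing in for a trusted reference and a hijacked local path.
_REFERENCE = {"mail.example": {"203.0.113.10"}, "login.example": {"203.0.113.20"}}
_LOCAL = {"mail.example": {"203.0.113.10"}, "login.example": {"198.51.100.7"}}

def demo():
    """Run both checks on the constructed data; returns (rogue resolvers, mismatches)."""
    rogue = unexpected_resolvers(["10.0.0.53", "198.51.100.53"])
    mismatches = answer_mismatches(
        _REFERENCE, lambda n: _LOCAL.get(n, set()), lambda n: _REFERENCE.get(n, set()))
    return rogue, mismatches

if __name__ == "__main__":
    print(demo())
```

In production, pass `system_lookup` as the local path and a lookup over a trusted out-of-band resolver (for example DNS over HTTPS to a known provider) as the reference, and feed the DHCP-assigned resolver addresses from clients into `unexpected_resolvers`.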

The UK government has previously called out this specific group for deploying sophisticated malware and targeting western logistics entities and technology companies. Authorities will continue to expose malicious cyber activity and provide practical guidance to help protect vital networks.
