How APT28 hijacks routers to steal Microsoft 365 credentials
APT28, also known as Fancy Bear and tracked by Microsoft as Forest Blizzard, has been compromising SOHO routers globally to intercept Microsoft 365 credentials through DNS hijacking. A joint advisory published this week by the FBI, NSA, and 20 international partner agencies confirms the campaign is active and expanding. If your organisation relies on remote workers using unmanaged home networking equipment, your authentication traffic may already be at risk.
What is the APT28 router hijacking campaign?
APT28 is a Russian state-linked cyber espionage group attributed to the GRU’s 85th Main Special Service Center. Active since at least 2004, the group has a long record of targeting government agencies, defence contractors, and critical infrastructure across NATO member states — including confirmed intrusions against national ministries and the defence industrial base.
This campaign focuses on a deceptively simple attack path: compromising SOHO routers to manipulate DNS settings and redirect authentication traffic. Rather than targeting hardened corporate infrastructure directly, APT28 exploited Ubiquiti EdgeRouters running default factory credentials — hardware already present in the homes and small offices of the remote workers they wanted to reach.
The February 2024 joint advisory from the FBI, NSA, and US Cyber Command documented how the group used a pre-existing criminal botnet, MooBot, to gain access to hundreds of compromised EdgeRouters, before repurposing that infrastructure for credential harvesting and network proxying at scale.
How does the credential theft actually work?
DNS hijacking at the router level is particularly effective because it operates below the application layer. That means most endpoint security tools don’t see it happening.
Once APT28 modified a router’s DNS settings, every device on that network — laptops, phones, tablets — inherited the change automatically. When users attempted to log into Microsoft Outlook Web Access or Microsoft 365 services, modified DNS responses redirected those requests to attacker-controlled servers. Users saw convincing login pages with valid SSL certificates. Most had no reason to suspect anything was wrong.
The group harvested passwords, authentication tokens, and NTLMv2 digests. In some cases, APT28 uploaded custom Python scripts to compromised routers to validate stolen credentials in real time. The MITRE ATT&CK framework entry for APT28 documents the breadth of techniques the group has used across this and related campaigns, including CVE-2023-23397 exploitation to leak NTLM hashes from targeted Outlook accounts.
A critical operational detail: rebooting a compromised EdgeRouter does not remove the malware. The infection persists across restarts, meaning affected organisations need a full hardware factory reset — not a simple reboot — to remediate.
Who was targeted?
The campaign was not opportunistic. APT28 focused on government agencies, militaries, defence contractors, and technology organisations. Confirmed targeted countries include the Czech Republic, Italy, Lithuania, Poland, Ukraine, the United Arab Emirates, and the US — a list consistent with Russian foreign intelligence collection priorities.
The UK’s National Cyber Security Centre joined the advisory alongside partners from Belgium, Brazil, France, Germany, Latvia, Norway, Poland, South Korea, and others: an unusually broad coordinated response that reflects the scale and seriousness of the campaign.
The April 2026 FBI/IC3 advisory confirms the activity has continued and expanded, now also targeting TP-Link routers via CVE-2023-50224, with the GRU indiscriminately compromising a wide pool of victims before filtering down to those of specific intelligence interest.
Why SOHO routers are the weak point
The rapid shift to remote work created thousands of potential entry points through networking equipment that receives far less security oversight than corporate infrastructure. Ubiquiti EdgeRouters are widely deployed, capable devices — but they ship with default credentials set to “ubnt” on both username and password, and they rely entirely on manual firmware updates.
That combination — default credentials, no automatic patching, and a direct path to corporate authentication traffic — made them an efficient target.
Router-level DNS manipulation is particularly hard to detect because it generates no alerts within your corporate environment. There is no unusual login event, no endpoint alert, no firewall notification. It persists silently until identified through external intelligence or a deliberate DNS configuration audit.
This is not a new technique. But the scale of this campaign, the precision of its targeting, and the continued activity confirmed in the 2026 advisory make it a meaningful benchmark for how state-sponsored groups are approaching credential theft today.
What your security team should do now
The FBI advisory recommends the following actions for any organisation with potentially affected devices:
- Perform a hardware factory reset on any Ubiquiti EdgeRouter or TP-Link router used by remote workers — a reboot alone is not sufficient
- Upgrade to the latest firmware version and establish a process for ongoing firmware monitoring
- Change all default usernames and passwords across all SOHO devices in your estate
- Implement firewall rules on WAN-side interfaces to restrict remote management access
- Verify DNS server configurations across all network segments, including VPN-connected endpoints
- Review Microsoft 365 and Outlook authentication logs for unusual geographic patterns, concurrent logins, or certificate warnings that users may have dismissed
- Identify internet-exposed router management interfaces — external attack surface scanning will surface these faster than internal audits
- Force password resets on any accounts showing suspicious authentication activity
Establishing a DNS baseline is the starting point for ongoing detection. Once you know what normal looks like, deviations — unexpected IP resolution, unusual routing, certificate mismatches — become visible signals rather than background noise.
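A DNS audit of the kind the checklist's configuration check and the baseline paragraph above call for, as an added example that is not from the advisory or from CybelAngel; the approved resolvers, the baseline ranges and the Microsoft 365 hostnames' expected answers are constructed assumptions, not real infrastructure data:

```python
"""DNS baseline audit for remote-worker networks: added example, constructed data.
Check 1: the resolver an endpoint actually uses is on the approved list.
Check 2: answers for Microsoft 365 login hostnames fall inside the ranges
recorded when the baseline was taken; a hijacked router returns other IPs."""
from __future__ import annotations
import ipaddress
import socket
from dataclasses import dataclass

# Hypothetical approved resolvers: corporate DNS over VPN plus a public fallback.
APPROVED_RESOLVERS = {"10.50.0.53", "10.50.0.54", "1.1.1.1"}
# Baseline ranges are constructed documentation prefixes (RFC 5737). A real
# baseline comes from Microsoft's published 365 endpoint ranges and your own
# observations, because CDN answers legitimately vary by region.
BASELINE = {"login.microsoftonline.com": ["198.51.100.0/24"],
            "outlook.office365.com": ["203.0.113.0/24"]}

@dataclass
class Finding:
    host: str
    detail: str
    severity: str

def check_resolvers(configured: list[str]) -> list[Finding]:
    """Flag every resolver an endpoint uses that is not on the approved list."""
    return [Finding("resolver", f"unapproved DNS server {s}", "high")
            for s in configured if s not in APPROVED_RESOLVERS]

def check_answers(answers: dict[str, list[str]]) -> list[Finding]:
    """Flag addresses outside the baseline ranges, and hosts with no answer."""
    findings = []
    for host, ips in answers.items():
        nets = [ipaddress.ip_network(c) for c in BASELINE.get(host, [])]
        if not ips:
            findings.append(Finding(host, "no answer from resolver", "medium"))
        for ip in ips:
            if not any(ipaddress.ip_address(ip) in n for n in nets):
                findings.append(Finding(host, f"resolved to {ip}, outside baseline", "high"))
    return findings

def resolve_live(hosts: list[str]) -> dict[str, list[str]]:
    """Resolve through the OS resolver, i.e. whatever DNS the router handed out."""
    out = {}
    for h in hosts:
        try:
            out[h] = sorted({r[4][0] for r in socket.getaddrinfo(h, 443, socket.AF_INET)})
        except socket.gaierror:
            out[h] = []
    return out
```

On an audited endpoint, pass `resolve_live(list(BASELINE))` to `check_answers` and the DHCP-assigned resolvers to `check_resolvers`; an answer outside the baseline is a signal to confirm against the published ranges, not proof of hijacking on its own.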
How CybelAngel can help
Campaigns like this one are exactly the kind of threat that external attack surface monitoring is built for.
CybelAngel’s Attack Surface Management module continuously scans your external perimeter for exposed router management interfaces, default credential exposure, and anomalous DNS configurations, the same indicators that signal this type of campaign. Our Credential Intelligence module detects exposed credentials linked to your domains across dark web sources and underground forums, so you can identify compromised accounts before they are used for lateral movement or further exploitation.
Get in touch with our REACT team →
Frequently asked questions
APT28 is a cyber espionage group attributed to Russia’s GRU military intelligence agency, specifically Military Unit 26165. It is tracked under multiple names: Fancy Bear (CrowdStrike), Forest Blizzard and Strontium (Microsoft), and Sofacy (ESET). The group has been active since at least 2004.
Attackers modify the DNS server settings on a compromised router. Every device on that network then forwards DNS queries to an attacker-controlled server instead of a legitimate one, which can return malicious IP addresses and serve credential-harvesting pages even when users type the correct URL.
Any organisation with remote workers using SOHO routers with default credentials or unpatched firmware is potentially exposed. The technique targets DNS-level traffic, so any cloud authentication service, not just Microsoft 365, can be intercepted.
Standard phishing relies on users clicking a malicious link. DNS hijacking intercepts a legitimate request — users type the correct URL and are still redirected. That makes it significantly harder to detect and considerably harder to defend against without network-layer visibility.
No. The FBI advisory explicitly states that rebooting a compromised EdgeRouter will not remove the malware. A full hardware factory reset is required, followed by a firmware update and credential change.
For a broader view of how state-sponsored groups are targeting organisations in your sector, get in touch with our REACT team for a tailored threat assessment.
