Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign

Overview

A Russian state-linked hacking group known as APT28 (also referred to as Sofacy Group, Forest Blizzard, and Fancy Bear) has been identified exploiting SOHO (Small Office/Home Office) routers to conduct global DNS hijacking campaigns.

Attack Methodology

  • APT28 leverages vulnerabilities in SOHO routers to gain unauthorized access to network devices.
  • Once inside the devices, attackers modify DNS configurations to perform man-in-the-middle (MitM) attacks, enabling them to intercept and manipulate network traffic.
  • The attack campaign has reportedly affected over 200 enterprises globally, with DNS hijacking being a key tactic used to compromise data integrity and confidentiality.

Key Findings

The attack is part of a broader trend of state-sponsored cyber operations targeting critical infrastructure and enterprise networks. The use of SOHO routers as entry points highlights the risks associated with poorly secured consumer-grade networking equipment.

Response and Mitigation

Security experts and organizations such as Microsoft and Lumen have issued alerts and recommendations to help mitigate the threat. These include updating router firmware, enabling strong authentication, and monitoring for unusual DNS activity.
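One way to act on the "monitoring for unusual DNS activity" advice above, as an added example that is not from the article or from the vendors it cites: resolve a canary name you control (one with a fixed A record) both through the resolver the router hands out and through a trusted reference resolver, and alarm when the two answers share no address, which is what a router whose DNS settings were silently rewritten produces. The function names, the canary name canary.example and the addresses in the sample response are assumptions or constructed values.

```python
# Added example, not from the article: a minimal RFC 1035 A-record client that
# resolves a canary name via the router-advertised resolver and a trusted one.
import socket
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard recursive A/IN query for `name` (RD=1, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg: bytes, off: int) -> int:  # offset just past a domain name
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        if ln == 0:
            return off + 1
        off += ln + 1

def parse_a_records(msg: bytes) -> set:
    """IPv4 addresses in the answer section of a DNS response."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE/QCLASS
    found = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            found.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return found

def resolve(name: str, server: str, timeout: float = 2.0) -> set:
    """One UDP query to `server`; returns the A records it answers with."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_a_records(s.recv(512))

def looks_hijacked(router_answers: set, reference_answers: set) -> bool:
    return not (router_answers & reference_answers)  # no address in common

SAMPLE_RESPONSE = (  # constructed, not a capture: canary.example -> 198.51.100.7
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x06canary\x07example\x00\x00\x01\x00\x01" + b"\xc0\x0c"
    + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([198, 51, 100, 7]))
```

Compare `resolve("canary.example", <router address>)` with `resolve("canary.example", <reference resolver>)` via `looks_hijacked`; use a name with a static record so CDN-style per-resolver answer variation does not raise false alarms.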

Source: https://www.ithome.com.tw/news/174914