APT28 Hijacks Vulnerable Routers for DNS Hijacking, Threatening Global Internet Traffic
What Happened – Russian state‑linked threat group APT28 (Fancy Bear) has been observed compromising widely‑deployed edge routers. By exploiting unpatched firmware and default management credentials, the actors install malicious DNS‑hijack modules that silently reroute user traffic to attacker‑controlled servers, enabling credential harvesting.
Why It Matters for TPRM –
- Compromised routers become a supply‑chain foothold that can affect any downstream vendor or customer.
- DNS hijacking can expose login credentials for SaaS, cloud, and on‑premise services, amplifying third‑party risk.
- The attack vector exploits common misconfigurations, highlighting the need for rigorous vendor device‑hardening policies.
Who Is Affected – Telecommunications carriers, cloud service providers, SaaS vendors, and large enterprises across all verticals that rely on commercial off‑the‑shelf routers.
Recommended Actions –
- Verify that all third‑party network devices are patched to the latest firmware.
- Enforce strong, unique passwords and multi‑factor authentication on router management interfaces.
- Conduct a supply‑chain risk review of any vendor that provides or manages edge networking equipment.
Technical Notes – The actors leveraged known firmware vulnerabilities (e.g., CVE‑2025‑XXXX) and default credentials to gain root access, then deployed DNS‑hijack payloads that modify resolver settings. Harvested data includes usernames, passwords, and OAuth tokens from webmail and SaaS portals. Source: NCSC Advisory – UK exposes Russian military intelligence hijacking vulnerable routers for cyber attacks
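The recommended actions and technical notes above describe two things a defender can check mechanically: whether an edge router's configuration still matches policy (resolver addresses, firmware level, default credentials, exposed management) and whether names resolved through the router agree with a trusted resolver. The script below is an added illustration, not code from the advisory or from NCSC; the key=value config format, the policy values (approved resolvers, minimum firmware) and all sample data are constructed for the example.

```python
"""Offline audit of router DNS settings for the hijacking pattern described above.

Two checks: (1) configuration drift (unapproved resolvers, stale firmware,
default credentials, WAN-exposed management) and (2) answer comparison, where
names resolved via the router are compared with a trusted resolver's answers.
All inputs are constructed samples; the config format is hypothetical.
"""
import ipaddress
from dataclasses import dataclass

# Assumed organisation policy values (constructed for this example)
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
MIN_FIRMWARE = (4, 2, 1)
# Names whose hijacking would yield credentials: webmail and SaaS portals
WATCHED_NAMES = ("mail.example.com", "sso.example.com")


@dataclass(frozen=True)
class Finding:
    device: str
    severity: str
    detail: str


def parse_config(text: str) -> dict:
    """Parse a hypothetical key=value config dump; blanks and comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def parse_version(s: str) -> tuple:
    return tuple(int(p) for p in s.split("."))


def audit_config(device: str, cfg: dict) -> list:
    """Flag resolver, firmware and management-interface settings outside policy."""
    findings = []
    for key, value in sorted(cfg.items()):
        if not key.startswith("dns.server."):
            continue
        try:
            ipaddress.ip_address(value)
        except ValueError:
            findings.append(Finding(device, "medium", f"{key} is not an IP address: {value!r}"))
            continue
        if value not in APPROVED_RESOLVERS:
            findings.append(Finding(device, "high", f"{key} points at unapproved resolver {value}"))
    fw = cfg.get("firmware.version", "0")
    if parse_version(fw) < MIN_FIRMWARE:
        findings.append(Finding(device, "high", f"firmware {fw} below minimum"))
    if cfg.get("mgmt.password_default") == "yes":
        findings.append(Finding(device, "critical", "management interface uses default credentials"))
    if cfg.get("mgmt.wan_access") == "enabled":
        findings.append(Finding(device, "medium", "management interface reachable from WAN"))
    return findings


def compare_answers(device: str, via_router: dict, trusted: dict) -> list:
    """Flag watched names whose answers via the router differ from the trusted resolver."""
    findings = []
    for name in WATCHED_NAMES:
        seen = set(via_router.get(name, ()))
        expected = set(trusted.get(name, ()))
        if seen and seen != expected:
            findings.append(Finding(device, "critical",
                                    f"{name} -> {sorted(seen)} via router, trusted gives {sorted(expected)}"))
    return findings


def audit_device(device: str, config_text: str, via_router: dict, trusted: dict) -> list:
    return audit_config(device, parse_config(config_text)) + compare_answers(device, via_router, trusted)


# Constructed sample inputs (RFC 5737 documentation addresses)
CLEAN_CONFIG = """
# edge-01
firmware.version=4.2.1
dns.server.1=10.0.0.53
dns.server.2=10.0.1.53
mgmt.password_default=no
mgmt.wan_access=disabled
"""
COMPROMISED_CONFIG = """
# edge-02: resolver rewritten, stale firmware, defaults left in place
firmware.version=3.9.0
dns.server.1=203.0.113.7
dns.server.2=10.0.0.53
mgmt.password_default=yes
mgmt.wan_access=enabled
"""
TRUSTED_ANSWERS = {"mail.example.com": ["198.51.100.10"], "sso.example.com": ["198.51.100.11"]}
CLEAN_ANSWERS = dict(TRUSTED_ANSWERS)
HIJACKED_ANSWERS = {"mail.example.com": ["203.0.113.50"], "sso.example.com": ["198.51.100.11"]}

if __name__ == "__main__":
    for dev, cfg, ans in (("edge-01", CLEAN_CONFIG, CLEAN_ANSWERS),
                          ("edge-02", COMPROMISED_CONFIG, HIJACKED_ANSWERS)):
        for f in audit_device(dev, cfg, ans, TRUSTED_ANSWERS):
            print(f"{f.device} [{f.severity}] {f.detail}")
```

In practice the config dump and the per-router answers would come from the device's management API and from queries sent through each router's configured resolver; the comparison against a trusted resolver is what catches a rewritten resolver even when the configuration itself has been tampered with to look normal.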