April 2026
Russia Is Hijacking Your Router's DNS. Here's What That Actually Means.
The NCSC has published an advisory attributing a DNS hijacking campaign to APT28, the GRU's Unit 26165. The technique is simple: compromise a router, change its DNS settings, and every device on that network starts resolving domains through servers the attacker controls. From there, it is a short step to intercepting login credentials, OAuth tokens, and email access.
The advisory names the TP-Link WR841N as one exploited model, using CVE-2023-50224. But the pattern applies to any router with exposed management interfaces and unpatched firmware. This campaign has been running since 2024.
Why Routers?
Most security spending goes on endpoints and cloud. Routers sit in between, running firmware nobody patches, with management interfaces left open on default credentials. They are the device your security stack cannot see.
APT28 understood this. Compromise the router and you control DNS resolution for every device behind it. Your laptop, your phone, your IoT devices all trust the router to tell them where outlook.office365.com is. If the router lies, they follow.
The attack chain:
- Compromise the router by exploiting a known vulnerability or using default credentials
- Overwrite DHCP/DNS settings so devices are told to use an attacker-controlled DNS server
- Intercept traffic as malicious DNS resolutions redirect web and email requests through attacker infrastructure
- Harvest credentials as passwords, OAuth tokens, and session cookies cross the wire
Step 2 is the one that matters. It is silent. No malware lands on any endpoint. No antivirus triggers. The router just starts lying about where the internet is, and everything downstream believes it.
What Makes This Hard to Detect
The reason this attack works so well against SMEs is that nobody is watching the router.
Enterprise SOCs monitor DNS traffic. They have SIEM rules for unexpected DNS server changes. They baseline their DHCP configuration. Most small and medium businesses do none of this. The router is configured once, maybe by an ISP engineer, and then forgotten.
If APT28 changes your DNS settings at 3am, you will not know until someone notices that login pages look slightly different, or until credentials start being used from unexpected locations. By then, the damage is done.
The NCSC's guidance covers the basics: protect management interfaces, keep firmware updated, deploy multi-factor authentication. All correct. But it addresses prevention, not detection. If your router has already been compromised, how would you know?
The Device Gap
This attack sits in a gap. Your endpoint agent cannot see that the router's DNS settings have changed. Your annual penetration test will not catch a configuration change that happened last Tuesday. There is a space between endpoint security and perimeter assessment where nothing is watching.
Network monitoring fills that space. Not cloud-based monitoring that watches traffic at the edge, but something physically on the local network that can see what the router is actually doing. Something that baselines your gateway's MAC address, tracks your DNS configuration over time, and alerts when the router starts behaving differently.
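What a local monitor at that point in the network actually does, for steps 2 and 3 of the attack chain above and the baselining described in this paragraph, as an added example that is not code from the advisory or from ThreatControl: it parses the options of a DHCP ACK (the message that tells a client which gateway and DNS servers to use), learns a baseline from the first ACK it sees, and raises an alert when a later ACK advertises a different DHCP server MAC, gateway, or DNS server set, or a DNS server outside an operator-supplied allow-list. The MAC addresses, IP addresses and packet bytes are constructed sample data, not a capture.

```python
"""Detect gateway/DNS tampering from DHCP ACKs seen on the LAN (added example).
Constructed sample data throughout; not code from the advisory or ThreatControl."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

DHCP_MAGIC = b"\x63\x82\x53\x63"          # option field starts after this cookie
OPT_ROUTER, OPT_DNS, OPT_MSGTYPE, OPT_END = 3, 6, 53, 255
DHCP_ACK = 5


def parse_dhcp_options(payload: bytes) -> Dict[int, bytes]:
    """Return {option_code: raw_value} from a DHCP payload (BOOTP header + options)."""
    # The BOOTP fixed header is 236 bytes, then the magic cookie, then TLV options.
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == 0:                      # pad byte, no length field
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def ip_list(raw: bytes) -> List[str]:
    """Decode a run of 4-byte IPv4 addresses (options 3 and 6 carry lists)."""
    return [".".join(str(b) for b in raw[k:k + 4]) for k in range(0, len(raw) - 3, 4)]


@dataclass
class Observation:
    server_mac: str                        # source MAC of the frame carrying the ACK
    router: List[str]                      # option 3: default gateway(s)
    dns: List[str]                         # option 6: DNS server(s)


def observe(frame_src_mac: str, payload: bytes) -> Optional[Observation]:
    """Turn one DHCP payload into an Observation; ignore anything that is not an ACK."""
    opts = parse_dhcp_options(payload)
    if opts.get(OPT_MSGTYPE) != bytes([DHCP_ACK]):
        return None                        # only the ACK commits settings to the client
    return Observation(frame_src_mac,
                       ip_list(opts.get(OPT_ROUTER, b"")),
                       ip_list(opts.get(OPT_DNS, b"")))


@dataclass
class GatewayBaseline:
    """Learns the first ACK seen and alerts on any later deviation from it."""
    expected_dns: Optional[Set[str]] = None   # optional allow-list, e.g. the ISP's resolvers
    baseline: Optional[Observation] = None
    alerts: List[str] = field(default_factory=list)

    def check(self, obs: Observation) -> List[str]:
        new = []
        if self.expected_dns is not None:
            rogue = [d for d in obs.dns if d not in self.expected_dns]
            if rogue:
                new.append(f"DNS server(s) outside allow-list: {rogue}")
        if self.baseline is None:
            self.baseline = obs            # first sighting becomes the baseline
        else:
            if obs.server_mac != self.baseline.server_mac:
                new.append(f"DHCP server MAC changed {self.baseline.server_mac} -> {obs.server_mac}")
            if obs.router != self.baseline.router:
                new.append(f"default gateway changed {self.baseline.router} -> {obs.router}")
            if set(obs.dns) != set(self.baseline.dns):
                new.append(f"DNS servers changed {self.baseline.dns} -> {obs.dns}")
        self.alerts.extend(new)
        return new


def build_ack(router: str, dns: List[str]) -> bytes:
    """Build a minimal DHCP ACK payload (constructed test data, not a real capture)."""
    def ip(s: str) -> bytes:
        return bytes(int(x) for x in s.split("."))
    opts = bytes([OPT_MSGTYPE, 1, DHCP_ACK])
    opts += bytes([OPT_ROUTER, 4]) + ip(router)
    opts += bytes([OPT_DNS, 4 * len(dns)]) + b"".join(ip(d) for d in dns)
    return b"\x02" + b"\x00" * 235 + DHCP_MAGIC + opts + bytes([OPT_END])


def demo() -> List[str]:
    """Feed a normal ACK, then one whose DNS option was rewritten; return the alerts."""
    monitor = GatewayBaseline(expected_dns={"192.0.2.1", "203.0.113.53"})
    monitor.check(observe("aa:bb:cc:00:00:01", build_ack("192.0.2.1", ["192.0.2.1"])))
    # Same gateway and DHCP server MAC, but clients are now told to use a foreign resolver.
    monitor.check(observe("aa:bb:cc:00:00:01", build_ack("192.0.2.1", ["198.51.100.66"])))
    return monitor.alerts


if __name__ == "__main__":
    for alert in demo():
        print("ALERT:", alert)
```

In a live deployment the payload and source MAC would come from a packet capture on the LAN segment (DHCP ACKs are broadcast or unicast to the client, so a monitor needs to see the segment, not just its own traffic); the allow-list is the set of resolvers your ISP or your own infrastructure should be handing out, which is exactly the value the "This week" checklist below tells you to confirm.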
The Untrusted Network Problem
The APT28 campaign targeted organisations' routers, but the same technique applies to any network you connect to. Hotel WiFi. Conference networks. Co-working spaces. Client sites. If someone controls the DNS, they control where your traffic goes.
VPN solves part of this. Once the tunnel is up, DNS queries go through it. But before the VPN connects, your device uses whatever DNS the local network provides. Captive portals force you onto the local network before any tunnel can be established. That window is enough.
Physical network isolation closes the gap: connect through a dedicated device that establishes a secure tunnel before your laptop ever touches the untrusted network. Your device never directly participates on the hostile network. The DNS hijacking happens on the other side of hardware you control.
What to Do Now
This week:
- Log into your router and check your DNS settings. If they point somewhere you do not recognise, you may have a problem. Your ISP can tell you what they should be
- Update your router firmware. Check your router manufacturer's website directly, not auto-update prompts that appear in the browser
- Change default admin credentials. If your router password is still "admin" or printed on a sticker, change it today
- Disable remote management unless you specifically need it
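The first item above is a configuration check: does the resolver address look right? A complementary check, added here as an example and not code from the advisory or from ThreatControl, is to verify what the local resolver actually answers, since a hijacked router can hand out a resolver whose address looks plausible. The script compares the A records returned for sentinel domains (names your organisation controls, such as its mail host or SSO endpoint) against known-good values you maintain out of band, and can also cross-check one name against an independent DNS-over-HTTPS resolver. The sentinel table and addresses are constructed sample values; Cloudflare's JSON DoH endpoint is assumed reachable only when the script is run live.

```python
"""Check that the LAN resolver returns known-good answers for sentinel names (added example).
Sentinel values are constructed; not code from the advisory or ThreatControl."""
import json
import socket
import urllib.request
from typing import Callable, Dict, List, Set

# Known-good A records for names the organisation controls (constructed sample values).
# Only pin addresses you can verify out of band; CDN-fronted names vary by region
# and should not be checked this way.
SENTINELS: Dict[str, Set[str]] = {
    "mail.example.org": {"203.0.113.25"},
    "sso.example.org": {"203.0.113.40", "203.0.113.41"},
}


def local_lookup(name: str) -> Set[str]:
    """A records via the system resolver, i.e. whatever the router handed out."""
    return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}


def doh_lookup(name: str) -> Set[str]:
    """A records via Cloudflare's DNS-over-HTTPS JSON API, bypassing the LAN resolver.
    Assumes the endpoint is reachable; type 1 is the A record type code in its output."""
    req = urllib.request.Request(
        f"https://cloudflare-dns.com/dns-query?name={name}&type=A",
        headers={"accept": "application/dns-json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        body = json.load(resp)
    return {rr["data"] for rr in body.get("Answer", []) if rr.get("type") == 1}


def check_sentinels(lookup: Callable[[str], Set[str]],
                    sentinels: Dict[str, Set[str]] = SENTINELS) -> List[str]:
    """Return one finding per sentinel whose answers are not all known-good.
    The lookup function is injected so the logic can run without network access."""
    findings = []
    for name, good in sentinels.items():
        try:
            seen = lookup(name)
        except OSError as exc:             # resolver unreachable, NXDOMAIN, timeout
            findings.append(f"{name}: lookup failed ({exc})")
            continue
        unexpected = seen - good
        if unexpected:
            findings.append(f"{name}: unexpected answer(s) {sorted(unexpected)}; "
                            f"expected {sorted(good)}")
    return findings


def cross_check(name: str,
                local: Callable[[str], Set[str]] = local_lookup,
                reference: Callable[[str], Set[str]] = doh_lookup) -> bool:
    """True when the LAN resolver and the out-of-band resolver share at least one answer.
    Disagreement is a signal to investigate (geo-distributed names legitimately differ),
    not proof of hijack on its own."""
    return bool(local(name) & reference(name))


if __name__ == "__main__":
    for finding in check_sentinels(local_lookup):
        print("FINDING:", finding)
    try:
        print("cross-check mail.example.org agrees:", cross_check("mail.example.org"))
    except OSError as exc:
        print("cross-check skipped:", exc)
```

Run it from a machine on the network in question, with the sentinel table replaced by your own names and addresses; a finding means the resolver your device is using returned something other than the record you published, which is the behaviour step 3 of the attack chain relies on.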
This quarter:
- Audit every router and access point in your environment. Remote offices, home workers, branch sites. Each one is an edge device that APT28's playbook targets
- Consider whether you have any visibility into DNS configuration changes on your network. If the answer is "we would not know," that is the gap to close
- For remote and mobile workers: evaluate whether your VPN configuration actually protects against DNS hijacking during the connection bootstrapping phase
Longer term:
- Network monitoring that baselines router behaviour and alerts on deviation is the detection layer most SMEs are missing. It does not need to be expensive or complex. A device on the network that watches the gateway and DNS configuration continuously
- Encrypted DNS (DoH/DoT) prevents DNS interception in transit, but does not help if the router itself is compromised and pointing at an attacker's DNS server. You need both
The Pattern
APT28 did not invent DNS hijacking. What is notable is that a nation-state actor chose this technique against production targets because it works, it is quiet, and the detection gap is real.
The NCSC's own assessment of AI-enabled cyber threats makes the same point from the other direction: current AI-powered attack activity "tends to generate noticeable security alerts and is relatively easy to detect" and "would likely be identified and disrupted before [achieving serious progress], but only in environments with effective monitoring and the ability to respond." That last clause is the one that matters. The attacks are detectable. The question is whether you are detecting.
If Russian military intelligence considers your router worth compromising, it is worth monitoring.
ThreatControl helps organisations close the device gap. Our network monitoring identifies DNS configuration changes and router anomalies that endpoint security misses. Our Fractional CTO service provides practical router hardening guidance for SMEs, and our Security Suite assesses your perimeter configuration. Get in touch.