CyberSecurity

How a Simple Question Is Unmasking North Korean IT Workers in Remote Job Interviews

A startling video clip circulating on social media has pulled back the curtain on a widespread cybersecurity and compliance issue: North Korean IT workers securing remote positions at Western companies under false pretenses. The footage captures the precise moment a job applicant, suspected of being a sanctioned national, is confronted with an unusual test.

For several years, a significant number of North Korean IT workers have bypassed international sanctions by using fabricated identities and resumes to land jobs with hundreds of companies in the U.S. and Europe. This practice directly violates sanctions imposed due to the country’s prohibited nuclear weapons program, creating legal and security risks for unsuspecting employers.

The Viral Interview Tactic That Stopped a Candidate Cold

In response, recruiters and hiring managers have sought reliable methods to identify these impostors during screening. One strategy that has gained notoriety involves asking the candidate to verbally insult North Korea’s leader, Kim Jong Un. Because such an act is a serious crime within the isolated nation, carrying severe penalties, a genuine North Korean citizen would be extremely reluctant to comply.

The now-viral video, originally posted on X (formerly Twitter), demonstrates this tactic in real time. During a video call interview, the interviewer calmly requests the applicant to repeat the phrase, “Kim Jong Un is a fat ugly pig.” The candidate’s reaction is immediate and telling. They become visibly agitated, feign confusion about the question, and within seconds, abruptly disconnect from the call, ending the interview.

Why This Filter Works—And When It Doesn’t

The psychological barrier appears to be a powerful, if unconventional, filter. The fear of reprisal, against themselves or family members back home, seems to override any desire to maintain their cover during a job interview. The individual who shared the clip noted its current effectiveness, stating they had yet to encounter a single person who could utter the insult.

However, it is crucial to understand the limitations of this approach. Not all North Korean IT workers operating abroad are under the same level of direct surveillance. Those residing in countries like China or Russia may feel more insulated from the regime’s immediate reach. Therefore, while the tactic is a valuable red flag, it is not a foolproof standalone solution. Companies must implement robust, multi-layered vetting processes.

The Broader Challenge of Sanction Evasion

Beyond interview tricks, the core problem remains the sophisticated evasion of international sanctions. These remote workers funnel salaries back to a government that uses the foreign currency to fund its military programs, creating a direct pipeline from Western payrolls to the very activities the sanctions were designed to halt.

At the same time, the very existence of this viral interview hack highlights a failure in traditional background checks: fake resumes and stolen identities are passing initial HR screens with alarming frequency. This underscores the need for technical assessments, thorough identity verification, and awareness of geopolitical risk factors in hiring.

Protecting Your Company from Compliance Risks

So, what should businesses do? First, awareness is key: HR and hiring managers in tech sectors must be educated about this specific threat vector. Second, technical interviews should be rigorous and include live coding sessions that are difficult to fake. Third, companies should consult with compliance experts to ensure their hiring practices align with sanctions enforcement.

Ultimately, while the “insult test” provides a dramatic and sometimes effective snapshot, it is merely one tool. A comprehensive defense requires diligence across the entire hiring lifecycle, from resume screening to ongoing employee verification. The goal is not just to catch impostors, but to build resilient processes that protect the organization from legal peril and security breaches.

CyberSecurity

Russian APT28 Hackers Hijack Routers in Global Credential Theft Campaign

A sophisticated Russian cyber-espionage group is conducting a widespread campaign by hijacking internet routers to steal sensitive credentials from targeted organizations. This APT28 router hijack operation, detailed in a new advisory from the UK’s National Cyber Security Centre (NCSC), reveals a methodical approach to digital surveillance and data theft. Consequently, businesses and individuals using common networking equipment are at significant risk.

The Mechanics of the Router Hijack Campaign

According to the NCSC, the threat actors, identified as APT28, are exploiting vulnerabilities in small office/home office (SOHO) routers. Their goal is to redirect internet traffic through servers they control. This process, known as DNS hijacking, allows them to intercept data flowing from connected devices like laptops and smartphones. Therefore, when a user tries to access a website or service, their request is secretly routed to a malicious server where login credentials can be harvested.

The NCSC assesses the initial phase of these operations as “opportunistic.” The hackers cast a wide net to gain visibility of a large pool of potential targets, then filter these candidates at each stage of the attack chain, ultimately focusing on victims deemed to have high intelligence value. While the initial compromise is broad, the final theft is highly selective.

First Wave: Targeting TP-Link Devices

One distinct activity cluster focuses heavily on TP-Link routers. In this campaign, the hackers modify the router’s DHCP DNS settings to include IP addresses they own. A specific model, the TP-Link WR841N, is likely being exploited using a known vulnerability (CVE-2023-50224). This flaw lets an unauthenticated attacker obtain password credentials via crafted web requests.

Once a router is compromised, every device on its network inherits the malicious DNS settings. This allows APT28 to perform adversary-in-the-middle (AitM) attacks on user sessions. The primary objective is to harvest passwords, OAuth tokens, and other credentials for web and email services. Subsequently, the stolen data can be used for malicious logins from other infrastructure not yet identified by authorities.
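As a defender’s check for the DHCP tampering described above, here is an added example (not from the NCSC advisory or any vendor tooling) that parses a dhclient-style lease on a client machine and flags any DNS server that is neither on the organisation’s resolver allowlist nor on the LAN. The allowlist, LAN range and lease text are constructed assumptions.

```python
"""Flag DHCP-assigned DNS servers that are off the allowlist.

Added example, not from the NCSC advisory. A hijacked router hands clients
attacker-controlled resolvers via the DHCP DNS option, so the lease on any
client reveals the tampering. All addresses and the lease text are constructed.
"""
import ipaddress
import re

# Constructed allowlist: the router's LAN address plus the public resolvers
# the organisation has chosen. Anything else handed out by DHCP is suspect.
TRUSTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "9.9.9.9"}
LAN_NETWORK = "192.168.1.0/24"

# Constructed dhclient lease; the second resolver is the injected one.
SAMPLE_LEASE = """\
lease {
  interface "eth0";
  fixed-address 192.168.1.57;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1,198.51.100.23;
}
"""

_DNS_OPTION = re.compile(r"option\s+domain-name-servers\s+([^;]+);")

def parse_lease_dns(lease_text):
    """Return the DNS server addresses listed in a dhclient lease block."""
    match = _DNS_OPTION.search(lease_text)
    if not match:
        return []
    return [s.strip() for s in match.group(1).split(",") if s.strip()]

def audit_resolvers(servers, trusted=TRUSTED_RESOLVERS, lan=LAN_NETWORK):
    """Classify each resolver as ok, untrusted-lan or untrusted-offnet.

    An off-network address that is not on the allowlist is the strongest
    signal: a hijacked router points clients at internet hosts the attacker
    controls, which is exactly the behaviour the advisory describes.
    """
    lan_net = ipaddress.ip_network(lan)
    verdicts = {}
    for server in servers:
        if server in trusted:
            verdicts[server] = "ok"
        elif ipaddress.ip_address(server) in lan_net:
            verdicts[server] = "untrusted-lan"
        else:
            verdicts[server] = "untrusted-offnet"
    return verdicts

def lease_is_suspicious(lease_text):
    """True when any resolver in the lease fails the allowlist check."""
    verdicts = audit_resolvers(parse_lease_dns(lease_text))
    return any(v != "ok" for v in verdicts.values())

if __name__ == "__main__":
    for server, verdict in audit_resolvers(parse_lease_dns(SAMPLE_LEASE)).items():
        print(f"{server:<18} {verdict}")
```

The same check applies to the DNS servers a router itself is configured to hand out; an untrusted-offnet verdict on any client is the cue to inspect the router and its firmware level.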

Second Wave: Compromising MikroTik and More

In a separate but related cluster, the NCSC observed servers receiving DNS requests from likely compromised MikroTik and TP-Link routers. This campaign involves a more complex forwarding chain, where DNS requests are sent from the initial compromised server to further remote servers controlled by the attackers.

Notably, this infrastructure was used for interactive operations against a small number of MikroTik routers, often located in Ukraine. These targets were likely chosen for their specific intelligence value to the Russian group, indicating a strategic shift from broad scanning to precise, interactive compromise of high-value assets.

Who is Behind the APT28 Router Hijack?

The UK government attributes the APT28 router hijack campaign “almost certainly” to Unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU). This unit is also widely known by aliases such as Fancy Bear, Forest Blizzard, and Strontium. Their history includes high-profile attacks like the 2015 cyber-attack against the German parliament and an attempted breach of the Organisation for the Prohibition of Chemical Weapons (OPCW) in 2018.

Microsoft Threat Intelligence, in a separate report, corroborates these findings. They note that APT28 and a sub-group tracked as Storm-2754 have been compromising virtual private servers (VPS) to exploit SOHO routers since at least August 2025. This confirms a sustained, long-term investment in this particular attack vector by a state-sponsored actor.

How to Defend Against Router-Based Attacks

In response to this threat, the NCSC has issued critical mitigation advice. Organizations and individuals must take proactive steps to secure their networks. First and foremost, ensure all routers are running the latest supported firmware and that security updates are applied immediately. Outdated software is the primary entry point for these exploits.

Furthermore, adopting a browse-down network architecture can prevent attackers from easily gaining privileged access to vital assets. This means segmenting your network so that a compromise in one area doesn’t grant access to everything. Additionally, deploying robust endpoint protection, including host-based intrusion detection systems (HIDS), is crucial for spotting malicious activity.

On the authentication front, using multifactor authentication (MFA) universally is one of the most effective ways to neutralize stolen credentials: even if a password is intercepted, MFA provides a critical second layer of defense. Implementing application allowlisting can also prevent unauthorized software from running on your network.

The Bigger Picture of Cyber Espionage

This campaign is not an isolated incident but part of a continuous trend of state-aligned cyber operations targeting critical infrastructure and sensitive data. The use of commodity hardware like consumer routers provides attackers with a low-cost, high-impact method of establishing a foothold. This APT28 router hijack tactic is particularly insidious because it compromises the very foundation of a network’s trust—its DNS resolution.

As a result, the responsibility for security extends beyond large corporations to include small businesses and even home users who may be unwitting participants in these attack chains. Regular security scans, vigilance for unusual network behavior, and a commitment to basic cyber hygiene are no longer optional. The convergence of geopolitical conflict and cyber warfare means that digital defense is now a universal concern.

CyberSecurity

Proposed $707 Million Cut to U.S. Cybersecurity Agency Sparks Alarm

A significant CISA budget cut is on the table, with the Trump administration proposing to slash funding for the nation’s top cybersecurity agency by at least $707 million for the 2027 fiscal year. This move, detailed in a recent omnibus budget proposal, would reduce the operating budget of the Cybersecurity and Infrastructure Security Agency to approximately $2 billion, a decision that has triggered immediate concern among lawmakers and security professionals.

Rationale Behind the Proposed Cybersecurity Funding Reduction

The administration’s justification centers on a desire to refocus the agency on its “core mission.” According to the proposal, the Cybersecurity and Infrastructure Security Agency should concentrate solely on securing federal civilian networks and protecting critical infrastructure from digital attacks. The document criticizes what it labels “weaponization and waste,” and controversially alleges the agency was previously “focused on censorship.” This latter claim appears to reference CISA’s efforts to combat election-related misinformation during the 2020 presidential cycle.

Repeating a Pattern of Controversial Cuts

This is not the first attempt to significantly reduce the agency’s resources. Last year the administration proposed a cut of nearly $500 million, about 17% of the agency’s federal budget at the time; lawmakers ultimately negotiated that reduction down to approximately $135 million. The current proposal therefore marks a more aggressive financial pullback, suggesting a sustained policy direction.

Security Experts Warn of Dire Consequences

In contrast to the administration’s stated goals, security analysts are sounding the alarm. They argue the agency is already in a weakened state. Consequently, a cut of this magnitude could cripple its ability to respond to threats. The agency has faced a year of prior cuts, staff reductions, and layoffs, losing hundreds of experienced employees. Compounding the problem, CISA has operated without a Senate-confirmed permanent director since President Trump returned to office in 2025, creating a leadership vacuum at a critical time.

A Dangerous Proposal Amid Rising Cyber Threats

The timing of this proposed CISA budget cut is particularly troubling given the current threat landscape. Over the past year, the U.S. government has been the target of several major cyber intrusions. For instance, a suspected Russian breach compromised the U.S. Courts filing system. Simultaneously, Chinese state-linked actors have targeted multiple federal departments. In another incident, Iranian hackers leaked the personal email of then-FBI director Kash Patel. The nation’s digital defenses are already under constant assault.

What Programs Are on the Chopping Block?

The budget document indicates the cuts would also eliminate programs deemed duplicative, specifically school safety initiatives that already exist at state and federal levels. While framed as an efficiency measure, critics worry this could fragment and weaken broader national resilience efforts that benefit from centralized coordination.

The Political Battle Over CISA’s Future

The debate over the agency’s role and funding is deeply politicized. Since the 2025 inauguration, the Trump administration has repeatedly made claims—widely debunked by fact-checkers and officials—that CISA engaged in censorship against the president’s perceived critics. This narrative has even targeted the agency’s inaugural director, Chris Krebs, whom Trump himself originally appointed. This political context suggests the CISA budget cut is intertwined with broader grievances beyond pure fiscal or mission-based arguments.

As a result, a fierce legislative battle is expected. Lawmakers who pushed back successfully against last year’s deeper cuts are likely to mobilize again. The central question will be whether national security concerns can outweigh political objectives in the final budget negotiations. The outcome will set a precedent for how the United States prioritizes its digital sovereignty in an increasingly hostile online world.

CyberSecurity

How Hackers Are Weaponizing GitHub for Stealthy Multi-Stage Attacks

Security researchers have uncovered a sophisticated GitHub malware campaign targeting users in South Korea. This operation turns the popular development platform into a covert command post, using a multi-stage infection process designed to evade traditional security measures. By blending malicious activity with legitimate network traffic, attackers have created a significant challenge for defenders.

The Evolution of a Stealthy Attack Chain

Initially detected in 2024, this threat has undergone substantial refinement. Earlier versions contained more metadata and simpler obfuscation, which allowed analysts to trace connections to previous operations. According to a recent advisory from Fortinet, the latest iterations show a clear shift toward greater stealth and operational security.

Attackers now embed decoding functions directly within LNK file arguments and store encoded payloads inside the files themselves, eliminating external dependencies that could be flagged. Decoy PDF documents serve a dual purpose: they give the file a plausible reason to exist while malicious scripts execute silently in the background, unbeknownst to the user.

Anatomy of the Multi-Stage Infection

The GitHub malware campaign begins with a seemingly harmless shortcut file. When executed, this LNK file contains hidden scripts that reach out to a GitHub repository to retrieve the first stage of PowerShell commands. This initial contact establishes the covert channel.

In the second stage, the downloaded PowerShell script performs a series of calculated actions to embed itself within the system. This includes checking for the presence of virtual machines or security analysis tools—a clear attempt to avoid sandbox environments. The script then decodes and stores additional payloads, creates scheduled tasks for persistence, collects detailed system information, and finally, uploads logs back to GitHub using hardcoded access tokens.


The Role of Living-Off-the-Land Tactics

This attack exemplifies the modern shift toward “living-off-the-land” (LOTL) strategies. “Modern cyber espionage has fundamentally shifted toward a highly evasive strategy known as living-off-the-land,” noted Jason Soroko, a senior fellow at Sectigo. By using native Windows utilities like PowerShell and VBScript, and leveraging a legitimate platform like GitHub, the malware generates traffic that appears normal, blending seamlessly with everyday corporate network activity.

GitHub as a Persistent Command Hub

The final, ongoing stage of the attack reveals the core innovation of this GitHub malware campaign. The compromised system continuously polls specific GitHub repositories, waiting for new instructions or modules to download. This method provides the attackers with a flexible, low-profile command and control (C2) infrastructure that is difficult to block without impacting legitimate developer workflows.

A dedicated keep-alive script regularly uploads network configuration details, enabling the threat actors to monitor their infected machines and maintain long-term access. This persistence mechanism, often running via scheduled tasks every 30 minutes, ensures the malware remains active and responsive.

“This attack demonstrates how malicious actors can turn legitimate infrastructure into a novel attack surface,” explained Jamie Boote, a senior manager at Black Duck. “The fact that this shortcut file creates a chain that ultimately reaches out to a GitHub repository should put network defenders on alert that even productivity platforms can be attack vectors.”

Why This Attack is So Difficult to Detect

The strategic use of ubiquitous tools and platforms is what makes this campaign particularly concerning. Therefore, corporate security systems face an uphill battle. Distinguishing between a developer’s legitimate API call to GitHub and a malware beacon is a complex task. The attackers’ removal of identifying metadata in later variants further complicates forensic analysis and attribution.

This case study underscores a critical trend in cybersecurity: defenders must expand their monitoring beyond traditional malicious domains and IPs to include anomalous patterns of behavior on trusted platforms. Understanding the tools and techniques used in living-off-the-land attacks is now essential for effective defense.
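One way to hunt for the scheduled polling described above, as an added example that is not from the Fortinet report or the campaign itself: the script parses constructed web-proxy log lines, keeps only requests to GitHub hosts, and flags any client whose contacts are evenly spaced, which is how a 30-minute keep-alive looks next to a developer’s bursty git activity. The log layout, host list and jitter threshold are assumptions.

```python
"""Find clients polling GitHub on a fixed schedule in web-proxy logs.

Added example, not from the Fortinet report. The campaign's keep-alive runs
from a scheduled task about every 30 minutes, so the tell is a client that
reaches GitHub at near-constant intervals. Log lines below are constructed,
in an assumed "<ISO time> <client> <user-agent> <host> <path>" layout.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_LOG = """\
2025-09-02T09:00:03 10.0.0.21 Mozilla/5.0 api.github.com /repos/acme/notes/contents
2025-09-02T09:15:00 10.0.0.21 Mozilla/5.0 www.example.com /
2025-09-02T09:30:04 10.0.0.21 Mozilla/5.0 api.github.com /repos/acme/notes/contents
2025-09-02T10:00:02 10.0.0.21 Mozilla/5.0 api.github.com /repos/acme/notes/contents
2025-09-02T10:30:03 10.0.0.21 Mozilla/5.0 api.github.com /repos/acme/notes/contents
2025-09-02T09:01:10 10.0.0.42 git/2.43 github.com /acme/app.git/info/refs
2025-09-02T09:01:12 10.0.0.42 git/2.43 github.com /acme/app.git/git-upload-pack
2025-09-02T11:47:30 10.0.0.42 git/2.43 github.com /acme/app.git/info/refs
2025-09-02T11:47:31 10.0.0.42 git/2.43 github.com /acme/app.git/git-upload-pack
"""

# Hosts the campaign relies on; a developer's traffic goes to the same places,
# which is why timing rather than destination carries the signal.
GITHUB_HOSTS = {"github.com", "api.github.com", "raw.githubusercontent.com"}

def parse_log(text):
    """Map each client to the sorted timestamps of its GitHub requests."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, client, _ua, host, _path = line.split(" ", 4)
        if host in GITHUB_HOSTS:
            events[client].append(datetime.fromisoformat(ts))
    return {client: sorted(times) for client, times in events.items()}

def find_beacons(events, min_hits=4, max_jitter=0.05):
    """Return {client: mean_gap_seconds} for clients whose GitHub contacts
    are evenly spaced: the gaps' standard deviation divided by their mean
    is below max_jitter. Bursty, human-driven use has a far higher ratio."""
    beacons = {}
    for client, times in events.items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            beacons[client] = round(avg)
    return beacons

if __name__ == "__main__":
    for client, gap in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} contacts GitHub every {gap // 60} min: possible C2 poll")
```

In practice the flagged client is then correlated with endpoint telemetry, such as the process behind the request and any recently created scheduled task, before it is treated as an infection.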

Ultimately, the campaign targeting South Korea is a stark reminder. The digital tools that power productivity and innovation can, with clever manipulation, be repurposed into instruments of espionage and control. Vigilance and advanced behavioral analytics are no longer optional but a necessity in the modern threat landscape.
