APT28
Organisation · RU

Russian GRU military intelligence cyber unit; publicly attributed by NCSC to a campaign that hijacks DNS on home routers to steal Microsoft 365 credentials.

Last refreshed: 17 April 2026

Key Question

How is GRU using home routers to steal Microsoft 365 logins from remote workers?

Timeline for APT28

17 Apr: Targeted messaging app accounts of high-risk individuals using contact impersonation techniques
Topic: Cybersecurity: Threats and Defences: Signal, WhatsApp hit by three states
Common Questions
What is APT28 and which country is it from?
APT28, also tracked as Fancy Bear or Forest Blizzard, is a Russian state-sponsored hacking group attributed by Western intelligence agencies to Unit 26165 of the GRU, Russia's military intelligence service. (Source: NCSC / US Intelligence Community)
How did APT28 hijack home routers to steal Microsoft passwords?
APT28 exploited CVE-2023-50224 in TP-Link WR841N routers (and compromised similar SOHO devices) to change their DNS settings so that only Microsoft 365 login domains resolve to attacker-controlled servers; every other name resolves normally, so browsing looks unchanged to the victim. (Source: NCSC Advisory PSA260407, April 2026)
Is my home router safe from APT28?
NCSC and FBI recommend updating router firmware, changing default credentials, disabling remote management, and using DNS-over-HTTPS or another trusted encrypted resolver for authentication traffic. TP-Link WR841N and MikroTik devices are specifically named in the April 2026 advisory. Because the redirect is selective there are no browsing symptoms to notice; check which DNS servers the router actually hands out and compare its answers for the Microsoft 365 login names against an independent resolver. (Source: NCSC / FBI PSA260407)
What is the difference between APT28 and FSB Star Blizzard?
APT28 (GRU Unit 26165) operates under Russia's military intelligence service (GRU) and focuses on credential theft and election interference. Star Blizzard operates under Russia's domestic security service (FSB) and focuses on targeting civil society, journalists and politicians via messaging apps. (Source: NCSC / CISA)

Background

APT28 (also tracked as Fancy Bear, Forest Blizzard and STRONTIUM) is assessed with high confidence by NCSC, CISA and the US Intelligence Community as operating under GRU Unit 26165, the 85th Main Special Service Centre of Russia's military intelligence directorate. In April 2026 NCSC published an attribution-backed advisory stating that since 2024 APT28 has compromised TP-Link WR841N routers (via CVE-2023-50224) and multiple MikroTik SOHO routers to redirect DNS resolution for Microsoft 365 endpoints, capturing Outlook credentials and OAuth tokens through adversary-in-the-middle attacks.

APT28 has been active since at least 2008. Earlier major operations include the 2015 German Bundestag compromise, the 2016 US election interference campaign (DNC and Podesta email exfiltration), the 2016 World Anti-Doping Agency compromise, the 2017 Macron campaign hack and the 2022 Ukrainian government network intrusions. The group specialises in credential theft, phishing and the exploitation of edge devices and VPN appliances, generally in service of intelligence collection rather than disruptive or destructive operations.

The April 2026 advisory marks the first time NCSC has attributed a SOHO-router DNS-hijacking campaign to APT28 with this level of specificity, identifying the targeted domains (outlook.live.com, outlook.office365.com), the modified DNS configuration (a `dnsmasq-2.85` instance answering for those names, with the secondary DNS server left pointing at a legitimate resolver) and the hardware affected. Leaving the secondary resolver legitimate matters for defenders: a client that happens to fall back to it will resolve the login names correctly, so a single spot check can miss the hijack and the comparison should be repeated. The campaign is relevant to any organisation whose staff use home broadband with default-configured TP-Link or MikroTik routers, because the interception happens between the home network and Microsoft; the corporate perimeter never sees it, and the first corporate-side evidence is likely to be anomalous sign-in or token activity in the identity provider's logs rather than anything on the network.
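The two checks a defender would want after reading the paragraphs above, as an added example that is not code from the advisory or from any vendor: parse a dnsmasq configuration for per-domain `address=` overrides (the dnsmasq mechanism that answers selected names locally while forwarding everything else upstream, which is what "leaving all other traffic normal" looks like in config), and compare a router resolver's answers with an independent resolver's answers, classifying the result as the selective login-domain pattern, a broad divergence, or clean. The config fragment, CNAME targets, addresses (RFC 5737 documentation ranges) and the control domains are all constructed for the example; only the two outlook.* names come from the page.

```python
"""Spot a router-level DNS redirect that touches only Microsoft 365 login names.

Added example, not from the NCSC advisory or any vendor tooling. All inputs are
constructed: the dnsmasq fragment, the CNAME targets and the addresses (RFC 5737
documentation ranges). The control domains are an assumption for the example.
"""
from dataclasses import dataclass, field

# Names the page reports as targeted, plus control names a selective hijack
# should leave untouched (control names are assumed, not from the advisory).
AUTH_DOMAINS = ("outlook.live.com", "outlook.office365.com")
CONTROL_DOMAINS = ("www.example.com", "www.example.net")


def parse_dnsmasq_overrides(config_text: str) -> dict[str, str]:
    """Return {domain: address} for every `address=/dom[/dom2...]/addr` line.

    Comments and unrelated options are skipped. If a domain appears in more than
    one override, the last line in the file wins in this parser.
    """
    overrides: dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("address="):
            continue
        fields = line[len("address="):].split("/")
        # "/dom1/dom2/192.0.2.10" splits into ['', 'dom1', 'dom2', '192.0.2.10']
        if len(fields) < 3 or not fields[-1]:
            continue
        for dom in fields[1:-1]:
            if dom:
                overrides[dom.lower().rstrip(".")] = fields[-1]
    return overrides


@dataclass(frozen=True)
class Resolution:
    """What one resolver returned for a name: CNAME chain, then final A records."""
    cnames: tuple[str, ...] = ()
    addresses: frozenset[str] = field(default_factory=frozenset)


def diverging_names(router: dict[str, Resolution],
                    reference: dict[str, Resolution]) -> dict[str, str]:
    """Return {name: reason} for names where router and reference disagree.

    Disjoint address sets alone are weak evidence: CDN-backed names legitimately
    return different addresses from different vantage points. A collapsed CNAME
    chain is stronger: an `address=` override answers with a bare A record, so a
    name the reference reaches through CNAMEs but the router answers directly is
    the fingerprint of a local override.
    """
    reasons: dict[str, str] = {}
    for name, ref in reference.items():
        got = router.get(name)
        if got is None or got == ref or (got.addresses & ref.addresses):
            continue  # not queried, identical, or sharing at least one address
        if ref.cnames and not got.cnames:
            reasons[name] = "CNAME chain collapsed to a bare A record"
        elif got.addresses != ref.addresses:
            reasons[name] = "address set disjoint from reference"
        else:
            reasons[name] = "CNAME chain differs"
    return reasons


def classify(reasons: dict[str, str],
             auth: tuple[str, ...] = AUTH_DOMAINS,
             control: tuple[str, ...] = CONTROL_DOMAINS) -> str:
    """'selective-auth-hijack' when login names diverge but control names agree
    (the pattern the advisory describes); 'broad-divergence' when control names
    diverge too (captive portal, filtering resolver or wider tampering: worth
    investigating but not this signature); 'clean' when nothing diverges."""
    auth_hit = any(n in reasons for n in auth)
    control_hit = any(n in reasons for n in control)
    if auth_hit and not control_hit:
        return "selective-auth-hijack"
    return "broad-divergence" if reasons else "clean"


# --- constructed sample data --------------------------------------------------
SAMPLE_DNSMASQ_CONF = """\
# constructed dnsmasq fragment, not a real device dump
domain-needed
bogus-priv
server=203.0.113.53            # upstream resolver: everything else resolves normally
address=/outlook.live.com/192.0.2.10
address=/outlook.office365.com/192.0.2.10
"""

REFERENCE = {  # answers from an independent resolver (constructed)
    "outlook.live.com": Resolution(("mail-edge.example.net.",),
                                   frozenset({"198.51.100.20", "198.51.100.21"})),
    "outlook.office365.com": Resolution(("o365-edge.example.net.",),
                                        frozenset({"198.51.100.30"})),
    "www.example.com": Resolution((), frozenset({"198.51.100.40"})),
    "www.example.net": Resolution((), frozenset({"198.51.100.41"})),
}
ROUTER = {  # answers from the router's resolver (constructed)
    "outlook.live.com": Resolution((), frozenset({"192.0.2.10"})),
    "outlook.office365.com": Resolution((), frozenset({"192.0.2.10"})),
    "www.example.com": REFERENCE["www.example.com"],
    "www.example.net": REFERENCE["www.example.net"],
}


def run_sample() -> tuple[dict[str, str], dict[str, str], str]:
    """Run both checks over the constructed data and return their results."""
    overrides = parse_dnsmasq_overrides(SAMPLE_DNSMASQ_CONF)
    reasons = diverging_names(ROUTER, REFERENCE)
    return overrides, reasons, classify(reasons)


if __name__ == "__main__":
    found, why, verdict = run_sample()
    print("dnsmasq overrides:", found)
    for name, reason in why.items():
        print(f"DIVERGES {name}: {reason}")
    print("verdict:", verdict)
```

On a real host, `REFERENCE` would be populated by querying a resolver you trust (ideally over DoH, per the advisory's advice) and `ROUTER` by querying the resolver the router advertises over DHCP; because the campaign leaves the secondary resolver legitimate, run the comparison several times rather than once. The config parser only applies where you can read the router's dnsmasq configuration directly, for example from a firmware or configuration dump.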