
APT28
Russian GRU military intelligence cyber unit; attributed with DNS-hijacking home routers to steal Microsoft 365 credentials.
Last refreshed: 14 July 2026 · Appears in 1 active topic
Two Russian agencies now hijack routers by different methods; coordinated, or parallel operations?
Timeline for APT28
NCSC names FSB Centre 16 over routers
Cybersecurity: Threats and DefencesMentioned in: Norway joins the Salt Typhoon victim list
Cybersecurity: Threats and DefencesSixteen agencies put IOC extinction in print
Cybersecurity: Threats and DefencesExploited SOHO routers to hijack DNS and harvest Microsoft 365 OAuth tokens via adversary-in-the-middle attacks since 2024
Cybersecurity: Threats and Defences: GRU hijacks home routers for M365 loginsTargeted messaging app accounts of high-risk individuals using contact impersonation techniques
Cybersecurity: Threats and Defences: Signal, WhatsApp hit by three statesWhat is APT28 and which country is it from?
How did APT28 hijack home routers to steal Microsoft passwords?
Is my home router safe from APT28?
Background
APT28 (also tracked as Fancy Bear, Forest Blizzard, STRONTIUM, Sofacy and Pawn Storm) is the activity cluster that NCSC, CISA and the US Intelligence Community assess with high confidence as run by GRU Unit 26165, the 85th Main Special Service Centre of Russia's military intelligence directorate. The cluster and the unit are tracked as related but distinct entities: APT28 is the observed tradecraft, GRU Unit 26165 is the organisation behind it.
Active since at least 2008, APT28 specialises in credential theft, spear-phishing and the exploitation of edge devices and VPN appliances in service of intelligence collection rather than disruptive attacks. Its record includes the 2016 US election interference campaign (DNC and Podesta email exfiltration), the 2017 Macron campaign hack, the 2018 World Anti-Doping Agency compromise, the 2022 intrusions into Ukrainian government networks and the 2024 targeting of the German Bundestag.
In April 2026 NCSC published an attribution-backed advisory stating APT28 had, since 2024, compromised TP-Link WR841N and other SOHO routers via CVE-2023-50224 to hijack DNS resolution for Microsoft 365 endpoints, harvesting Outlook credentials and OAuth tokens through adversary-in-the-middle attacks. That same week NCSC co-authored a 16-agency joint advisory naming Salt Typhoon, Volt Typhoon and other Chinese actors alongside APT28-linked techniques, consolidating multi-lateral attribution as a recurring NCSC posture.
On 9 July 2026 NCSC and 18 partner agencies published a further advisory attributing a separate SNMP-based router-hijacking campaign to Russia's FSB Centre 16, explicitly distinguishing it from APT28's earlier DNS campaign. The contrast is instructive: both campaigns target network-edge hardware, but APT28 operates under GRU military intelligence and hijacked DNS to harvest cloud credentials, while FSB Centre 16 operates under Russia's domestic security service and manipulated SNMP for router-level access, evidence that Russia runs parallel, service-siloed edge-device operations rather than one unified campaign.