Skip to content
You can now search across every topic, entity and event.What's new
APT28
OrganisationRU

APT28

Russian GRU military intelligence cyber unit; attributed with DNS-hijacking home routers to steal Microsoft 365 credentials.

Last refreshed: 14 July 2026 · Appears in 1 active topic

Key Question

Two Russian agencies now hijack routers by different methods; coordinated, or parallel operations?

Timeline for APT28

#109 Jul

NCSC names FSB Centre 16 over routers

Cybersecurity: Threats and Defences
#223 Apr
#223 Apr

Sixteen agencies put IOC extinction in print

Cybersecurity: Threats and Defences
#17 Apr
#131 Mar

Targeted messaging app accounts of high-risk individuals using contact impersonation techniques

Cybersecurity: Threats and Defences: Signal, WhatsApp hit by three states
View full timeline →
Common Questions
What is APT28 and which country is it from?
APT28, also called Fancy Bear or Forest Blizzard, is a Russian state-sponsored hacking group attributed by Western intelligence agencies to GRU Unit 26165, Russia's military intelligence service.Source: NCSC / US Intelligence Community
How did APT28 hijack home routers to steal Microsoft passwords?
APT28 exploited CVE-2023-50224 in TP-Link WR841N routers and similar SOHO devices to modify DNS settings, redirecting only Microsoft 365 login domains to attacker-controlled servers while leaving all other traffic normal.Source: NCSC Advisory PSA260407, April 2026
Is my home router safe from APT28?
NCSC and FBI recommend: update router firmware, change default credentials, disable remote management, and use DNS-over-HTTPS or a trusted encrypted resolver for authentication traffic. TP-Link WR841N and MikroTik devices are specifically named in the April 2026 advisory.Source: NCSC / FBI PSA260407

Background

APT28 (also tracked as Fancy Bear, Forest Blizzard, STRONTIUM, Sofacy and Pawn Storm) is the activity cluster that NCSC, CISA and the US Intelligence Community assess with high confidence as run by GRU Unit 26165, the 85th Main Special Service Centre of Russia's military intelligence directorate. The cluster and the unit are tracked as related but distinct entities: APT28 is the observed tradecraft, GRU Unit 26165 is the organisation behind it.

Active since at least 2008, APT28 specialises in credential theft, spear-phishing and the exploitation of edge devices and VPN appliances in service of intelligence collection rather than disruptive attacks. Its record includes the 2016 US election interference campaign (DNC and Podesta email exfiltration), the 2017 Macron campaign hack, the 2018 World Anti-Doping Agency compromise, the 2022 intrusions into Ukrainian government networks and the 2024 targeting of the German Bundestag.

In April 2026 NCSC published an attribution-backed advisory stating APT28 had, since 2024, compromised TP-Link WR841N and other SOHO routers via CVE-2023-50224 to hijack DNS resolution for Microsoft 365 endpoints, harvesting Outlook credentials and OAuth tokens through adversary-in-the-middle attacks. That same week NCSC co-authored a 16-agency joint advisory naming Salt Typhoon, Volt Typhoon and other Chinese actors alongside APT28-linked techniques, consolidating multi-lateral attribution as a recurring NCSC posture.

On 9 July 2026 NCSC and 18 partner agencies published a further advisory attributing a separate SNMP-based router-hijacking campaign to Russia's FSB Centre 16, explicitly distinguishing it from APT28's earlier DNS campaign. The contrast is instructive: both campaigns target network-edge hardware, but APT28 operates under GRU military intelligence and hijacked DNS to harvest cloud credentials, while FSB Centre 16 operates under Russia's domestic security service and manipulated SNMP for router-level access, evidence that Russia runs parallel, service-siloed edge-device operations rather than one unified campaign.

More questions
What is the difference between APT28 and FSB Star Blizzard?
APT28/GRU Unit 26165 operates under Russia's military intelligence (GRU) and focuses on credential theft and election interference. FSB Star Blizzard operates under Russia's domestic security service (FSB) and focuses on targeting civil society, journalists and politicians via messaging apps.Source: NCSC / CISA
What is the 16-agency advisory and what did it say about APT28?
A 16-nation joint advisory published in late April 2026 named APT28-linked techniques alongside Salt Typhoon and Volt Typhoon, formalising multi-lateral attribution and publishing indicators of compromise to accelerate network defence across allied governments.Source: NCSC / allied agencies joint advisory April 2026
What is the difference between APT28 and FSB Centre 16?
APT28 is run by GRU Unit 26165, Russia's military intelligence, and hijacked DNS on SOHO routers to steal Microsoft 365 credentials. FSB Centre 16, named in a 9 July 2026 advisory, is run by Russia's domestic security service and used SNMP router hijacking; NCSC and 18 partner agencies treat them as separate operations.Source: NCSC 18-agency advisory, 9 July 2026
Is APT28 part of the FSB or the GRU?
APT28 is attributed to GRU Unit 26165, Russia's military intelligence service, not the FSB. Analysts distinguish it from FSB-run clusters such as FSB Centre 16 and FSB Star Blizzard, which use different tradecraft and targets.Source: NCSC / CISA
Why did NCSC name a second Russian agency for hacking routers in July 2026?
NCSC and 18 partner agencies attributed a distinct SNMP-based router-hijacking campaign to FSB Centre 16 on 9 July 2026, months after attributing a separate DNS-hijacking campaign to APT28/GRU Unit 26165, showing Russia runs parallel edge-device operations across different intelligence services.Source: NCSC 18-agency advisory