Cybersecurity: Threats and Defences
17 Apr

GRU hijacks home routers for M365 logins

3 min read
13:56 UTC

NCSC attributed a DNS-hijack campaign to APT28, assessed with near-certainty as GRU Unit 26165. The target was the Outlook login in the kitchen.

Key takeaway

The Russian playbook now treats the home router of a remote worker as a credential-harvesting surface.

The UK National Cyber Security Centre (NCSC) published an attribution-backed advisory on 7 April 2026 stating that APT28, a Russian state hacking group the UK assesses "almost certainly" to be GRU Unit 26165 (the 85th Main Special Service Centre of Russia's military intelligence agency), has since 2024 exploited small-office and home-office (SOHO) routers to hijack Domain Name System (DNS) resolution and conduct adversary-in-the-middle credential theft [1]. DNS is the internet address-book service that translates human-readable names like `outlook.live.com` into numeric server addresses; control DNS and you control which server the user actually reaches.

The targeted hardware is mundane: TP-Link WR841N (via CVE-2023-50224), WR840N, Archer C7, WDR4300 and several MikroTik models. The targeted services are not. APT28 rewrote the primary DNS entry on the compromised router to point at a Virtual Private Server (VPS) running `dnsmasq-2.85` on UDP port 53, while the secondary DNS entry stayed legitimate. Only `outlook.live.com` and `outlook.office365.com`, the Microsoft 365 sign-in endpoints, resolved to the attacker-controlled server; everything else resolved normally. For a director working from home on a default-configured TP-Link, the Outlook login passed through a GRU DNS server without anything unusual appearing in the browser.

Standard corporate network monitoring sees nothing anomalous because the traffic never crosses the corporate perimeter; the interception happens upstream of the user's home router. Conventional detection cannot fix this. Architecture can. The defensive response is to treat any user's local DNS environment as untrusted for authentication traffic, which in practice means binding Microsoft 365 sign-in flows to corporate-managed DNS over HTTPS, or forcing sign-in through a trusted tunnel rather than the home ISP's resolver. The US Federal Bureau of Investigation (FBI) Internet Crime Complaint Center issued a coordinated public-service announcement, PSA260407, alongside the NCSC advisory.
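The selective rewrite described above (primary resolver hijacked, secondary left legitimate, only two sign-in hostnames answered differently) leaves a detectable fingerprint: the router's resolvers disagree with each other and with a trusted resolver about exactly the watch-listed names. The following is an added example, not code from the NCSC advisory or from any referenced project. It builds and parses raw DNS A queries with only the standard library so a check can be sent to a specific resolver, and compares per-resolver answers for the two advisory hostnames against a trusted corporate resolver. All IP addresses are constructed from RFC 5737 documentation ranges; the resolver addresses and the `example.com` control hostname are assumptions for illustration.

```python
"""Detect selective DNS hijack of Microsoft 365 sign-in hostnames.

Added example (not from the advisory): compare what the router-assigned
resolvers return for a watch-list of sign-in hostnames against a trusted
resolver, and flag any resolver whose answer shares no address with it.
"""
import socket
import struct

# Hostnames named in the advisory; example.com is an assumed control name that
# should resolve identically everywhere (the hijack only touched the sign-in names).
WATCHLIST = ("outlook.live.com", "outlook.office365.com", "example.com")


def build_a_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query (recursion desired) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes) -> set[str]:
    """Extract IPv4 addresses from the answer section of a DNS response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    ips: set[str] = set()
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips


def resolve_via(server: str, name: str, timeout: float = 2.0) -> set[str]:
    """Send an A query straight to `server` on UDP/53 and return its answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data)


def compare_resolvers(answers: dict[str, dict[str, set[str]]], trusted: str) -> list[str]:
    """answers[resolver][hostname] -> set of IPs.

    Flags every (resolver, hostname) pair whose answer shares no address with
    the trusted resolver's answer for the same hostname.
    """
    findings = []
    for resolver, per_host in answers.items():
        if resolver == trusted:
            continue
        for host, good in answers[trusted].items():
            local = per_host.get(host, set())
            if not local & good:
                findings.append(f"{resolver} resolves {host} to {sorted(local)}; "
                                f"trusted {trusted} says {sorted(good)}")
    return findings


# Constructed DNS response: outlook.live.com -> 203.0.113.5 (TEST-NET-3 address).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07outlook\x04live\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("203.0.113.5")
)

# Constructed answers mirroring the advisory's pattern: the router's primary
# resolver diverges only on the two sign-in names, the secondary is untouched.
SAMPLE_ANSWERS = {
    "192.0.2.53": {  # trusted corporate resolver (assumed address)
        "outlook.live.com": {"198.51.100.10"},
        "outlook.office365.com": {"198.51.100.20"},
        "example.com": {"198.51.100.30"},
    },
    "203.0.113.7": {  # router primary DNS, rewritten to a VPS (constructed)
        "outlook.live.com": {"203.0.113.5"},
        "outlook.office365.com": {"203.0.113.5"},
        "example.com": {"198.51.100.30"},
    },
    "192.0.2.1": {  # router secondary DNS, still legitimate (constructed)
        "outlook.live.com": {"198.51.100.10"},
        "outlook.office365.com": {"198.51.100.20"},
        "example.com": {"198.51.100.30"},
    },
}


if __name__ == "__main__":
    print("parsed sample response:", parse_a_records(SAMPLE_RESPONSE))
    for line in compare_resolvers(SAMPLE_ANSWERS, "192.0.2.53"):
        print("ALERT:", line)
```

In live use you would populate the answers dict by calling `resolve_via` against each resolver the router hands out via DHCP plus your trusted one. One caveat a practitioner must handle: Microsoft's sign-in hostnames are served from a CDN, so two honest resolvers can legitimately return disjoint address sets. The divergence check is therefore a trigger for investigation, not proof of compromise; the stronger test is whether the returned addresses fall inside Microsoft's published service address ranges, and the strongest defence remains the one the article names, pinning sign-in resolution to corporate-managed DNS over HTTPS or a trusted tunnel so the home resolver is never consulted.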

Deep Analysis

In plain English

When you type a website address into your browser, your computer asks a service called DNS (Domain Name System) to translate that address into the numerical location of the actual server. Your home router handles this translation for all devices on your home network. Russian military intelligence (specifically, the GRU, Russia's Main Intelligence Directorate) has been hacking into cheap home routers, particularly TP-Link and MikroTik models, by exploiting security flaws or default passwords. Once inside the router, they secretly redirect only Microsoft email login pages to a server they control, while everything else works normally. The victim sees nothing unusual. When a remote worker then logs into their work email from home, their login credentials go to the GRU's server instead of Microsoft's. The GRU can then use those credentials to access the person's work account. The attack targets directors, managers, and anyone with privileged work email access.

Root Causes

Remote working policy deployed at scale since 2020 has permanently expanded the enterprise network boundary to include consumer-grade home networking equipment. Enterprise Conditional Access policies assess device compliance (EDR agent, OS version, patch level) but do not assess the network path the device uses. A fully compliant corporate laptop on a compromised home router is, from Microsoft Entra ID's perspective, indistinguishable from the same laptop on a clean network.

The selective DNS rewrite technique APT28 uses exploits the fact that consumer routers expose their DNS settings through an admin interface protected only by factory-default credentials, and many users never change those credentials. CVE-2023-50224 on the TP-Link WR841N is a specific credential-extraction path, but the underlying exposure exists on any router whose default-credential admin interface is reachable from the internet.

What could happen next?
  • Risk

    Any enterprise running remote workers on unchecked consumer networking equipment has an unmonitored M365 credential-harvesting surface that conventional corporate endpoint telemetry cannot detect.

  • Consequence

    SOHO router hardening will become a recognised enterprise security control requirement for remote-work environments, likely formalised in NCSC and NIST guidance updates in 2026 or 2027.

First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

NCSC UK · 17 Apr 2026
Different Perspectives
Google Threat Intelligence Group
GTIG's attribution of the GitHub breach extends UNC6780's documented arc from SAP npm through Cisco AI Defense to GitHub's own estate; its 36-hour LiteLLM exploitation set the speed benchmark CISA AA26-148A is designed to address. GTIG's published tracking gives defenders the actor profile needed to assess their own developer-toolchain exposure.
Enterprise security buyers / CISO community
For enterprise security leaders, two KEV AI-orchestration entries in three weeks (LiteLLM 8 May, Langflow 21 May) convert shadow AI tooling from a governance risk to a confirmed attack surface requiring immediate software asset inventory. The 65 per cent gap in enterprise AI tool inventories documented by Wiz Research is now a liability rather than a compliance footnote.
DSIT / UK Government
DSIT framed the £14.7 billion sector figure and the Cyber Resilience Pledge as a paired signal: commercial strength alongside supply-chain accountability, with £90 million targeting the NHS supplier exposure this briefing's threat events directly illustrate. The voluntary Pledge's enforceability gap, prior to the Cyber Security and Resilience Bill reaching Royal Assent, is the question its launch does not answer.
GitHub / Microsoft
GitHub confirmed that no customer repositories or user data were affected by the Nx Console breach, but acknowledged approximately 3,800 internal repositories were cloned and referred to CISA Alert AA26-148A's allow-listing guidance. The incident puts Microsoft in the position of operating a marketplace whose publisher-verification gap is now a documented attack vector in a federal advisory.
Tsinghua University Institute for International Strategic Studies
Beijing-aligned commentary rejects US attribution of PRC-nexus clusters (UNC2814, APT45, UAT-8616) as politically motivated framing, characterising the April sixteen-agency joint advisory as coordinated Western pressure rather than independent technical assessment.
Cisco
Cisco has not confirmed the UNC6780 breach scope beyond the named AI Defense and AI Assistant projects; GitHub confirmed an investigation. CVE-2026-20182 is the sixth Cisco SD-WAN KEV entry in 2026, reaching that milestone the same week UNC6780's source-code visibility into the portfolio became public.