Cybersecurity: Threats and Defences
17 Apr

GRU hijacks home routers for M365 logins

13:56 UTC

NCSC attributed a DNS-hijack campaign to APT28, assessed with near-certainty as GRU Unit 26165. The target was the Outlook login in the kitchen.

Key takeaway

The Russian playbook now treats the home router of a remote worker as a credential-harvesting surface.

The UK National Cyber Security Centre (NCSC) published an attribution-backed advisory on 7 April 2026 stating that APT28, a Russian state hacking group the UK assesses "almost certainly" to be GRU Unit 26165 (the 85th Main Special Service Centre of Russia's military intelligence agency), has since 2024 exploited small-office and home-office (SOHO) routers to hijack Domain Name System (DNS) resolution and conduct adversary-in-the-middle credential theft. DNS is the internet address-book service that translates human-readable names like `outlook.live.com` into numeric server addresses; control DNS and you control which server the user actually reaches.

The targeted hardware is mundane: TP-Link WR841N (via CVE-2023-50224), WR840N, Archer C7, WDR4300 and several MikroTik models. The targeted services are not. APT28 rewrote the primary DNS entry on the compromised router to point at a Virtual Private Server (VPS) running `dnsmasq-2.85` on UDP port 53, while the secondary DNS entry stayed legitimate. Only `outlook.live.com` and `outlook.office365.com`, the Microsoft 365 sign-in endpoints, resolved to the attacker-controlled server; everything else resolved normally. For a director working from home on a default-configured TP-Link, their Outlook login passed through a GRU DNS server without anything unusual appearing in their browser.

Standard corporate network monitoring sees nothing anomalous because the traffic never crosses the corporate perimeter; the interception happens upstream of the user's home router. Conventional detection cannot fix this. Architecture can. The defensive response is to treat any user's local DNS environment as untrusted for authentication traffic, which in practice means binding Microsoft 365 sign-in flows to corporate-managed DNS over HTTPS, or forcing sign-in through a trusted tunnel rather than the home ISP's resolver. The US Federal Bureau of Investigation (FBI) Internet Crime Complaint Center issued a coordinated public-service announcement, PSA260407, alongside the NCSC advisory.
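One practical check that follows from the selective rewrite described above, added here as an example and not code from the NCSC advisory or this article: a laptop-side script that asks the local resolver (normally the home router) and an enterprise-chosen trusted resolver directly for the two sign-in hostnames, then flags any name whose two answer sets share no address. The resolver addresses are the caller's assumptions, the DNS client is a minimal stdlib implementation, and because the sign-in endpoints sit behind CDNs whose answers vary, a divergence is a prompt to inspect the router's DNS settings rather than proof of compromise.

```python
import secrets
import socket
import struct

M365_LOGIN_HOSTS = ("outlook.live.com", "outlook.office365.com")  # the two redirected names

def skip_name(msg, off):
    # Advance past a (possibly compressed) domain name and return the next offset.
    while True:
        length = msg[off]
        if length == 0 or length & 0xC0 == 0xC0:   # terminator, or 2-byte compression pointer
            return off + (2 if length else 1)
        off += 1 + length

def parse_a_records(msg, txid):
    # Collect the IPv4 answers in a response; CNAME records are skipped, not followed.
    rid, flags, qd, an = struct.unpack(">HHHH", msg[:8])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    ips = set()
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips

def resolve_a(name, resolver_ip, timeout=3.0):
    # Plain UDP/53 query so the chosen resolver is asked directly, bypassing OS caches.
    txid = secrets.randbelow(65536)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # RD set, one question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(header + qname + struct.pack(">HH", 1, 1), (resolver_ip, 53))  # A, IN
        return parse_a_records(s.recv(4096), txid)

def divergent_hosts(local, trusted):
    # Flag names whose local and trusted answer sets share no address at all.
    return [h for h in local if not local[h] & trusted.get(h, set())]

def check_login_dns(local_ip, trusted_ip, hosts=M365_LOGIN_HOSTS):
    local = {h: resolve_a(h, local_ip) for h in hosts}
    trusted = {h: resolve_a(h, trusted_ip) for h in hosts}
    return divergent_hosts(local, trusted)
```

Run `check_login_dns("192.168.0.1", "<trusted resolver IP>")` from the remote laptop; a non-empty list names the sign-in hosts the router's resolver answers differently from the trusted one.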

Deep Analysis

In plain English

When you type a website address into your browser, your computer asks a service called DNS (Domain Name System) to translate that address into the numerical location of the actual server. Your home router handles this translation for all devices on your home network. Russian military intelligence (specifically, the GRU, Russia's Main Intelligence Directorate) has been hacking into cheap home routers, particularly TP-Link and MikroTik models, by exploiting security flaws or default passwords. Once inside the router, they secretly redirect only Microsoft email login pages to a server they control, while everything else works normally. The victim sees nothing unusual. When a remote worker then logs into their work email from home, their login credentials go to the GRU's server instead of Microsoft's. The GRU can then use those credentials to access the person's work account. The attack targets directors, managers, and anyone with privileged work email access.

Root Causes

Remote working policy deployed at scale since 2020 has permanently expanded the enterprise network boundary to include consumer-grade home networking equipment. Enterprise Conditional Access policies assess device compliance (EDR agent, OS version, patch level) but do not assess the network path the device uses. A fully compliant corporate laptop on a compromised home router is, from Microsoft Entra ID's perspective, indistinguishable from the same laptop on a clean network.

The selective DNS rewrite technique APT28 uses exploits the fact that consumer routers ship with a DNS management interface protected only by default admin credentials, and many users never change those credentials. CVE-2023-50224 on the TP-Link WR841N is one specific credential-extraction path, but the underlying exposure exists on any router whose admin interface is reachable from the internet with default credentials.

What could happen next?
  • Risk

    Any enterprise running remote workers on unchecked consumer networking equipment has an unmonitored M365 credential-harvesting surface that conventional corporate endpoint telemetry cannot detect.

  • Consequence

    SOHO router hardening will become a recognised enterprise security control requirement for remote-work environments, likely formalised in NCSC and NIST guidance updates in 2026 or 2027.

First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

NCSC UK · 17 Apr 2026
Different Perspectives
CISA and FBI (US government)
CISA added nine KEV CVEs, confirmed Volt Typhoon in US CNI, and lost its counter-ransomware initiative under prior cuts; the FY27 budget proposes a further $707m cut and 860 jobs. An FBI official confirmed Salt Typhoon at 200+ companies across 80 countries is 'still very, very much ongoing'.
NCSC (UK)
NCSC published attribution-backed advisories naming GRU Unit 26165 for SOHO router DNS hijacking and co-issued warnings with Dutch AIVD on FSB, APT31, and IRGC messaging-app targeting, in the same month the UK Cyber Security and Resilience Bill cleared its Public Bill Committee. The ICO's £14m Capita fine now treats NCSC guidance as the enforceable GDPR technical baseline.
European Commission
The Commission published draft Cyber Resilience Act implementation guidance on 3 March with manufacturer reporting obligations beginning 11 September 2026, while running infringement proceedings against EU member states that have not transposed NIS2. Only 14 of 27 states had fully transposed by mid-2025; Germany's post-transposition registration compliance sat at roughly one-third.
Russian foreign ministry (GRU posture)
The Russian foreign ministry has issued no formal response to the NCSC advisory attributing the SOHO router DNS-hijacking campaign to GRU Unit 26165; its standard position is that Western attribution claims are politically motivated fabrications. Russia denies state sponsorship of any offensive cyber operations against NATO infrastructure.
People's Republic of China
Tsinghua University's Center for International Security and Strategy characterised US Volt Typhoon 'sabotage pre-positioning' assessments as misrepresenting standard state signals intelligence, framing the attribution narrative as a US strategic communication exercise rather than a conclusion grounded in confirmed adversary intent. Beijing formally denies state involvement in Salt Typhoon and Volt Typhoon.
Handala
Handala publicly claimed the Stryker MDM wipe as retaliation for a February 2026 Iranian school missile strike, asserting 200,000 devices wiped and 50 terabytes exfiltrated. The public framing positions the operation as proportionate non-lethal retaliation, a characterisation no Western agency has formally attributed to IRGC command-and-control.