Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
8MAY

GRU hijacks home routers for M365 logins

3 min read
10:57UTC

NCSC attributed a DNS-hijack campaign to APT28, assessed with near-certainty as GRU Unit 26165. The target was the Outlook login in the kitchen.

TechnologyAssessed
Key takeaway

The Russian playbook now treats the home router of a remote worker as a credential-harvesting surface.

The UK National Cyber Security Centre (NCSC) published an attribution-backed advisory on 7 April 2026 stating that APT28, a Russian state hacking group the UK assesses "almost certainly" to be GRU Unit 26165 (the 85th Main Special Service Centre of Russia's military intelligence agency), has since 2024 exploited small-office and home-office (SOHO) routers to hijack Domain Name System (DNS) resolution and conduct adversary-in-the-middle credential theft 1. DNS is the internet address-book service that translates human-readable names like `outlook.live.com` into numeric server addresses; control DNS and you control which server the user actually reaches.

The targeted hardware is mundane: TP-Link WR841N (via CVE-2023-50224), WR840N, ARCHeR C7, WDR4300 and several MikroTik models. The targeted services are not. APT28 rewrote the primary DNS entry on the compromised router to a Virtual Private Server (VPS) running `dnsmasq-2.85` on UDP port 53, while the secondary DNS stayed legitimate. Only `outlook.live.com` and `outlook.office365.com`, the Microsoft 365 sign-in endpoints, resolved to the attacker-controlled server; everything else resolved normally. For a director working from home on a default-configured TP-Link, their Outlook login passed through a GRU DNS server without anything unusual appearing in their browser.

Standard corporate network monitoring sees nothing anomalous because the traffic never crosses the corporate perimeter; the interception happens upstream of the user's home router. Conventional detection cannot fix this. Architecture can. The defensive response is to treat any user's local DNS environment as untrusted for authentication traffic, which in practice means binding Microsoft 365 sign-in flows to corporate-managed DNS over HTTPS, or forcing sign-in through a trusted tunnel rather than the home ISP's resolver. The US Federal Bureau of Investigation (FBI) Internet Crime Complaint Center issued a coordinated public-service announcement, PSA260407, alongside the NCSC advisory.

Deep Analysis

In plain English

When you type a website address into your browser, your computer asks a service called DNS (Domain Name System) to translate that address into the numerical location of the actual server. Your home router handles this translation for all devices on your home network. Russian military intelligence (specifically, the GRU, Russia's Main Intelligence Directorate) has been hacking into cheap home routers, particularly TP-Link and MikroTik models, by exploiting security flaws or default passwords. Once inside the router, they secretly redirect only Microsoft email login pages to a server they control, while everything else works normally. The victim sees nothing unusual. When a remote worker then logs into their work email from home, their login credentials go to the GRU's server instead of Microsoft's. The GRU can then use those credentials to access the person's work account. The attack targets directors, managers, and anyone with privileged work email access.

Deep Analysis
Root Causes

Remote working policy deployed at scale since 2020 has permanently expanded the enterprise network boundary to include consumer-grade home networking equipment. Enterprise Conditional Access policies assess device compliance (EDR agent, OS version, patch level) but do not assess the network path the device uses. A fully compliant corporate laptop on a compromised home router is, from Microsoft Entra ID's perspective, indistinguishable from the same laptop on a clean network.

The selective DNS rewrite technique APT28 uses exploits the fact that consumer routers expose their DNS management interface on their default admin credentials, and many users never change those credentials. CVE-2023-50224 on the TP-Link WR841N is a specific credential-extraction path; but the underlying exposure exists on any router with a default-credential admin interface reachable from the internet.

What could happen next?
  • Risk

    Any enterprise running remote workers on unchecked consumer networking equipment has an unmonitored M365 credential-harvesting surface that conventional corporate endpoint telemetry cannot detect.

  • Consequence

    SOHO router hardening will become a recognised enterprise security control requirement for remote-work environments, likely formalised in NCSC and NIST guidance updates in 2026 or 2027.

First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

NCSC UK· 17 Apr 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.