Cybersecurity: Threats and Defences
7 Jun, 10:08 UTC

GRU hijacks home routers for M365 logins

3 min read

NCSC attributed a DNS-hijack campaign to APT28, assessed with near-certainty as GRU Unit 26165. The target was the Outlook login in the kitchen.

Technology · Assessed
Key takeaway

The Russian playbook now treats the home router of a remote worker as a credential-harvesting surface.

The UK National Cyber Security Centre (NCSC) published an attribution-backed advisory on 7 April 2026 stating that APT28, a Russian state hacking group the UK assesses "almost certainly" to be GRU Unit 26165 (the 85th Main Special Service Centre of Russia's military intelligence agency), has since 2024 exploited small-office and home-office (SOHO) routers to hijack Domain Name System (DNS) resolution and conduct adversary-in-the-middle credential theft [1]. DNS is the internet address-book service that translates human-readable names like `outlook.live.com` into numeric server addresses; control DNS and you control which server the user actually reaches.

The targeted hardware is mundane: TP-Link WR841N (via CVE-2023-50224), WR840N, Archer C7, WDR4300 and several MikroTik models. The targeted services are not. APT28 rewrote the primary DNS entry on the compromised router to point at a Virtual Private Server (VPS) running `dnsmasq-2.85` on UDP port 53, while the secondary DNS entry stayed legitimate. Only `outlook.live.com` and `outlook.office365.com`, the Microsoft 365 sign-in endpoints, resolved to the attacker-controlled server; every other name resolved normally. For a director working from home on a default-configured TP-Link, the Outlook login passed through a GRU DNS server without anything unusual appearing in the browser.

Standard corporate network monitoring sees nothing anomalous because the traffic never crosses the corporate perimeter; the interception happens upstream of the user's home router. Conventional detection cannot fix this. Architecture can. The defensive response is to treat any user's local DNS environment as untrusted for authentication traffic, which in practice means binding Microsoft 365 sign-in flows to corporate-managed DNS over HTTPS, or forcing sign-in through a trusted tunnel rather than the home ISP's resolver. The US Federal Bureau of Investigation (FBI) Internet Crime Complaint Center issued a coordinated public-service announcement, PSA260407, alongside the NCSC advisory.
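The hijack described above has a detectable asymmetry: the primary resolver was rewritten, the secondary stayed legitimate, and only two names were answered differently. The following check, added here as an example and not code from the advisory or from NCSC, compares the answers both router-configured resolvers give for the same names and flags the M365 sign-in endpoints when they disagree; the resolver answers are constructed sample data using RFC 5737 documentation addresses.

```python
"""Cross-resolver check for the selective DNS hijack described above.
The router's primary DNS was rewritten while the secondary stayed legitimate, and
only the two M365 sign-in names were answered differently; comparing both
resolvers' answers per name exposes that. Sample answers below are constructed."""
import ipaddress
from dataclasses import dataclass

# Names the advisory says were selectively redirected.
WATCHED_NAMES = {"outlook.live.com", "outlook.office365.com"}

@dataclass(frozen=True)
class Finding:
    name: str
    primary: frozenset
    secondary: frozenset
    reason: str

def _addresses(answers):
    """Parse answer strings into a set of IP addresses, dropping unparseable ones."""
    out = set()
    for a in answers:
        try:
            out.add(ipaddress.ip_address(a.strip()))
        except ValueError:
            continue
    return frozenset(out)

def compare_resolvers(primary_view, secondary_view):
    """Flag names whose primary and secondary answers share no address.
    Views map name -> list of answer strings. CDN rotation makes resolvers
    disagree legitimately, so only a watched sign-in name is reported as
    'selective_hijack'; any other disagreement is 'divergent'."""
    findings = []
    for name in sorted(set(primary_view) | set(secondary_view)):
        p = _addresses(primary_view.get(name, []))
        s = _addresses(secondary_view.get(name, []))
        if not p or not s:
            findings.append(Finding(name, p, s, "missing_answer"))
        elif not (p & s):
            reason = "selective_hijack" if name in WATCHED_NAMES else "divergent"
            findings.append(Finding(name, p, s, reason))
    return findings

# Constructed sample: RFC 5737 documentation addresses stand in for real hosts;
# the primary resolver lies only for the two sign-in names.
PRIMARY_VIEW = {"outlook.live.com": ["192.0.2.10"], "outlook.office365.com": ["192.0.2.10"],
                "example.com": ["198.51.100.20"], "www.example.org": ["203.0.113.5"]}
SECONDARY_VIEW = {"outlook.live.com": ["203.0.113.40", "203.0.113.41"], "outlook.office365.com": ["203.0.113.42"],
                  "example.com": ["198.51.100.20"], "www.example.org": ["203.0.113.5"]}
print(*compare_resolvers(PRIMARY_VIEW, SECONDARY_VIEW), sep="\n")
```

Disagreement between two resolvers is only a signal, not proof; in practice the secondary view should come from a resolver the enterprise controls (for example over DNS over HTTPS), which is the architectural fix the paragraph above describes.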

Deep Analysis

In plain English

When you type a website address into your browser, your computer asks a service called DNS (Domain Name System) to translate that address into the numerical location of the actual server. Your home router handles this translation for all devices on your home network. Russian military intelligence (specifically, the GRU, Russia's Main Intelligence Directorate) has been hacking into cheap home routers, particularly TP-Link and MikroTik models, by exploiting security flaws or default passwords. Once inside the router, they secretly redirect only Microsoft email login pages to a server they control, while everything else works normally. The victim sees nothing unusual. When a remote worker then logs into their work email from home, their login credentials go to the GRU's server instead of Microsoft's. The GRU can then use those credentials to access the person's work account. The attack targets directors, managers, and anyone with privileged work email access.

Root Causes

Remote working policy deployed at scale since 2020 has permanently expanded the enterprise network boundary to include consumer-grade home networking equipment. Enterprise Conditional Access policies assess device compliance (EDR agent, OS version, patch level) but do not assess the network path the device uses. A fully compliant corporate laptop on a compromised home router is, from Microsoft Entra ID's perspective, indistinguishable from the same laptop on a clean network.

The selective DNS rewrite technique APT28 uses exploits the fact that consumer routers expose their DNS settings through an admin interface protected only by default credentials, and many users never change those credentials. CVE-2023-50224 on the TP-Link WR841N is one specific credential-extraction path, but the underlying exposure exists on any router whose default-credential admin interface is reachable from the internet.

What could happen next?
  • Risk

    Any enterprise running remote workers on unchecked consumer networking equipment has an unmonitored M365 credential-harvesting surface that conventional corporate endpoint telemetry cannot detect.

  • Consequence

    SOHO router hardening will become a recognised enterprise security control requirement for remote-work environments, likely formalised in NCSC and NIST guidance updates in 2026 or 2027.

First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

NCSC UK · 17 Apr 2026
Different Perspectives
Australian Cyber Security Centre (ACSC)
Australia's 18 of 95 May ransomware victims, nearly 19 per cent of global disclosed attacks against 0.3 per cent of global GDP, reflects end-of-life Windows Server concentration in healthcare, under-resourced national incident-response capacity, and time-zone isolation that slows vendor-assisted containment during peak attack windows.
Europol / international law enforcement
Operation Saffron's 27-country coordination set a new geographic breadth record for criminal-infrastructure seizure. The absence of an arrest alongside the server seizures limits durable impact: VPNLab.net and DoubleVPN precedents show gangs reconstitute on alternative hosts within two to four weeks.
UK Parliament (Cyber Security and Resilience Bill)
The Bill reaches Commons Report Stage on 10 June with penalties up to 4 per cent of global turnover. Qilin's NHS Synnovis attack in June 2024 and INC_RANSOM's Stuga Machinery posting on 5 June give the legislation a domestic evidence base connecting KEV-class exposure directly to UK CNI and supply-chain targeting.
German BSI / EU enterprise operator perspective
The 17-month lag between Oracle's January 2024 WebLogic patch and active exploitation confirms that CVSS 7.5 keeps a flaw below emergency-patch thresholds in most programmes, even when T3/IIOP exploitation is a documented recurring chain. BSI's T3/IIOP disablement guidance offers a network-layer mitigation that survives Oracle's quarterly patch cycle without requiring unscheduled downtime.
ENISA / EU cybersecurity regulator
NIS360's risk-zone designations for water and rail, following NCAF 2.0 in April, give member-state authorities a documented enforcement basis under NIS2. Fine ceilings at EUR 10 million cover essential entities; sub-threshold municipal water operators fall outside that scope, so designation without sector-level funding creates a perverse incentive to defer rather than remediate.
US federal CISO (FCEB agency)
Four staggered June deadlines covered WebLogic middleware, Linux containers, Android device fleets and Magento storefronts in a single fortnight, forcing triage that exposes whichever stack ranks lowest. CISA's proposed $707 million budget cut alongside this enforcement acceleration creates a direct credibility gap: the mandate grows while the capacity to sustain it shrinks.