14 Jun

GRU hijacks home routers for M365 logins

11:51 UTC

NCSC attributed a DNS-hijack campaign to APT28, assessed with near-certainty as GRU Unit 26165. The target was the Outlook login in the kitchen.

Key takeaway

The Russian playbook now treats the home router of a remote worker as a credential-harvesting surface.

The UK National Cyber Security Centre (NCSC) published an attribution-backed advisory on 7 April 2026 stating that APT28, a Russian state hacking group the UK assesses "almost certainly" to be GRU Unit 26165 (the 85th Main Special Service Centre of Russia's military intelligence agency), has since 2024 exploited small-office and home-office (SOHO) routers to hijack Domain Name System (DNS) resolution and conduct adversary-in-the-middle credential theft [1]. DNS is the internet address-book service that translates human-readable names like `outlook.live.com` into numeric server addresses; control DNS and you control which server the user actually reaches.

The targeted hardware is mundane: TP-Link WR841N (via CVE-2023-50224), WR840N, Archer C7, WDR4300 and several MikroTik models. The targeted services are not. APT28 rewrote the primary DNS entry on the compromised router to point at a Virtual Private Server (VPS) running `dnsmasq-2.85` on UDP port 53, while the secondary DNS entry stayed legitimate. Only `outlook.live.com` and `outlook.office365.com`, the Microsoft 365 sign-in endpoints, resolved to the attacker-controlled server; everything else resolved normally. For a director working from home on a default-configured TP-Link, the Outlook login passed through a GRU DNS server without anything unusual appearing in the browser.

Standard corporate network monitoring sees nothing anomalous because the traffic never crosses the corporate perimeter: the rogue resolver address is written into the home router's own configuration, the user's device then queries the attacker's VPS directly, and the sign-in connection goes wherever that VPS answers. Conventional detection cannot fix this. Architecture can. The defensive response is to treat any user's local DNS environment as untrusted for authentication traffic, which in practice means binding Microsoft 365 sign-in flows to corporate-managed DNS over HTTPS, or forcing sign-in through a trusted tunnel rather than the home ISP's resolver. The US Federal Bureau of Investigation (FBI) Internet Crime Complaint Center issued a coordinated public-service announcement, PSA260407, alongside the NCSC advisory.
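The selective pattern described above, where only the two sign-in hostnames resolve somewhere unexpected while control names resolve normally, is itself detectable from the endpoint if the device asks the resolver it actually uses (the home router) and checks the answers against address space the organisation trusts. The script below is an added example written for this page; it is not code from the NCSC or FBI advisories. It assumes two things that are labelled in the comments: the expected prefixes are constructed placeholders (in production they would come from the Microsoft 365 endpoint feed or a corporate-managed resolver), and the sample answers are constructed to mimic the campaign. Comparing against published netblocks rather than against a single reference resolver's answer matters because CDN and geo-aware DNS legitimately return different addresses to different resolvers; raw answer-to-answer comparison would flag every remote worker.

```python
"""Audit a device's DNS answers for selective redirection of M365 sign-in names.

Added example, not part of the advisory. Run stand-alone: it audits constructed
sample answers. `live_answers()` can replace the sample on a real endpoint (it
needs network access and uses whatever resolver the host is configured with).
"""
import ipaddress
import socket
from typing import Dict, Iterable, List, Mapping

# Hostnames the advisory names as the ones APT28 redirected.
WATCHLIST = ("outlook.live.com", "outlook.office365.com")

# ASSUMPTION: constructed documentation prefixes (RFC 5737 / RFC 3849), NOT
# Microsoft's real ranges. Load real expectations from the M365 endpoint feed
# (endpoints.office.com) or from a corporate-managed resolver.
EXPECTED_PREFIXES: Dict[str, Iterable[str]] = {
    "outlook.live.com": ("203.0.113.0/24", "2001:db8:1::/48"),
    "outlook.office365.com": ("203.0.113.0/24", "2001:db8:1::/48"),
    # Control names: if these also diverge, the problem is not selective.
    "www.example.com": ("203.0.113.0/24",),
    "corp.example.com": ("203.0.113.0/24",),
}

# CONSTRUCTED sample mimicking the campaign: sign-in names answered with an
# attacker VPS address, everything else normal.
CONSTRUCTED_ANSWERS: Dict[str, Iterable[str]] = {
    "outlook.live.com": {"198.51.100.7"},
    "outlook.office365.com": {"198.51.100.7"},
    "www.example.com": {"203.0.113.10"},
    "corp.example.com": {"203.0.113.20"},
}


def live_answers(names: Iterable[str]) -> Dict[str, set]:
    """Resolve via the resolver this host actually uses (needs network)."""
    out: Dict[str, set] = {}
    for name in names:
        try:
            infos = socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)
            out[name] = {info[4][0] for info in infos}
        except socket.gaierror:
            out[name] = set()
    return out


def audit_answers(answers: Mapping[str, Iterable[str]],
                  expected: Mapping[str, Iterable[str]]) -> Dict[str, dict]:
    """For each monitored name, list answers outside the expected prefixes."""
    report: Dict[str, dict] = {}
    for name, addrs in answers.items():
        prefixes = expected.get(name)
        if prefixes is None:
            continue  # no expectation on file: unmonitored, not suspicious
        nets = [ipaddress.ip_network(p) for p in prefixes]
        # `in` returns False across address families, so mixed v4/v6 is safe.
        unexpected: List[str] = sorted(
            a for a in addrs
            if not any(ipaddress.ip_address(a) in n for n in nets)
        )
        report[name] = {"answers": sorted(addrs), "unexpected": unexpected}
    return report


def classify(report: Mapping[str, dict],
             watchlist: Iterable[str] = WATCHLIST) -> str:
    """'clean', 'selective' (only sign-in names diverge) or 'wholesale'."""
    flagged = {n for n, r in report.items() if r["unexpected"]}
    if not flagged:
        return "clean"
    if flagged <= set(watchlist):
        return "selective"  # matches the APT28 pattern described in the advisory
    return "wholesale"  # whole-resolver redirection, or stale expectation data


if __name__ == "__main__":
    rep = audit_answers(CONSTRUCTED_ANSWERS, EXPECTED_PREFIXES)
    for name, r in rep.items():
        status = "UNEXPECTED " + ",".join(r["unexpected"]) if r["unexpected"] else "ok"
        print(f"{name:24s} {status}")
    print("verdict:", classify(rep))
```

On a managed endpoint this would run at sign-in time with `live_answers(EXPECTED_PREFIXES)` in place of the constructed sample, and a `selective` verdict would block the flow or force it through the corporate tunnel before credentials are entered.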

Deep Analysis

In plain English

When you type a website address into your browser, your computer asks a service called DNS (Domain Name System) to translate that address into the numerical location of the actual server. Your home router handles this translation for all devices on your home network. Russian military intelligence (specifically, the GRU, Russia's Main Intelligence Directorate) has been hacking into cheap home routers, particularly TP-Link and MikroTik models, by exploiting security flaws or default passwords. Once inside the router, they secretly redirect only Microsoft email login pages to a server they control, while everything else works normally. The victim sees nothing unusual. When a remote worker then logs into their work email from home, their login credentials go to the GRU's server instead of Microsoft's. The GRU can then use those credentials to access the person's work account. The attack targets directors, managers, and anyone with privileged work email access.

Root Causes

Remote working policy deployed at scale since 2020 has permanently expanded the enterprise network boundary to include consumer-grade home networking equipment. Enterprise Conditional Access policies assess device compliance (EDR agent, OS version, patch level) and can constrain the source IP range, but they say nothing about the resolver that answered the device's DNS queries. A fully compliant corporate laptop behind a compromised home router is, from Microsoft Entra ID's perspective, indistinguishable from the same laptop on a clean network.

The selective DNS rewrite technique APT28 uses exploits the fact that consumer routers expose an administrative interface, DNS settings included, protected only by default credentials that many users never change. CVE-2023-50224 on the TP-Link WR841N is one specific credential-extraction path, but the underlying exposure exists on any router whose default-credential admin interface is reachable from the internet.

What could happen next?
  • Risk

    Any enterprise running remote workers on unchecked consumer networking equipment has an unmonitored M365 credential-harvesting surface that conventional corporate endpoint telemetry cannot detect.

  • Consequence

    SOHO router hardening will become a recognised enterprise security control requirement for remote-work environments, likely formalised in NCSC and NIST guidance updates in 2026 or 2027.

First Reported In

NCSC UK · 17 Apr 2026