
APT28 exploits routers to enable DNS hijacking operations

· Published 07/04/2026 15:57 · Modified 08/04/2026 11:02


Essential information

Published
07/04/2026 15:57
Modified
08/04/2026 11:02
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
apt28 dns hijacking exploit oauth russia tp-link
Tags
2026-04-07 apt28 dns hijacking exploit oauth russia tp-link
Related entities
1 vulnerabilities (cve), 58 indicators, 58 observables, 1 intrusion sets (apt), 6 techniques (mitre)

Description

Russian cyber actors have been exploiting routers to overwrite Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings so that client traffic is redirected through attacker-controlled DNS servers. The resulting malicious DNS resolutions enable adversary-in-the-middle (AitM) attacks that harvest passwords, tokens and other credentials for web- and email-related services. This puts organisations at risk of credential theft, data manipulation and broader compromise.

External references