(TLP:CLEAR) Russian APT Actors Exploit Vulnerable Routers for DNS Hijacking
Created: Thursday, April 9, 2026 - 15:06
Categories: Cybersecurity, Federal & State Resources, Security Preparedness
Summary: On April 7, the FBI, in coordination with other federal and international partners, released a Public Service Announcement (PSA) warning that Russian General Staff Main Intelligence Directorate (GRU) cyber actors are actively exploiting vulnerable, end-of-life routers to enable persistent access and facilitate follow-on activity, including credential harvesting and network reconnaissance. Similarly, the UK’s National Cyber Security Centre reports that APT28 (a GRU-affiliated group) is leveraging vulnerabilities to conduct DNS hijacking operations, redirecting legitimate traffic to adversary-controlled infrastructure.
Analyst Note: Members are encouraged to review the PSA and NCSC alert for specific tactics, techniques, and affected device types, and to implement the following mitigations:
- Identify and replace end-of-life networking equipment
- Update to the latest firmware versions
- Change default usernames and passwords
- Disable access to remote management interfaces from the internet
- Monitor for unauthorized DNS configuration changes
Additional mitigation guidance and details are available within the referenced reports.
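One way to act on the last mitigation on a Linux or Unix host is to compare the resolvers a machine has actually been handed (for example by the router's DHCP service) against an approved baseline. This is an added example, not taken from the PSA or the NCSC alert; the baseline addresses, the function names and the sample resolv.conf content are constructed assumptions.

```python
import ipaddress

# Assumed baseline: resolvers this site has approved. Constructed values
# drawn from private and documentation address ranges.
APPROVED_RESOLVERS = ["192.168.1.1", "10.20.0.0/28", "2001:db8:53::/64"]

# Constructed sample of what a DHCP client might write to /etc/resolv.conf.
SAMPLE_RESOLV_CONF = """\
# written by DHCP client
search corp.example
nameserver 192.168.1.1
nameserver 203.0.113.53
nameserver 2001:db8:53::10
"""

def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        # Drop comments ('#' or ';') before looking at the directive.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def unauthorized_resolvers(resolv_conf_text, approved=APPROVED_RESOLVERS):
    """Return (address, reason) for every resolver outside the baseline."""
    networks = [ipaddress.ip_network(a, strict=False) for a in approved]
    findings = []
    for server in parse_nameservers(resolv_conf_text):
        try:
            # Strip an IPv6 zone id such as '%eth0' before parsing.
            addr = ipaddress.ip_address(server.split("%", 1)[0])
        except ValueError:
            findings.append((server, "not a valid IP address"))
            continue
        if not any(addr.version == n.version and addr in n for n in networks):
            findings.append((server, "not in approved resolver baseline"))
    return findings

if __name__ == "__main__":
    # On a real host, read /etc/resolv.conf instead of the sample.
    for address, reason in unauthorized_resolvers(SAMPLE_RESOLV_CONF):
        print(f"ALERT: resolver {address}: {reason}")
```

On hosts running systemd-resolved, /etc/resolv.conf usually lists only the local stub, so feed the function /run/systemd/resolve/resolv.conf to see the upstream resolvers.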
Original Sources:
- https://www.ic3.gov/PSA/2026/PSA260407
- https://www.ncsc.gov.uk/news/apt28-exploit-routers-to-enable-dns-hijacking-operations
Related WaterISAC PIRs: 6, 7, 7.1, 8, 10, 10.2, 11, 12
