APT28 Exploits Vulnerable Routers for Global DNS Hijacking Campaign

Severity: High (Score: 77.9)

Sources: Wired-Gov, Cybersecuritynews, Justice, Cyberscoop, Prm.Ua

Summary

Russian cyber group APT28, also known as Fancy Bear, has been exploiting vulnerabilities in TP-Link and MikroTik routers to conduct large-scale DNS hijacking operations. This campaign, which has affected over 18,000 devices across 120 countries, allows attackers to intercept internet traffic and steal sensitive information, including passwords and access tokens. The group has been leveraging known vulnerabilities, such as CVE-2023-50224, to modify DNS settings and redirect users to malicious servers. The U.S. Department of Justice and FBI recently announced the takedown of a significant portion of this infrastructure in an operation dubbed 'Operation Masquerade.' The attacks have primarily targeted military, government, and critical infrastructure sectors. Authorities are urging users to update their devices and follow security best practices to mitigate risks. The NCSC and Microsoft have issued advisories detailing the ongoing threat and the need for immediate action.

Key Points

  • APT28 has compromised over 18,000 routers globally, targeting sensitive sectors.
  • The group exploits vulnerabilities in TP-Link and MikroTik routers to hijack DNS traffic.
  • Operation Masquerade successfully disrupted a significant portion of APT28's infrastructure.

Key Entities

  • Apt28 (apt_group)
  • APT 28 (apt_group)
  • Fancy Bear (apt_group)
  • Forest Blizzard (apt_group)
  • GRU (apt_group)
  • Data Breach (attack_type)
  • DDoS (attack_type)
  • Malware (attack_type)
  • Man-in-the-Middle (attack_type)
  • Phishing (attack_type)
  • FrostArmada (campaign)
  • Operation Masquerade (campaign)
  • Stop! Think Fraud (campaign)
  • Democratic National Committee (company)
  • Democratic Party (company)
  • German Air Traffic Control (company)
  • German Bundestag (company)
  • German Parliament (company)
  • MicroTik (platform)
  • MikroTik (platform)
  • Microsoft Outlook (platform)
  • Microsoft Outlook Web Access (platform)
  • Afghanistan (country)
  • France (country)
  • Germany (country)
  • Poland (country)
  • Romania (country)
  • CVE-2023-50224 (cve)
  • globe.com (domain)
  • Energy (industry)
  • Government (industry)
  • Technology (industry)
  • Authentic Antics (malware)
  • Jaguar Tooth (malware)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1071.004 - DNS (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1566 - Phishing (mitre_attack)
  • DNSmasq (tool)