A joint advisory from the UK NCSC, NSA, CISA, and European partner agencies published in April 2026 details an APT28 campaign targeting SOHO routers, specifically unpatched TP-Link devices, to perform DNS hijacking against NATO member defense organizations and Ukrainian government prosecutors. The campaign has been active since at least mid-2025. 27 emails from the Greek Hellenic National Defence General Staff were captured. Over 170 Ukrainian prosecutorial and investigative accounts were compromised. The method: your router, not your laptop, was the entry point.
When an attacker controls your router's DNS resolver, credential theft happens at the network layer. Endpoint detection tools running on the victim's laptop see a normal HTTPS connection to what appears to be login.microsoftonline.com. The interception is invisible to the end user and most security tooling.
The Technique: Router-Based AiTM
APT28's technique in this campaign is adversary-in-the-middle (AiTM) credential capture via compromised SOHO routers. The attack begins with exploitation of CVE-2023-50224, an authentication bypass in TP-Link Archer routers that was patched in December 2023 but remains unpatched on tens of thousands of devices deployed in homes and small offices across NATO countries.
Once inside the router, APT28 modifies the DNS resolver configuration to point to their own controlled DNS servers. The change is typically limited to specific domains: Microsoft 365 authentication endpoints including login.microsoftonline.com, login.microsoft.com, and associated OAuth redirect URLs. All other DNS resolution continues normally. The victim experiences no obvious connectivity disruption.
When a user on the network authenticates to Microsoft 365, their browser resolves the M365 login domain to an APT28-controlled IP serving a cloned authentication page over valid HTTPS. The attacker's infrastructure obtains a legitimate SSL certificate for the phishing domain using automated certificate issuance, making the browser padlock appear green. Credentials and session tokens are captured in real time and forwarded to the legitimate M365 service, so the user completes login successfully and sees no error.
The session token capture is the critical element. Modern MFA protects credentials but not session tokens. Once APT28 captures the post-authentication session token from an M365 login, they can replay it from their own infrastructure to access the victim's mailbox, SharePoint, and Teams data without needing the password or satisfying the MFA prompt.
Attack Path
Who Was Targeted and What Was Taken
The advisory identifies two primary target sets. The first is the Greek Hellenic National Defence General Staff (HNDGS), Greece's senior military command. 27 email accounts were confirmed compromised. The content of the captured emails has not been publicly disclosed, but HNDGS coordinates NATO operations in the Eastern Mediterranean region, making it a high-value intelligence target for GRU operations.
The second target set is Ukrainian prosecutors and criminal investigators. Over 170 accounts were compromised across several Ukrainian law enforcement agencies. Ukraine's Prosecutor General's Office handles war crimes investigations, including documentation of Russian military conduct in occupied territories. Access to those accounts represents a significant counterintelligence objective for Russian military intelligence.
The advisory notes that APT28 has been using this SOHO router exploitation technique across multiple campaigns since at least 2023. The specific TP-Link vulnerability is new; the broader method of pivoting through unmanaged network devices to avoid endpoint detection is a consistent GRU tradecraft pattern documented across multiple prior campaigns.
Mitigation and Defensive Measures
The immediate technical action is to patch or replace affected TP-Link routers. CVE-2023-50224 affects the TP-Link Archer AX21, AX17, AX55, and several related models. Firmware version 1.1.4 Build 20230219 or later addresses the vulnerability. If a firmware update is not possible, the router should be replaced.
Beyond the specific vulnerability, the campaign highlights a broader defensive gap: most organizations have no visibility into the DNS resolver settings on SOHO devices used by employees working from home or small offices. When the router is compromised, the endpoint looks fine, the laptop looks fine, and the M365 logs show a successful login from a known IP. The anomaly is visible only at the router or in the DNS layer.
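The check a defender can run against that gap, as an added example that is not code from the advisory or from RedEye Security: resolve the M365 login hostnames through the local resolver (normally the SOHO router), resolve the same names through an out-of-band reference (for example over DoH), and report any name whose local answer is neither in the reference answer set nor inside an expected address range; it also compares the router's configured upstream resolvers against an allowlist. The sample answers, the router resolver list and the EXPECTED_PREFIXES value are constructed (RFC 5737 documentation ranges stand in for the real Microsoft service ranges an organisation would load), and function names such as audit and classify are this example's own.

```python
"""Check whether the local resolver is rewriting Microsoft 365 login domains.

Added example, not code from the advisory or from RedEye Security. Everything
below the function definitions is constructed sample data; EXPECTED_PREFIXES
uses an RFC 5737 documentation range as a placeholder for the published
Microsoft ranges a real deployment would load.
"""
import ipaddress
import socket
from typing import Dict, Iterable, List

# Hostnames the advisory says the campaign rewrites; other names resolve normally.
WATCHLIST = ["login.microsoftonline.com", "login.microsoft.com"]

# Upstream resolvers the mitigation list names as acceptable (ISP resolvers would be added).
TRUSTED_RESOLVERS = {"1.1.1.1", "8.8.8.8"}

# PLACEHOLDER prefix (RFC 5737 TEST-NET-3) standing in for published Microsoft ranges.
EXPECTED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def unexpected_resolvers(configured: Iterable[str], trusted=TRUSTED_RESOLVERS) -> List[str]:
    """Return configured upstream resolver addresses that are not on the trusted list."""
    return sorted(ip for ip in configured if ip not in trusted)


def resolve_with_system(hostname: str) -> List[str]:
    """Live helper (not used by the sample run): IPv4 answers from the OS resolver."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def classify(hostname: str, local: List[str], reference: List[str],
             prefixes=EXPECTED_PREFIXES) -> Dict[str, object]:
    """Compare one hostname's local answers with the reference answers.

    An address is acceptable if the reference resolver also returned it, or if
    it falls inside an expected prefix (CDN answers legitimately vary by region).
    Anything else is reported as suspect.
    """
    suspect = []
    for addr in local:
        inside_expected = any(ipaddress.ip_address(addr) in net for net in prefixes)
        if addr not in reference and not inside_expected:
            suspect.append(addr)
    return {
        "hostname": hostname,
        "verdict": "hijack-suspect" if suspect else "ok",
        "suspect_answers": suspect,
    }


def audit(local_answers: Dict[str, List[str]],
          reference_answers: Dict[str, List[str]],
          watchlist=WATCHLIST) -> List[Dict[str, object]]:
    """Classify every watch-listed hostname; a missing local answer is reported too."""
    findings = []
    for name in watchlist:
        if name not in local_answers:
            findings.append({"hostname": name, "verdict": "no-local-answer",
                             "suspect_answers": []})
            continue
        findings.append(classify(name, local_answers[name], reference_answers.get(name, [])))
    return findings


# Constructed sample: only login.microsoftonline.com has been rewritten by the router.
SAMPLE_LOCAL = {
    "login.microsoftonline.com": ["198.51.100.7"],   # outside reference and expected ranges
    "login.microsoft.com": ["203.0.113.20"],
    "www.example.com": ["203.0.113.50"],             # non-M365 name, untouched
}
SAMPLE_REFERENCE = {
    "login.microsoftonline.com": ["203.0.113.10"],
    "login.microsoft.com": ["203.0.113.20"],
    "www.example.com": ["203.0.113.50"],
}
SAMPLE_ROUTER_RESOLVERS = ["8.8.8.8", "198.51.100.53"]  # second entry is not on the trusted list


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOCAL, SAMPLE_REFERENCE):
        print(finding)
    print("unexpected upstream resolvers:", unexpected_resolvers(SAMPLE_ROUTER_RESOLVERS))
```

Because the campaign rewrites only the authentication hostnames, a general "is DNS working" test passes; the comparison has to be per-name and against an answer source the router cannot influence, which is why the reference answers are fetched out of band rather than through the same resolver.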
- Patch TP-Link routers to firmware 1.1.4 Build 20230219 or later; replace end-of-life models immediately
- Enforce DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) on managed endpoints so DNS resolution bypasses the local router resolver
- Deploy Microsoft Entra ID Conditional Access policies requiring compliant devices; session tokens stolen via AiTM cannot satisfy device compliance checks
- Enable Microsoft 365 Continuous Access Evaluation (CAE) to revoke sessions when anomalous access patterns are detected
- Audit sign-in logs for impossible travel or concurrent sessions from different geographic locations
- Educate remote workers to verify their router's DNS settings periodically; expected upstream resolvers should match their ISP or a known resolver like 1.1.1.1 or 8.8.8.8
- Consider hardware security keys (FIDO2) as the MFA method; FIDO2 is phishing-resistant and immune to the session token relay attack
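The sign-in log audit from the list above, as an added example rather than code from the advisory or RedEye Security: it flags consecutive sign-ins by one user that would require an impossible travel speed, and sign-ins from two countries inside a short window, which is what a replayed session token used from attacker infrastructure looks like while the victim keeps working. The records are constructed in a simplified shape (user, UTC timestamp, source IP, geolocated city and coordinates); a real Entra ID sign-in export would be mapped onto these fields first, and the thresholds MAX_SPEED_KMH and CONCURRENCY_WINDOW_MIN are illustrative choices, not values from the advisory.

```python
"""Flag impossible travel and concurrent far-apart sessions in sign-in logs.

Added example, not the advisory's or RedEye Security's code. SAMPLE_SIGNINS is
constructed: coordinates are city centroids, IPs are RFC 5737 addresses.
"""
from datetime import datetime, timedelta
from itertools import groupby
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List

MAX_SPEED_KMH = 900            # illustrative: faster than a commercial flight between sign-ins
CONCURRENCY_WINDOW_MIN = 60    # illustrative: two countries inside this window is concurrent use
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def _by_user(records: List[Dict]) -> Dict[str, List[Dict]]:
    """Group records per user, ordered by time."""
    ordered = sorted(records, key=lambda r: (r["user"], r["time"]))
    return {user: list(rows) for user, rows in groupby(ordered, key=lambda r: r["user"])}


def find_impossible_travel(records: List[Dict], max_kmh=MAX_SPEED_KMH) -> List[Dict]:
    """Consecutive sign-ins by one user that imply a speed above max_kmh."""
    findings = []
    for user, rows in _by_user(records).items():
        for prev, cur in zip(rows, rows[1:]):
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = km / hours if hours > 0 else float("inf")
            if km > 0 and speed > max_kmh:
                findings.append({"user": user, "from": prev["city"], "to": cur["city"],
                                 "km": round(km), "kmh": round(speed), "ip": cur["ip"]})
    return findings


def find_concurrent_countries(records: List[Dict],
                              window_min=CONCURRENCY_WINDOW_MIN) -> List[Dict]:
    """Sign-ins by one user from two different countries within window_min minutes."""
    findings = []
    window = timedelta(minutes=window_min)
    for user, rows in _by_user(records).items():
        for i, first in enumerate(rows):
            for second in rows[i + 1:]:
                gap = second["time"] - first["time"]
                if gap > window:
                    break                      # rows are time-ordered, nothing later fits
                if second["country"] != first["country"]:
                    findings.append({"user": user,
                                     "countries": (first["country"], second["country"]),
                                     "minutes_apart": int(gap.total_seconds() // 60)})
    return findings


def _t(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp)


def _rec(user, stamp, ip, city, country, lat, lon) -> Dict:
    return {"user": user, "time": _t(stamp), "ip": ip, "city": city,
            "country": country, "lat": lat, "lon": lon}


# Constructed sample: alice's second sign-in is far away minutes later, bob stays put,
# carol moves between two nearby cities at a plausible speed.
SAMPLE_SIGNINS = [
    _rec("alice", "2026-04-14T09:00:00+00:00", "203.0.113.10", "Athens", "GR", 37.98, 23.73),
    _rec("alice", "2026-04-14T09:45:00+00:00", "198.51.100.77", "Helsinki", "FI", 60.17, 24.94),
    _rec("bob", "2026-04-14T09:00:00+00:00", "203.0.113.11", "Athens", "GR", 37.98, 23.73),
    _rec("bob", "2026-04-14T12:00:00+00:00", "203.0.113.11", "Athens", "GR", 37.98, 23.73),
    _rec("carol", "2026-04-14T09:00:00+00:00", "203.0.113.12", "Athens", "GR", 37.98, 23.73),
    _rec("carol", "2026-04-14T09:30:00+00:00", "203.0.113.40", "Thessaloniki", "GR", 40.64, 22.94),
]


if __name__ == "__main__":
    for finding in find_impossible_travel(SAMPLE_SIGNINS):
        print("impossible travel:", finding)
    for finding in find_concurrent_countries(SAMPLE_SIGNINS):
        print("concurrent countries:", finding)
```

Both detections depend on the M365 log recording the true source of the replayed token; a session replayed from infrastructure in the victim's own region would pass this check, which is why the list pairs it with device-compliance Conditional Access and CAE rather than relying on log review alone.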
TOTP codes and push notifications can be bypassed by AiTM attacks. FIDO2 hardware keys (YubiKey, Titan) bind authentication to the legitimate domain at the cryptographic level. Even if DNS is hijacked, a FIDO2 authenticator will refuse to authenticate to a spoofed domain.
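A simplified model of that domain binding, added here as an example and not taken from the advisory: it shows the three places a spoofed login site fails even with a valid HTTPS certificate for its own domain. The browser only lets a page request an RP ID that matches its effective domain, the authenticator holds credentials scoped to the RP ID they were registered for, and the relying party checks the challenge, the origin the browser recorded, and the rpIdHash in the authenticator data. The signature an authenticator computes over authenticatorData and SHA-256(clientDataJSON) is omitted because the checks shown are what it covers; the phishing origin, the credential store, and names such as attempt_login are this example's own.

```python
"""Why a FIDO2/WebAuthn assertion cannot be relayed from a spoofed domain.

Added example, not from the advisory. PHISHING_ORIGIN and SAMPLE_CREDENTIALS are
constructed; the real signature step is omitted (see the lead-in).
"""
import hashlib
import json
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

RP_ID = "login.microsoftonline.com"                 # identifier the credential was registered for
EXPECTED_ORIGIN = "https://login.microsoftonline.com"
PHISHING_ORIGIN = "https://login-portal.example"     # constructed spoofed site, valid cert assumed


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def browser_permits_rp_id(origin: str, rp_id: str) -> bool:
    """Check 1 (browser): the requested RP ID must be the page's effective domain
    or a parent of it. Simplified: browsers also reject public suffixes like 'com'."""
    host = urlsplit(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def authenticator_get_assertion(credentials: Dict[str, str], rp_id: str,
                                client_data_json: bytes) -> Optional[Dict[str, bytes]]:
    """Check 2 (authenticator): credentials are scoped to the RP ID they were
    created for, so there is nothing to present for any other RP ID.
    authenticatorData begins with SHA-256(rpId), which the RP verifies later."""
    credential_id = credentials.get(rp_id)
    if credential_id is None:
        return None
    return {"credential_id": credential_id.encode(),
            "authenticator_data": sha256(rp_id.encode()),   # rpIdHash prefix only
            "client_data_json": client_data_json}


def rp_verify(assertion: Dict[str, bytes], issued_challenge: str,
              expected_origin: str, rp_id: str) -> Tuple[bool, str]:
    """Check 3 (relying party): challenge, origin and rpIdHash must all match."""
    client_data = json.loads(assertion["client_data_json"])
    if client_data.get("challenge") != issued_challenge:
        return False, "challenge mismatch"
    if client_data.get("origin") != expected_origin:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    if assertion["authenticator_data"][:32] != sha256(rp_id.encode()):
        return False, "rpIdHash mismatch"
    return True, "ok"


def attempt_login(page_origin: str, requested_rp_id: str, challenge: str,
                  credentials: Dict[str, str]) -> Tuple[bool, str]:
    """End-to-end: the page at page_origin asks the browser for an assertion and
    submits it to the real RP, which issued `challenge` (relayed in the AiTM case)."""
    if not browser_permits_rp_id(page_origin, requested_rp_id):
        return False, "browser refused rp id " + requested_rp_id
    # The browser, not the page, records the origin it actually loaded.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    assertion = authenticator_get_assertion(credentials, requested_rp_id, client_data)
    if assertion is None:
        return False, "no credential scoped to " + requested_rp_id
    return rp_verify(assertion, challenge, EXPECTED_ORIGIN, RP_ID)


# Constructed: one key registered with the real RP ID.
SAMPLE_CREDENTIALS = {RP_ID: "cred-0001"}


if __name__ == "__main__":
    ch = "challenge-from-real-rp"
    print(attempt_login(EXPECTED_ORIGIN, RP_ID, ch, SAMPLE_CREDENTIALS))
    print(attempt_login(PHISHING_ORIGIN, RP_ID, ch, SAMPLE_CREDENTIALS))
    print(attempt_login(PHISHING_ORIGIN, "login-portal.example", ch, SAMPLE_CREDENTIALS))
```

The contrast with TOTP and push is that those factors produce a value the user can hand to any page, while a WebAuthn assertion is produced only for the domain the browser is actually on and is rejected by the relying party if that domain is not its own.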
Is Your Remote Work Infrastructure Visible?
APT28's SOHO router pivot works because organizations have no visibility into the network layer below the endpoint. RedEye Security can assess your remote work attack surface and recommend controls that defend against network-layer credential theft.