
Fancy Bear, aka APT28, a group attributed to Russian military intelligence (GRU), is breaking into home and office routers across the United Kingdom to steal passwords and other secrets, the country’s National Cyber Security Centre (NCSC) has warned.
- Russian military hackers (Fancy Bear/APT28) compromised TP-Link routers across the UK and globally by exploiting vulnerabilities and changing DNS settings.
- Victims were redirected to fake websites controlled by the attackers, where they unknowingly entered their real passwords and credentials for services like Outlook.
- Over 200 organizations and 5,000 devices affected according to Microsoft, with UK, German, and US cybersecurity agencies issuing warnings and mitigation advice.
- TP-Link routers are primary targets: at least 23 TP-Link router models have been exploited, with the full scope likely much larger. The widespread use of TP-Link devices globally makes them an attractive target for sophisticated state-sponsored hackers.
According to NCSC, Fancy Bear has been exploiting vulnerabilities in small and home office (SOHO) routers and changing their DNS server settings to redirect victims to websites it controls.
Because devices such as laptops and smartphones inherit the router's DNS settings, changing them exposes every device on the network to malicious connections.
“Resulting malicious DNS resolutions enable adversary-in-the-middle (AitM) attacks that harvest passwords, OAuth tokens, and other credentials for web and email-related services,” NCSC said in a news release.
“This puts organizations at risk of credential theft, data manipulation, and broader compromise.”
The DNS hijacking operations are believed to be opportunistic in nature, with the actor targeting a wide pool of victims and then likely filtering down for users of potential intelligence value at each stage of the exploitation chain, the NCSC added.
Typically, Fancy Bear reroutes victims searching for commonly visited and popular services, such as Outlook, to websites it controls. Users are served, say, an Outlook copycat page where they enter their legitimate credentials to access the service.
According to Lukasz Olejnik, an independent cybersecurity researcher, the technique used by Fancy Bear is elegant and simple.
“They compromise the router, rewrite its DNS settings, and every device connected to it – laptops, phones – start resolving website addresses through attacker-controlled servers. Type in outlook/./com, land on a lookalike. Enter your password. Gone with the wind,” he said.
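The mechanism described above can be checked for from the client side. The following is an added example, not code from the NCSC advisory or from the article, and it makes two assumptions: an organisation-specific allowlist of approved public resolvers (the hypothetical APPROVED_RESOLVERS set) and constructed sample data (a resolv.conf as a DHCP client would write it, plus DNS answers for made-up `.example` names, using documentation address ranges as placeholders). It audits the resolvers a host was handed by the router and then compares the answers those resolvers give for high-value names against answers obtained from an independent trusted resolver, which is the check that catches a router that still advertises its own private address but forwards queries to an attacker.

```python
"""Client-side check for router DNS hijacking.

Added example, not from the NCSC advisory or the article. Two checks a
defender can run on a host behind a SOHO router:

1. Resolver audit: nameservers the host received (parsed from
   resolv.conf-style text, as handed out by the router over DHCP) must be
   on the local network or on an explicit allowlist.
2. Answer comparison: addresses returned by the configured resolver for
   high-value domains must overlap with answers from an independent,
   trusted resolver. A hijacked router can keep advertising its own
   private address as the resolver and forward queries upstream to an
   attacker, so check 1 alone is not sufficient.

All inputs below are constructed samples; APPROVED_RESOLVERS is a
hypothetical allowlist.
"""
import ipaddress
import re
import socket

# Hypothetical allowlist of public resolvers an organisation has approved.
APPROVED_RESOLVERS = {"9.9.9.9", "1.1.1.1"}

# Address ranges that are expected to appear as a resolver on a LAN.
# Explicit list rather than ipaddress.is_private, which also treats the
# documentation ranges used in the samples below as "private".
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]

# Constructed resolv.conf as a DHCP client might have written it.
SAMPLE_RESOLV_CONF = """# Generated by dhcpcd (constructed sample)
search home.lan
nameserver 192.168.0.1
nameserver 203.0.113.77
"""

# Constructed answers: what the router's resolver returned versus what a
# trusted out-of-band resolver returned for the same names.
CONFIGURED_ANSWERS = {
    "outlook.example": {"203.0.113.5"},  # attacker-controlled lookalike
    "mail.example": {"198.51.100.20"},
}
TRUSTED_ANSWERS = {
    "outlook.example": {"198.51.100.10", "198.51.100.11"},
    "mail.example": {"198.51.100.20"},
}

_NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return nameserver addresses in the order they appear."""
    return _NAMESERVER_RE.findall(resolv_conf)


def check_resolvers(nameservers, approved=APPROVED_RESOLVERS) -> list[str]:
    """Flag resolvers that are neither on the local network nor approved."""
    findings = []
    for ns in nameservers:
        try:
            ip = ipaddress.ip_address(ns)
        except ValueError:
            findings.append(f"unparseable nameserver entry: {ns!r}")
            continue
        if any(ip in net for net in LOCAL_NETWORKS) or str(ip) in approved:
            continue
        findings.append(f"unexpected public resolver: {ip}")
    return findings


def compare_answers(configured, trusted) -> list[str]:
    """Domains whose configured-resolver answers share no address with the
    trusted resolver's answers (the redirect pattern the advisory describes)."""
    mismatches = []
    for domain, good in trusted.items():
        seen = configured.get(domain)
        if seen is not None and seen.isdisjoint(good):
            mismatches.append(domain)
    return mismatches


def resolve_via_system(domain: str) -> set[str]:
    """Live helper: answers from the host's configured resolver. Not used by
    the offline demo; needs network access."""
    return {info[4][0] for info in socket.getaddrinfo(domain, None)}


def audit(resolv_conf, configured, trusted, approved=APPROVED_RESOLVERS):
    """Combine both checks into one report."""
    nameservers = parse_nameservers(resolv_conf)
    return {
        "nameservers": nameservers,
        "resolver_findings": check_resolvers(nameservers, approved),
        "hijacked_domains": compare_answers(configured, trusted),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_RESOLV_CONF, CONFIGURED_ANSWERS, TRUSTED_ANSWERS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In practice the trusted answers would come from a resolver reached outside the router's control (for example DNS over HTTPS pinned to a known provider), and `resolve_via_system` would supply the configured-resolver side; the audit should be scheduled rather than run once, since the advisory describes the redirect as intermittent and targeted.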
It looks like TP-Link routers – made in China – are attacked most often. NCSC names as many as 23 different TP-Link router models targeted by Fancy Bear, and adds that the list probably isn’t full.
TP-Link routers are popular worldwide, but top US federal agencies are backing a proposal to ban future sales of the devices due to alleged influence from Beijing.
Earlier last year, the US Cybersecurity and Infrastructure Security Agency said that hackers were actively exploiting vulnerabilities in TP-Link routers.
“This activity demonstrates how exploited vulnerabilities in widely used network devices can be leveraged by sophisticated hostile actors,” said Paul Chichester, NCSC Director of Operations.
“We strongly encourage organizations and network defenders to familiarise themselves with the techniques described in the advisory and to follow the mitigation advice.”
Organizations are urged to strengthen the protection of system management interfaces, ensure devices and software are maintained and up to date, and set up two-factor verification.
Germany’s domestic intelligence agency has also warned of cyberattacks by the Russian state-linked hacker group APT28, saying it had compromised vulnerable TP-Link routers to spy on military, government and critical infrastructure targets.
Microsoft Threat Intelligence said it has identified over 200 organizations and 5,000 consumer devices impacted by Fancy Bear's malicious DNS infrastructure so far.
The Federal Office for the Protection of the Constitution (BfV) said the warning was issued with partners including Germany's foreign intelligence agency, BND, and the FBI.
The group attacked several thousand routers globally, the BfV said, including around 30 vulnerable devices in Germany. In some cases, compromise was confirmed, prompting operators to replace affected routers.
Microsoft has also commented on the most recent attacks, explaining that Fancy Bear was likely attempting to compromise routers at organizations upstream of large targets as a way of gaining access to enterprise environments.