200 orgs and 5,000 devices compromised so far in Vlad's latest intelligence grab, Microsoft reckons
The UK's National Cyber Security Centre (NCSC) has issued a fresh warning about Russia's ongoing targeting of routers to steal passwords and other secrets.
In many cases, altering these DNS settings also causes downstream devices, such as laptops and smartphones, to inherit them, exposing those devices to malicious connections.
Fancy Bear typically reroutes victims searching for commonly visited services such as Outlook to websites under its control.
Victims are instead served an Outlook copycat page, into which they unwittingly enter their legitimate credentials to access the service.
TP-Link routers were name-dropped specifically, although Cisco routers were previously caught up in the same activity, which the NCSC has monitored since 2021.
A separate cluster of similar activity targeted MikroTik routers.
The NCSC believes many of these were located in Ukraine, and compromising them would allow Russia to gather data with military intelligence value.
Although the DNS hijacking activity has been ongoing for years and was carried out by sophisticated threat actors, the NCSC said it was likely opportunistic rather than singling out high-value individuals for targeting.
Paul Chichester, director of operations at the NCSC, said: "This activity demonstrates how exploited vulnerabilities in widely used network devices can be leveraged by sophisticated hostile actors.
"We strongly encourage organizations and network defenders to familiarise themselves with the techniques described in the advisory and to follow the mitigation advice.
"The NCSC will continue to expose Russian malicious cyber activity and provide practical guidance to help protect UK networks."
Microsoft also published its own report on the attacks, adding that APT28 (Forest Blizzard in Redmond nomenclature) was likely hoping to compromise routers at organizations upstream of large targets.
Doing so could give the group access to enterprise environments and a trove of other sensitive data.
It stated: "Microsoft Threat Intelligence has identified over 200 organizations and 5,000 consumer devices impacted by Forest Blizzard's malicious DNS infrastructure; telemetry did not indicate compromise of Microsoft-owned assets or services."
Microsoft went on to say that APT28 could also use successful attacks for other purposes, such as DDoS attacks and deploying malware.
One of the NCSC's earlier advisories, dated April 2023, noted that similar attacks on Cisco routers resulted in APT28 deploying Jaguar Tooth malware, establishing backdoors for follow-on attacks.
Source: This article was originally published by The Register