APT28, a Russian cyber actor, has been exploiting routers to redirect DNS traffic through attacker-controlled servers, facilitating adversary-in-the-middle attacks. This method enables the theft of sensitive credentials such as passwords and OAuth tokens, posing significant risks to organizations. The activity involves modifying DHCP/DNS settings on compromised devices, primarily small office/home office routers, so that client traffic is routed through malicious servers.
APT28's operations appear opportunistic, initially targeting a broad range of victims before narrowing down to those of potential intelligence interest. Mitigation strategies include updating management interfaces, using multi-factor authentication, and maintaining up-to-date systems to protect against these tactics.
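The two paragraphs above describe the tampering (a router's DHCP-advertised DNS servers or forwarder pointed at an attacker-controlled resolver) but not how a defender would notice it. The following is an added example, not code from the page or from any vendor report it summarizes: it checks constructed DHCP records against a hypothetical approved-resolver set and compares constructed answer sets from the locally configured resolver with a trusted reference resolver. The record format, the site names, the approved resolver addresses and the sample answers are all assumptions made up for the example; no real lookups are performed.

```python
"""
Defensive check for DNS-redirect tampering on SOHO/branch routers.

Two signals are evaluated:
1. DHCP-advertised DNS servers (DHCP option 6) outside the approved or private
   address space.
2. Divergent answers for sensitive hostnames between the locally configured
   resolver and a trusted reference resolver.

All inputs are constructed sample data, not real captures.
"""
from ipaddress import ip_address, ip_network

# Hypothetical approved resolver set for the organisation (assumption).
APPROVED_RESOLVERS = {ip_address("10.0.0.53"), ip_address("10.0.1.53")}

# A router advertising itself (e.g. 192.168.1.1) as the forwarder is normal,
# so RFC 1918 space is treated as local rather than unapproved.
PRIVATE_RANGES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                  ip_network("192.168.0.0/16")]


def parse_dhcp_records(lines):
    """Parse 'site=<name> router=<ip> dns=<ip>[,<ip>...]' records (constructed format)."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = dict(part.split("=", 1) for part in line.split())
        records.append({
            "site": fields["site"],
            "router": ip_address(fields["router"]),
            "dns": [ip_address(x) for x in fields["dns"].split(",")],
        })
    return records


def is_private(ip):
    """True when the address falls in an RFC 1918 range."""
    return any(ip in net for net in PRIVATE_RANGES)


def find_unapproved_resolvers(records):
    """Return (site, resolver) pairs where option 6 points outside approved/private space."""
    findings = []
    for rec in records:
        for dns in rec["dns"]:
            if dns in APPROVED_RESOLVERS or is_private(dns):
                continue
            findings.append((rec["site"], str(dns)))
    return findings


def find_answer_divergence(local_answers, reference_answers):
    """
    Flag hostnames whose answer set from the local resolver shares no address
    with the trusted reference. Partial overlap is tolerated because
    CDN-backed names legitimately rotate between several addresses.
    """
    flagged = []
    for host, ref in reference_answers.items():
        local = local_answers.get(host, set())
        if local and ref and local.isdisjoint(ref):
            flagged.append(host)
    return sorted(flagged)


# Constructed sample: one clean site, one where option 6 was changed to an
# address in TEST-NET-3 (203.0.113.0/24), standing in for an attacker resolver.
SAMPLE_DHCP = """
site=branch-01 router=192.168.1.1 dns=192.168.1.1,10.0.0.53
site=branch-02 router=192.168.1.1 dns=203.0.113.7
""".splitlines()

# Constructed answer sets (documentation ranges only; no real resolution done).
SAMPLE_LOCAL = {
    "login.example.com": {"203.0.113.9"},
    "mail.example.com": {"198.51.100.20", "198.51.100.21"},
}
SAMPLE_REFERENCE = {
    "login.example.com": {"198.51.100.10"},
    "mail.example.com": {"198.51.100.21"},
}


def run_checks():
    """Run both checks over the constructed samples and return the findings."""
    return {
        "unapproved_resolvers": find_unapproved_resolvers(parse_dhcp_records(SAMPLE_DHCP)),
        "diverged_hosts": find_answer_divergence(SAMPLE_LOCAL, SAMPLE_REFERENCE),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

In a real deployment the DHCP records would come from the routers' own configuration exports or from a DHCP probe on each segment, and the reference answers from a resolver reached over an authenticated channel (for example DNS over TLS to a known server) so that the comparison itself cannot be redirected by the same tampering.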