We recently analyzed a series of anomalous DNS resolution patterns originating from a Small Office/Home Office (SOHO) environment that utilized a MikroTik RB951G-2HnD router. The traffic patterns indicated that despite the router being configured to use 1.1.1.1 (Cloudflare) for resolution, a significant portion of outbound UDP/53 traffic was being redirected to an IP address previously associated with APT28 infrastructure. This was not a simple local malware infection; it was a sophisticated DNS hijacking maneuver targeting the gateway itself.
Understanding APT28 and the Threat of DNS Hijacking
Who is APT28? (Fancy Bear / Pawn Storm)
APT28, also known as Fancy Bear, Pawn Storm, or Strontium, is a cyber-espionage group attributed by multiple intelligence agencies to the Russian General Staff Main Intelligence Directorate (GRU) Unit 26165. We have tracked their activities for over a decade, observing a consistent focus on government, military, and diplomatic entities. Unlike financially motivated actors, APT28 prioritizes strategic intelligence gathering and geopolitical influence.
In the context of SOHO infrastructure, APT28 views these environments as the "soft underbelly" of the enterprise. Employees working from home often use hardware that lacks the rigorous patching cycles of corporate data centers. By compromising a home router, APT28 gains a persistent foothold that bypasses corporate VPNs if those VPNs are not configured for "Full Tunnel" mode with strict DNS enforcement.
Defining DNS Hijacking in the Context of State-Sponsored Cyber Espionage
DNS hijacking involves the unauthorized redirection of DNS queries to a rogue DNS server controlled by the attacker. In state-sponsored campaigns, this is rarely about injecting ads. Instead, APT28 uses it to facilitate Man-in-the-Middle (MitM) attacks. By controlling the DNS response, they can point outlook.office365.com or a government portal to a pixel-perfect phishing clone, capturing credentials in real-time before the user is redirected to the actual service.
Why APT28 Favors DNS Redirection Over Traditional Malware
We observed that APT28 increasingly favors infrastructure-level attacks over traditional file-based malware for several reasons:
- Stealth: DNS redirection leaves no footprint on the endpoint's disk. Traditional EDR (Endpoint Detection and Response) tools may not flag a legitimate browser connecting to a "legitimate" IP address if the DNS resolution was compromised at the network layer.
- Persistence: If an attacker modifies the DNS settings on a SOHO router, the compromise survives OS reinstalls and mobile device wipes.
- Scale: A single compromised router can impact every device in the household, from corporate laptops to personal smartphones and IoT devices.
The Mechanics of an APT28 DNS Hijacking Campaign
Initial Access: Credential Harvesting and Phishing
The campaign often begins with targeted phishing. We have seen APT28 use "expiring password" lures that lead to a fake OWA (Outlook Web App) login page. Their more technical approach involves scanning for exposed management interfaces of SOHO routers. In many Indian SOHO setups, Local Cable Operators (LCOs) deploy GPON/ONT devices with default credentials such as admin/admin or admin/password, which automated scanners exploit as a matter of routine.
Compromising Domain Registrars and Managed DNS Providers
A more sophisticated tactic is to compromise administrative accounts at domain registrars or managed DNS providers. With registrar access, the attacker can change the Name Server (NS) delegation or glue records for an entire domain. The 2019 DNS hijacking wave that prompted CISA Emergency Directive 19-01 showed this pattern: government domains had their NS records pointed at attacker-controlled VPS instances for short windows, long enough to obtain TLS certificates through ACME (Let's Encrypt) DNS challenges before the records were restored. Public attribution for that wave points to other state-sponsored actors rather than APT28, but the technique is actor-agnostic and is the registrar-level counterpart of the router hijack described above.
Manipulating A-Records and Name Server (NS) Settings
Once the attacker controls the DNS answers, either through the router or the registrar, they manipulate A records. For example, they might target a subdomain used for VPN authentication: pointing vpn.agency.gov.in at a rogue IP lets them receive the client's initial IKE/authentication traffic. We used the following commands to compare the router's answer against a known clean resolver:
$ dig +short @8.8.8.8 vpn.target-agency.gov.in
$ dig +short @[Router_IP] vpn.target-agency.gov.in
If the results differ, check the ASN and reverse DNS of the second answer before drawing conclusions: CDN and GeoDNS deployments legitimately return different addresses to different resolvers, so a mismatch alone is not proof. A second answer that resolves to a high-risk ASN (for example a known bulletproof hoster) while the clean resolver returns the organisation's own address space is strong evidence of hijacking.
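As an added example (our illustration for this article, not a tool from the investigation), the following Python script does what the two dig commands do, using only the standard library so it runs on a locked-down analyst host without dnspython. It builds the query, parses the reply including compression pointers and the DNSSEC AD flag, and classifies the difference between the two resolvers' answers so that a CDN "overlap" is not reported as a hijack. The hostname and resolver addresses in the usage line are placeholders you supply.

```python
"""Compare one name's A answers from two resolvers using raw DNS (stdlib only).

Added example for this article, not the authors' tooling. Resolver addresses
and the hostname are supplied by you on the command line.
"""
import random
import socket
import struct
from typing import Optional, Tuple

QTYPE_A, QTYPE_AAAA, QCLASS_IN = 1, 28, 1


def build_query(name: str, qtype: int = QTYPE_A, txid: Optional[int] = None) -> bytes:
    """Encode a one-question DNS query with the RD bit set (RFC 1035 section 4.1)."""
    if txid is None:
        txid = random.randrange(0x10000)          # random ID: basic anti-spoofing
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def _read_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            return ".".join(labels), (end if jumped else offset + 1)
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_response(data: bytes) -> dict:
    """Return header flags and the answer section: [(name, type, ttl, rdata), ...]."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    offset = 12
    for _ in range(qd):                           # skip echoed question(s)
        _, offset = _read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = _read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        elif rtype == QTYPE_AAAA and rdlen == 16:
            rdata = socket.inet_ntop(socket.AF_INET6, rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0xF, "aa": bool(flags & 0x0400),
            "ad": bool(flags & 0x0020),           # set only by a validating (DNSSEC) resolver
            "answers": answers}


def query(resolver: str, name: str, timeout: float = 2.0) -> dict:
    """Ask one resolver over UDP/53 (needs network); reject replies with a wrong ID."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction ID mismatch: possible spoofed reply")
    return resp


def compare(trusted: dict, local: dict) -> str:
    """'match', 'overlap' (CDN/GeoDNS rotation is common, not proof of tampering)
    or 'disjoint' (no address in common: check the ASN of the local answers)."""
    t = {a[3] for a in trusted["answers"] if a[1] == QTYPE_A}
    l = {a[3] for a in local["answers"] if a[1] == QTYPE_A}
    return "match" if t == l else ("overlap" if t & l else "disjoint")


if __name__ == "__main__":
    import sys
    name, trusted_ip, local_ip = sys.argv[1:4]    # e.g. vpn.example.gov.in 8.8.8.8 192.168.88.1
    t, l = query(trusted_ip, name), query(local_ip, name)
    print("trusted:", [a[3] for a in t["answers"]], "(AD)" if t["ad"] else "")
    print("local:  ", [a[3] for a in l["answers"]], "(AD)" if l["ad"] else "")
    print("verdict:", compare(t, l))
```

Run it as `python3 dnscmp.py vpn.example.gov.in 8.8.8.8 192.168.88.1` (placeholder names). A "disjoint" verdict means the local resolver returned no address the clean resolver knows about; look up the ASN of those addresses before escalating, and note that the AD flag will only ever be set by a resolver that validates DNSSEC.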
The Role of Rogue SSL/TLS Certificates in Traffic Interception
To avoid browser warnings, APT28 obtains a publicly trusted certificate for the hijacked name rather than using a self-signed one. The DNS-01 challenge type requires a specific TXT record at _acme-challenge.<domain>, and a CA such as Let's Encrypt or ZeroSSL checks that record against the domain's authoritative name servers. This is why the two hijack paths differ in impact: a poisoned SOHO router cannot pass DNS-01, because the CA never asks the victim's resolver, whereas control of the zone at the registrar or DNS provider can, and the resulting certificate makes the MitM session indistinguishable from a legitimate one for the end user. CAA records (RFC 8659) constrain which CAs may issue, but an attacker who controls the zone can remove them as well, so Certificate Transparency monitoring remains the detective control.
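To make the dependence on zone control concrete, here is an added example (ours, not code from Let's Encrypt, ZeroSSL or any ACME client) that implements the DNS-01 computation on the client side and the validation on the CA side, including the CAA check. The account key is the public example P-256 key from RFC 7515 appendix A.3, the token is the one used in the RFC 8555 examples, and the zone contents, domain names and CA identifiers are constructed.

```python
"""ACME DNS-01 (RFC 8555 section 8.4) from both sides, plus the CAA check (RFC 8659).

Added example for this article; it is not code from any CA or ACME client.
The account key is a public RFC example key; token, zone contents and CA
identifiers are constructed.
"""
import base64
import hashlib
import json
from typing import Dict, List

Zone = Dict[str, Dict[str, List[str]]]   # {owner name: {rrtype: [rdata, ...]}}


def b64url(raw: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses everywhere (RFC 7515)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: SHA-256 over the required members only, lexically sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: Dict[str, str]) -> str:
    """Client side: the TXT value to publish at _acme-challenge.<name>.

    key_authorization = token || '.' || thumbprint(account key)   (RFC 8555 8.1)
    TXT rdata         = base64url(SHA-256(key_authorization))     (RFC 8555 8.4)
    """
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def caa_permits(zone: Zone, name: str, ca_id: str) -> bool:
    """RFC 8659: use the CAA set of the closest ancestor that has one; none means anyone may issue."""
    labels = name.split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), {}).get("CAA")
        if rrset:
            issuers = set()
            for rr in rrset:                  # rdata is '<flags> <tag> "<value>"'
                _flags, tag, value = rr.split(" ", 2)
                if tag == "issue":
                    issuers.add(value.strip('"').split(";")[0].strip())
            return ca_id in issuers          # '0 issue ";"' yields {''}: issuance forbidden
    return True


def ca_validate_dns01(zone: Zone, name: str, token: str, account_jwk: Dict[str, str], ca_id: str) -> str:
    """CA side. The CA queries the AUTHORITATIVE zone, never the requester's resolver,
    which is why a hijacked SOHO router cannot pass this check but zone control can."""
    if not caa_permits(zone, name, ca_id):
        return "refused: CAA"
    expected = dns01_txt_value(token, account_jwk)
    published = zone.get(f"_acme-challenge.{name}", {}).get("TXT", [])
    return "valid" if expected in published else "invalid: TXT mismatch"


# Constructed data. The EC public key is the example key from RFC 7515 appendix A.3 (public, not secret).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"   # token value from the RFC 8555 examples
NAME = "vpn.agency.example"                              # constructed hostname


def legitimate_zone() -> Zone:
    """The owner's zone: CAA pins issuance to one CA and the owner's client published its TXT."""
    return {"agency.example": {"CAA": ['0 issue "letsencrypt.org"']},
            f"_acme-challenge.{NAME}": {"TXT": [dns01_txt_value(TOKEN, ACCOUNT_JWK)]}}


def hijacked_zone(attacker_jwk: Dict[str, str], attacker_token: str) -> Zone:
    """Zone after a registrar/NS takeover: CAA removed, attacker's own TXT published."""
    return {f"_acme-challenge.{NAME}": {"TXT": [dns01_txt_value(attacker_token, attacker_jwk)]}}


if __name__ == "__main__":
    print("owner, pinned CA   :", ca_validate_dns01(legitimate_zone(), NAME, TOKEN, ACCOUNT_JWK, "letsencrypt.org"))
    print("owner, other CA    :", ca_validate_dns01(legitimate_zone(), NAME, TOKEN, ACCOUNT_JWK, "zerossl.com"))
    atk = dict(ACCOUNT_JWK, x="AAAA" + ACCOUNT_JWK["x"][4:])   # a different (constructed) account key
    print("attacker-owned zone:", ca_validate_dns01(hijacked_zone(atk, "attacker-token"), NAME, "attacker-token", atk, "zerossl.com"))
```

The third case is the one that matters for this article: once the attacker's name servers are authoritative, the CAA record that protected the owner is simply absent, the attacker's own TXT value is present, and issuance succeeds at any CA. Nothing on the victim's LAN is consulted at any point, so the only place this shows up is the CT log entry for the new certificate.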
Strategic Objectives: Why APT28 Targets DNS Infrastructure
Man-in-the-Middle (MitM) Attacks for Data Exfiltration
The primary goal is interception. Once the DNS is hijacked, the attacker sits between the user and the destination. We have seen them use tools like bettercap or custom proxies on their rogue servers to strip STARTTLS from mail connections or downgrade HTTPS to HTTP where possible, though the latter is increasingly difficult with HSTS (HTTP Strict Transport Security).
Intercepting Government and Diplomatic Communications
In the Indian context, we have noted APT28's interest in entities involved in national security and infrastructure. By hijacking DNS for nic.in subdomains, they can potentially intercept sensitive diplomatic cables or internal communications. This is particularly relevant given the DPDP Act 2023, which mandates reasonable security safeguards; a DNS hijack represents a catastrophic failure of those safeguards, exposing the data fiduciary to penalties under Section 33 of the Act that, per its Schedule, can reach ₹250 crore for a failure to take reasonable security safeguards.
Bypassing Traditional Perimeter Defenses
Most firewalls allow outbound UDP/53. Beyond hijacking resolution, attackers exploit this to tunnel data through DNS queries (DNS exfiltration, a DNS command-and-control channel in MITRE ATT&CK terms, T1071.004): stolen data is encoded into the subdomains of queries that only the attacker's authoritative server will ever see, and that server reassembles the chunks. This is a separate technique from hijacking, but a compromised router that already forwards every query to attacker infrastructure makes it trivial. We monitored this behaviour using tshark to look at the length and frequency of query names (expect some false positives from CDNs, DKIM and anti-spam lookups, and DNS-based telemetry):
# Monitoring for unusually long DNS queries (potential exfiltration)
tshark -i eth0 -f "udp port 53" -T fields -e dns.qry.name | awk 'length($0) > 50'
Long-term Persistence and Stealthy Reconnaissance
DNS hijacking allows APT28 to perform "Passive Reconnaissance." By simply observing the DNS queries coming from a SOHO network, they can map out the software stack of the target: what antivirus they use, what cloud services they frequent, and what internal hostnames they attempt to resolve. This metadata is invaluable for planning secondary stages of an attack.
Historical Case Studies of APT28 DNS Attacks
Targeting Middle Eastern and European Government Agencies
Historically, APT28 has targeted the Ministries of Foreign Affairs (MFA) in multiple European countries. In these incidents, the attackers did not compromise the MFA networks directly. Instead, they compromised the DNS providers used by the MFAs, allowing them to redirect webmail traffic. This demonstrated that even a perfectly secured internal network is vulnerable if the external DNS chain is weak.
The Impact on International Organizations and NGOs
Organizations like the WADA (World Anti-Doping Agency) and various NGOs have been targeted during sensitive geopolitical events. In these cases, DNS hijacking was used to redirect users to credential-harvesting sites to steal internal reports. The stealthy nature of these attacks meant they often went undetected for months.
Lessons Learned from Past DNS Redirection Incidents
The key takeaway from these incidents is that DNS was designed as a trust-based protocol with no authentication of answers, and the shift toward DNSSEC (DNS Security Extensions) has been slow; APT28 exploits this lag. Because a delegation change made at a registrar is invisible from inside the victim's network, external monitoring of passive DNS (pDNS) and Certificate Transparency logs is how such changes get caught in practice, ideally alongside a registry lock that prevents the change in the first place.
How to Detect APT28 DNS Tampering
Monitoring Passive DNS (pDNS) for Anomalous Changes
We recommend using pDNS services such as SecurityTrails or PassiveTotal to monitor your domains. If you see an A record change to an IP address in a country where you have no business operations, it should trigger an immediate investigation. For local detection, we use tcpdump to show DNS traffic to or from any host other than our expected resolvers (the approved public resolvers and the gateway); note that encrypted DNS on 853 or 443 is not covered by this filter:
# Identify DNS traffic not going to authorized resolvers
tcpdump -i any -nn port 53 and not host 8.8.8.8 and not host 1.1.1.1 and not host 192.168.1.1
Auditing WHOIS Information and Name Server Records
Regularly audit your WHOIS/RDAP data. Attackers who gain registrar access sometimes change the administrative contact to an address they control so that future password resets and transfer approvals go to them. Many registries, including the .in registry, redact contact details in the public record, so the authoritative check is the contact list inside your registrar account itself; the public record still shows name server and update-date changes. We use the following CLI check for a quick audit:
$ whois target-agency.gov.in | grep -E "Name Server|Admin Email|Updated Date"
Identifying Unauthorized SSL Certificate Issuance (CT Logs)
Certificate Transparency (CT) logs are a goldmine for detection. If a certificate is issued for your domain by a CA (Certificate Authority) you don't use, it is a strong indicator that someone has successfully hijacked your DNS to pass a challenge. Tools like crt.sh or Facebook’s CT Monitoring tool can automate this. We can also check a specific IP for an unauthorized DoT (DNS-over-TLS) listener, which APT28 sometimes uses for encrypted C2:
openssl s_client -connect [Suspicious_DNS_IP]:853 -showcerts
Analyzing Traffic Latency and Unexpected Routing Paths
DNS hijacking can sometimes introduce latency. If a query that usually takes 20ms suddenly takes 150ms, the traffic might be being routed through a transparent proxy in a different geographic region. We use mtr (My Traceroute) to see the path of DNS packets:
$ mtr --udp -P 53 -c 10 8.8.8.8
Mitigation and Defense Best Practices
Implementing DNS Security Extensions (DNSSEC)
DNSSEC adds digital signatures to DNS records so that a validating resolver can verify that the data came from the zone owner and was not altered in transit. It does not encrypt the traffic, and it has two limits that matter here. First, it only protects clients whose resolver actually validates: a hijacked router that points clients at an attacker's resolver simply returns unsigned forged answers, and a non-validating stub accepts them, so endpoints need either a validating stub or a trusted validating resolver. Second, it does not help against a registrar compromise, because the attacker can replace the DS record along with the NS delegation. In India, NIXI (National Internet Exchange of India) supports DNSSEC for .in domains through its accredited registrars. We strongly advise enabling it for all government and corporate domains, combined with a registry lock.
Enabling Registry Locks to Prevent Unauthorized Domain Changes
A "Registry Lock" is a manual process at the registrar level that requires out-of-band verification (like a phone call or a physical token) before any changes can be made to the domain's NS records. This is the single most effective defense against the high-level registrar compromises favored by APT28.
Enforcing Multi-Factor Authentication (MFA) for Registrar Accounts
Standard MFA is insufficient if it is SMS-based, because SMS codes can be intercepted through SIM swapping or SS7 interception and phished in real time. We mandate FIDO2/WebAuthn hardware keys (such as YubiKeys) for every account that can modify DNS settings, at the registrar, at the DNS provider and on the router itself. This prevents harvested credentials from turning into a full domain takeover.
Adopting Zero Trust Architecture for Network Traffic
In a Zero Trust model, we do not trust the network's DNS. We configure endpoints to use encrypted DNS protocols such as DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) directly to trusted providers, bypassing the SOHO router's settings entirely. Administrative access to the router itself should go over SSH with the host key pinned, so that a forged DNS answer cannot silently redirect a management session. On a Ubiquiti EdgeRouter, a class of device the February 2024 joint FBI/NSA/CISA advisory documents APT28 abusing, the resolver configuration can be pulled over SSH (the op-mode wrapper is needed because a non-interactive SSH session does not load the EdgeOS CLI):
ssh admin@router_ip '/opt/vyatta/bin/vyatta-op-cmd-wrapper show configuration commands' | grep -E 'name-server|dns-server'
This lists the router's own upstream resolvers (system name-server), the forwarders it uses on behalf of LAN clients (service dns forwarding name-server) and the resolvers it hands out via DHCP (dns-server). Any address you did not configure and cannot match to your ISP's published resolvers should be treated as an indicator of compromise, and the device should be rebuilt from clean firmware rather than merely corrected.
Technical Deep Dive: SIEM Detection Logic
To detect APT28 tactics at scale, we utilize SIEM (Security Information and Event Management) rules. Specifically, we look for DNS queries to non-standard resolvers. Below is a Logstash filter configuration we developed to tag suspicious DNS traffic for further analysis in an ELK stack:
filter {
  # Field names follow this deployment's schema; with ECS use [destination][port] and [destination][ip].
  if [dest_port] == 53 {
    if [dest_ip] not in ["8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "192.168.1.1"] {
      mutate {
        add_tag   => ["DNS_HIJACK_SUSPECT"]
        # threat_actor is an analyst hypothesis the rule cannot establish on its own.
        # T1557 = Adversary-in-the-Middle; the attacker-side infrastructure is T1584.002 (DNS Server).
        add_field => { "threat_actor" => "APT28" "mitre_technique" => "T1557" }
      }
      ruby { code => "event.set('analysis_required', true)" }
    }
  }
}
This logic flags any outbound DNS traffic that bypasses our approved internal and external resolvers. Be aware of its blind spots: encrypted DNS (DoT on 853, DoH on 443) never matches on port 53, and a hijack implemented on the router itself, which still answers LAN clients on 192.168.1.1 but forwards upstream to the attacker, produces no flagged event at all; the upstream comparison with dig described earlier is what catches that case. In an Indian SME context, where employees use a variety of LCO-provided routers, this rule is still essential for identifying endpoints whose resolver settings have been changed.
Analyzing CVE-2018-14847: The MikroTik Gateway
Among the vulnerabilities that give actors like APT28 a foothold on SOHO gateways, CVE-2018-14847 in MikroTik RouterOS (documented in the NIST NVD) stands out. A directory traversal in the WinBox service allowed an unauthenticated attacker to read the user database (/flash/rw/store/user.dat) and recover the stored credentials, which are only weakly obfuscated. With administrative access, an attacker can rewrite the /ip dns settings so that every LAN client is served from their own resolvers. Exploitation was mass-scale in 2018 and we still see unpatched devices in Indian SOHO environments being targeted today.
# Checking MikroTik RouterOS version, configured resolvers, and whether WinBox is exposed
/system resource print
/ip dns print
/ip service print
If the version is older than 6.42.1 (or 6.40.8 on the long-term channel), the device is vulnerable; if WinBox (TCP/8291) was reachable from the internet while unpatched, assume it was compromised, and compare the servers shown by /ip dns print against what you configured.
CVE-2023-38831 and the 'OceanMap' Backdoor
More recently, APT28 has used a WinRAR vulnerability (CVE-2023-38831) to deploy the 'OceanMap' backdoor. The DNS-relevant behaviour described here is modification of the Windows DNS suffix search list: by adding a rogue suffix, an attacker can make unqualified, internal-sounding hostnames (such as fileserver) resolve to an attacker-controlled external IP. We monitor for these registry changes with Sysmon (Event ID 13, RegistryEvent value set) and verify on the host with PowerShell:
# PowerShell check for suspicious DNS suffixes: the effective search list and the registry value Sysmon would see change
Get-DnsClientGlobalSetting | Select-Object SuffixSearchList, UseSuffixSearchList
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" | Select-Object Domain, SearchList
Practical Steps for Indian SOHO Hardening
In India, the reliance on Local Cable Operators (LCOs) creates a unique risk profile. LCOs often provide ONT (Optical Network Terminal) devices from brands such as Syrotech, Netlink, or Genexis. These devices frequently have hardcoded ISP DNS settings that cannot be changed through the standard GUI, or they run end-of-life (EoL) firmware with known flaws of the kind exemplified by CVE-2021-20090, the Arcadyan path traversal that affected many OEM-branded routers.
- Bridge Mode: We recommend putting the LCO-provided ONT into "Bridge Mode" and using a modern, well-supported router (e.g., Ubiquiti, pfSense, or a higher-end ASUS) to handle the PPPoE session and DNS.
- Firmware Hygiene: Never assume an LCO-provided router is secure. Check for firmware updates manually on the manufacturer's website, as the ISP's "Auto-Update" feature in India is often non-functional.
- DNS over HTTPS (DoH): Enable DoH in all corporate browsers (Chrome/Edge/Firefox). The queries travel inside HTTPS to a provider you choose, so a compromised router cannot read or rewrite them without breaking the TLS session. The caveat is fallback: a router can block the DoH endpoint (or, for Firefox's default mode, answer NXDOMAIN for the use-application-dns.net canary domain) to push the browser back to plain DNS, so deploy the strict mode that refuses to fall back and push the setting through policy rather than relying on the default.
We also use tshark on captured traffic to list the most frequently queried names; a small set of names queried at a steady cadence can indicate a beaconing C2 channel:
tshark -r traffic.pcap -Y 'dns.flags.response == 0' -T fields -e dns.qry.name | sort | uniq -c | sort -nr | head -n 20
This command provides a top-20 list of queried names. Expect well-known SaaS names at the top; a strange, high-entropy domain (e.g. j9x2k4l1.xyz) appearing alongside api.github.com or outlook.office365.com warrants immediate investigation. Pull its pDNS and registration history and the ASN of its current answer before calling it a C2 channel.
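The two tshark one-liners in this article, the "length > 50" filter in the perimeter-bypass section and the top-20 frequency list above, are both heuristics over the same data, so one added Python script (ours, not the authors' tooling) covers both: it aggregates a query log per base domain and flags long names, many unique subdomains, high-entropy labels and timer-driven query cadence. The input format is assumed to be one query per line as '<epoch> <client_ip> <qname>', which is what tshark -T fields -e frame.time_epoch -e ip.src -e dns.qry.name emits; the sample lines are constructed and include a benign SaaS client, a chunked tunnel and a 60-second beacon.

```python
"""Score DNS query logs for tunnelling (long, unique, high-entropy labels under
one domain) and beaconing (one name queried at a steady cadence).

Added example, not the authors' tooling. Assumed input: one query per line as
'<epoch> <client_ip> <qname>'. The sample lines are constructed.
"""
import hashlib
import math
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Labels that commonly sit directly under a two-letter ccTLD (co.in, gov.in, ac.in ...).
# Crude stand-in for the Public Suffix List, which a real deployment should use instead.
_SECOND_LEVEL = {"co", "gov", "ac", "nic", "org", "net", "com", "edu", "res"}


def base_domain(qname: str) -> str:
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in _SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex sits near 4.0, English words around 2.5 to 3."""
    if not s:
        return 0.0
    return -sum(n / len(s) * math.log2(n / len(s)) for n in (s.count(c) for c in set(s)))


def parse_line(line: str) -> Tuple[float, str, str]:
    ts, client, qname = line.split()
    return float(ts), client, qname.rstrip(".").lower()


def score(lines: List[str], max_len: int = 60, min_unique: int = 20, entropy_thresh: float = 3.5,
          beacon_min: int = 8, beacon_jitter: float = 0.25) -> Dict[str, dict]:
    """Aggregate per base domain and attach the reasons each one was flagged (empty = clean)."""
    per = defaultdict(lambda: {"count": 0, "subs": set(), "longest": 0, "ent": [], "times": []})
    for line in lines:
        ts, _client, qname = parse_line(line)
        bd = base_domain(qname)
        sub = qname[:-len(bd)].rstrip(".") if qname != bd else ""
        rec = per[bd]
        rec["count"] += 1
        rec["subs"].add(sub)
        rec["longest"] = max(rec["longest"], len(qname))
        rec["times"].append(ts)
        if sub:
            rec["ent"].append(shannon_entropy(sub.replace(".", "")))
    report = {}
    for bd, rec in per.items():
        reasons = []
        if rec["longest"] > max_len:
            reasons.append("long-qname")                 # the awk 'length > 50' check, per domain
        if len(rec["subs"]) >= min_unique:
            reasons.append("many-unique-subdomains")     # every chunk needs a fresh, uncached name
        mean_ent = statistics.fmean(rec["ent"]) if rec["ent"] else 0.0
        if mean_ent > entropy_thresh and len(rec["subs"]) >= 5:
            reasons.append("high-entropy-labels")
        times = sorted(rec["times"])
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) >= beacon_min - 1:
            mean_gap = statistics.fmean(gaps)
            jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
            if jitter < beacon_jitter:                   # low relative spread = timer-driven
                reasons.append(f"beacon~{mean_gap:.0f}s")
        report[bd] = {"count": rec["count"], "unique": len(rec["subs"]), "longest": rec["longest"],
                      "entropy": round(mean_ent, 2), "reasons": reasons}
    return report


def constructed_sample() -> List[str]:
    """Constructed log: benign SaaS lookups, a bursty 25-chunk tunnel, and a 60 s beacon."""
    lines = [f"{1000 + 300 * i} 192.168.1.20 outlook.office365.com" for i in range(3)]
    lines += [f"{1100 + 500 * i} 192.168.1.20 api.github.com" for i in range(2)]
    for i in range(25):
        h = hashlib.sha256(f"chunk{i}".encode()).hexdigest()   # stands in for encoded stolen data
        lines.append(f"{1005 + 2 * i + 120 * (i // 5)} 192.168.1.20 {h[:32]}.{h[32:]}.t.exfil-example.net")
    lines += [f"{1000 + 60 * i} 192.168.1.31 j9x2k4l1.xyz" for i in range(10)]
    return lines


if __name__ == "__main__":
    for dom, rec in sorted(score(constructed_sample()).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{rec['count']:4d} {rec['unique']:4d} {rec['entropy']:5.2f} {dom:25s} {','.join(rec['reasons'])}")
```

Feed it real data with `tshark -r traffic.pcap -Y 'dns.flags.response == 0' -T fields -e frame.time_epoch -e ip.src -e dns.qry.name | python3 dnsscore.py` after replacing constructed_sample() with a read from stdin. The thresholds are starting points: CDN and mail-security lookups will trip the length and uniqueness checks on their own, so treat a domain as interesting when several reasons coincide, and run the same pDNS and ASN checks on it that you would on an unexpected A record.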
Finally, check whether the router answers recursive queries for anyone on its WAN interface, which would make it both a DNS amplification reflector and an easier target for hijacking; run this from outside the network against the public address:
nmap -sU -p 53 --script dns-recursion [Router_IP]
