Question of the Day
One question per day to look beyond the headlines.
Why do APT28 router DNS hijacks turn “TLS is safe” into a credential-harvesting advantage?
Take-away: a DNS hijack moves the attack below TLS. By controlling name→IP resolution, attackers proxy “valid” TLS sessions to steal OAuth tokens and credentials without any endpoint malware.
APT28, also known as Fancy Bear, achieves credential harvesting by exploiting vulnerabilities in home and small-office routers, which lets them hijack the routers' DNS settings. This redirects the victims' name resolution to attacker-controlled DNS servers, enabling Adversary-in-the-Middle (AiTM) attacks on TLS connections. Through these attacks APT28 intercepts OAuth tokens from Microsoft Office without installing malware on the endpoint, effectively turning a normally secure TLS session into an opportunity for credential theft. By manipulating DNS settings, they can redirect users to spoofed websites that harvest credentials even though the TLS layer itself is typically considered secure [1], [2], [3].
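Because the hijack happens at the resolver rather than at the endpoint, a defender can look for it from the network side. The following is an added example (not code from the original post or from any of the cited articles) showing two such checks: flagging resolver addresses the router hands out that are not on an expected allowlist, and comparing answers from the router-assigned resolver with answers from a trusted resolver. All addresses, hostnames and the allowlist are constructed sample values.

```python
from typing import Callable, Dict, Iterable, List, Set

# Constructed allowlist: resolvers this network is expected to use
# (a hypothetical ISP resolver plus one public resolver; adjust per environment).
EXPECTED_RESOLVERS: Set[str] = {"198.51.100.53", "1.1.1.1"}

# Constructed sample answers. The router-assigned resolver returns an address
# for the login host that the trusted path never returns, as a hijacked
# resolver steering users to an AiTM proxy would; the other host agrees.
LOCAL_ANSWERS: Dict[str, List[str]] = {
    "login.example.com": ["203.0.113.10"],
    "docs.example.com": ["192.0.2.20"],
}
TRUSTED_ANSWERS: Dict[str, List[str]] = {
    "login.example.com": ["192.0.2.10"],
    "docs.example.com": ["192.0.2.20"],
}


def unexpected_resolvers(router_dns: Iterable[str], expected: Set[str]) -> List[str]:
    """Return DNS server addresses the router advertises (e.g. via DHCP) that
    are not in the allowlist. A hijacked router typically points clients at an
    attacker-controlled resolver, or forwards to one upstream, so check the
    router's configured upstream servers, not just the DHCP option."""
    return [ip for ip in router_dns if ip not in expected]


def resolution_divergence(
    hostnames: Iterable[str],
    resolve_local: Callable[[str], List[str]],
    resolve_trusted: Callable[[str], List[str]],
) -> Dict[str, List[str]]:
    """Return hostnames whose local answers include addresses the trusted
    resolver never returns. Caveat: CDN/geo-DNS hosts legitimately differ by
    resolver, so treat a hit as a lead to corroborate (e.g. by inspecting the
    certificate chain the address presents), not as proof of hijack."""
    diverging: Dict[str, List[str]] = {}
    for host in hostnames:
        extra = set(resolve_local(host)) - set(resolve_trusted(host))
        if extra:
            diverging[host] = sorted(extra)
    return diverging


if __name__ == "__main__":
    print(unexpected_resolvers(["198.51.100.53", "203.0.113.53"], EXPECTED_RESOLVERS))
    print(resolution_divergence(LOCAL_ANSWERS, LOCAL_ANSWERS.get, TRUSTED_ANSWERS.get))
```

In a live deployment the two resolver callables would wrap real lookups (one via the router-assigned server, one via a resolver reached over an authenticated channel such as DoH/DoT) rather than the constructed dictionaries used here.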
- [1] Russia Hacked Routers to Steal Microsoft Office Tokens – Krebs on Security (krebsonsecurity.com)
- [2] Russian government hackers broke into thousands of home routers to steal passwords – TechCrunch (techcrunch.com)
- [3] Russia's APT28 behind latest wave of router, DNS attacks – The Register (theregister.com)