SOC Incident Toolkit
Forest Blizzard's DNS Hijacking Campaign: How APT28 Turned 18,000 Routers Into a Spy Network

Tags: Forest Blizzard, APT28, Fancy Bear, Storm-2754, GRU, DNS Hijacking, AiTM, OAuth, Token Theft, SOHO Router Compromise, TLS Interception, Cyberespionage, State-Sponsored

Russian military intelligence group Forest Blizzard (APT28) has been silently compromising over 18,000 SOHO routers — without deploying a single line of malware — by hijacking DNS settings to intercept Microsoft OAuth tokens and spy on governments, telecoms, and energy sectors worldwide. This campaign exposes a critical blind spot in enterprise security: the unmanaged home router sitting between your remote workforce and your cloud infrastructure.

Indicators of Compromise

Domains (5)

outlook.office.com
outlook.office365.com
imap-mail.outlook.com
autodiscover-s.outlook.com
outlook.live.com

Note: all five are legitimate Microsoft hostnames, not attacker infrastructure. They are listed because they are the names whose resolution the hijacked routers redirected to attacker-controlled addresses. Do not add them to a block list. Use them as hunting targets instead: check what the local (router-advertised) resolver returns for each name and whether that answer falls inside Microsoft's published address ranges.
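The check suggested above, as an added example that is not code from this page or from the NCSC advisory. It compares the router resolver's answers for the five hostnames with a trusted out-of-band resolver's answers and, more importantly, with an allowlist of expected address ranges. The range check is the decisive signal: CDN-fronted Microsoft names legitimately resolve differently from different vantage points (GeoDNS), so a raw mismatch between two resolvers is only a weak hint, whereas an answer outside Microsoft's published ranges is not explainable by GeoDNS. Everything here is constructed: the expected prefixes and all sample answers use RFC 5737 / RFC 3849 documentation space and stand in for Microsoft's real published ranges and for live `dig` output.

```python
"""Hunt for router-level DNS hijacking of the Microsoft hostnames listed above.

Added example, not code from the SOCRadar page or the NCSC advisory. Assumptions:
  - the router is the LAN's DHCP-advertised resolver, so its answers are what
    clients on that network actually use;
  - a trusted out-of-band resolver's answers are available for comparison;
  - EXPECTED_PREFIXES stands in for Microsoft's published service ranges and,
    like all sample data below, uses documentation address space.
In live use, populate the two views with answers from, for example,
  dig +short @<router-ip> outlook.office.com
  dig +short @<trusted-resolver> outlook.office.com
"""
import ipaddress

# The five hostnames from the IOC list: legitimate Microsoft names that the
# hijacked routers resolved to attacker-controlled addresses.
WATCHED_HOSTS = [
    "outlook.office.com",
    "outlook.office365.com",
    "imap-mail.outlook.com",
    "autodiscover-s.outlook.com",
    "outlook.live.com",
]

# Placeholder (assumed) ranges standing in for the address ranges Microsoft
# publishes for these services. Load the real list in production.
EXPECTED_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:100::/48"),
]

# Constructed sample data. The router answers two names with addresses outside
# the expected ranges (the hijack), one with an in-range address that merely
# differs from the trusted resolver (ordinary GeoDNS), and the rest consistently.
SAMPLE_ROUTER_VIEW = {
    "outlook.office.com": {"203.0.113.10"},
    "outlook.office365.com": {"203.0.113.10"},
    "imap-mail.outlook.com": {"198.51.100.30"},
    "autodiscover-s.outlook.com": {"198.51.100.40", "198.51.100.41"},
    "outlook.live.com": {"2001:db8:100::5"},
}
SAMPLE_TRUSTED_VIEW = {
    "outlook.office.com": {"198.51.100.20", "198.51.100.21"},
    "outlook.office365.com": {"198.51.100.20"},
    "imap-mail.outlook.com": {"198.51.100.20"},
    "autodiscover-s.outlook.com": {"198.51.100.41"},
    "outlook.live.com": {"2001:db8:100::5"},
}


def in_expected_range(address, prefixes=EXPECTED_PREFIXES):
    """True if the address lies inside any expected prefix (IPv4/IPv6 aware)."""
    ip = ipaddress.ip_address(address)
    # An IPv4 address is never "in" an IPv6 network and vice versa.
    return any(ip in prefix for prefix in prefixes)


def classify(router_answers, trusted_answers, prefixes=EXPECTED_PREFIXES):
    """Classify one hostname's resolution as seen from the router.

    'hijacked'     - router returned an address outside the expected ranges;
                     decisive, because GeoDNS cannot explain it.
    'inconclusive' - in-range answer sharing nothing with the trusted view;
                     usually GeoDNS, worth a second look but not an alert.
    'clean'        - in-range answer overlapping the trusted resolver's answer.
    'unresolved'   - router returned nothing (outage or selective NXDOMAIN).
    """
    if not router_answers:
        return "unresolved", "router resolver returned no answer"
    outside = sorted(a for a in router_answers if not in_expected_range(a, prefixes))
    if outside:
        return "hijacked", f"answer(s) outside expected ranges: {outside}"
    if router_answers.isdisjoint(trusted_answers):
        return "inconclusive", "in-range answer differs from trusted resolver"
    return "clean", "answer overlaps trusted resolver"


def hunt(router_view, trusted_view, hosts=WATCHED_HOSTS):
    """Map each watched host to its (verdict, detail) pair."""
    return {
        host: classify(router_view.get(host, set()), trusted_view.get(host, set()))
        for host in hosts
    }


def hijacked_hosts(router_view, trusted_view, hosts=WATCHED_HOSTS):
    """Hosts whose router-side answer lands outside the expected ranges."""
    results = hunt(router_view, trusted_view, hosts)
    return [h for h in hosts if results[h][0] == "hijacked"]


if __name__ == "__main__":
    for host, (verdict, detail) in hunt(SAMPLE_ROUTER_VIEW, SAMPLE_TRUSTED_VIEW).items():
        print(f"{verdict:<12} {host:<28} {detail}")
```

Run it from a host on the suspect LAN, feeding it the answers the DHCP-assigned resolver returns. Two things to record alongside the verdicts: the resolver address DHCP handed out (a hijacked router may push a third-party server rather than answer itself), and the answers for a few non-Microsoft names, which in this campaign resolved normally and therefore make a whole-resolver comparison look clean when it is not.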

APT Groups

APT 28

RU

Notes

CONCLUSION

Forest Blizzard's DNS hijacking campaign is not a story about sophisticated zero-days or novel malware. It is a story about patience, scale, and the exploitation of infrastructure that most organizations have forgotten exists. By silently compromising over 18,000 SOHO routers without deploying a single line of malicious code, Russia's GRU demonstrated that the most dangerous attacks do not always trigger an alert. They simply redirect your DNS and wait.

By compromising edge devices that sit upstream of larger targets, threat actors can take advantage of less closely monitored or managed assets to pivot into enterprise environments. This campaign impacted over 200 organizations and 5,000 consumer devices across the government, IT, telecommunications, and energy sectors worldwide. The implication is clear: your enterprise perimeter now starts at your remote employee's living room router.

What makes this campaign particularly alarming from a threat intelligence perspective is its evolution. After the NCSC's August 2025 report exposed an earlier, more targeted phase of the operation, Forest Blizzard did not retreat; it scaled. The day after that report was released, the group pivoted to a mass DNS poisoning approach, transforming a surgical tool into a global surveillance dragnet. This is the behavioral signature of a mature, state-backed actor with the resources and agility to adapt in real time.

For defenders, the lesson is stark: perimeter hardening, patching cadence, and MFA enforcement are necessary but not sufficient when the attack surface includes every unmanaged device connecting your workforce to the cloud. An adversary that controls a router's DNS can steer Microsoft authentication traffic through infrastructure it operates and, from that adversary-in-the-middle position, capture OAuth tokens, email traffic, and authentication flows after the user has already satisfied MFA. Phishing-resistant authenticators bound to the origin (FIDO2/WebAuthn) and conditional access that requires a managed, compliant device blunt this token theft even when the network path is hostile. Organizations that lack continuous visibility into credential exposure, dark web activity, and threat actor infrastructure are otherwise operating blind against an adversary that sees everything it has redirected through a compromised router.

This is precisely where proactive threat intelligence becomes mission-critical. APT28 / Forest Blizzard is not a new actor: its activity has been observed since at least the mid-2000s, with operations spanning Europe, North America, and regions tied to Russia's strategic interests, consistently targeting government institutions, diplomatic bodies, defense organizations, and NATO-linked entities. Understanding how this group evolves, pivots, and targets is not optional for any organization operating in sectors it has historically compromised.

SOCRadar's Dark Web Profile: APT28 (https://socradar.io/blog/dark-web-profile-apt28/) provides an in-depth breakdown of the group's full TTP matrix, historical campaigns, targeting patterns, and active indicators, giving security teams the contextual intelligence needed to hunt, detect, and respond to Forest Blizzard activity before it reaches your network. From credential exposure monitoring to attack surface visibility and real-time threat actor tracking, SOCRadar's Extended Threat Intelligence platform is built for exactly this threat landscape.

The question is no longer whether APT28 is targeting your sector. The question is whether you have the visibility to know when it already has.

Read the full APT28 threat actor profile and explore SOCRadar's intelligence capabilities: https://socradar.io/blog/dark-web-profile-apt28/

Mitigation

MITIGATION (REF: https://www.ncsc.gov.uk/news/apt28-exploit-routers-to-enable-dns-hijacking-operations)

The NCSC reference above is the advisory itself. What this section reproduces from it is the MITRE ATT&CK mapping of the campaign's behaviour; technique IDs resolve at https://attack.mitre.org/techniques/<ID>/ (for example https://attack.mitre.org/techniques/T1190/ and https://attack.mitre.org/techniques/T1583/002/).

Tactic               | ID        | Technique                                       | Procedure
Initial Access       | T1190     | Exploit Public-Facing Application               | APT28 exploited vulnerabilities in internet-facing routers.
Credential Access    | T1557     | Adversary-in-the-Middle                         | APT28 conducted AitM attacks to gather account credentials.
Resource Development | T1583.002 | Acquire Infrastructure: DNS Server              | APT28 operated malicious DNS servers to conduct DNS hijacking.
Resource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server  | APT28 used VPS infrastructure to host the malicious DNS servers used for DNS hijacking.
Resource Development | T1584.008 | Compromise Infrastructure: Network Devices      | APT28 compromised routers to enable its DNS hijacking activity.
Resource Development | T1586     | Compromise Accounts                             | APT28 used DNS hijacking and AitM techniques to gather account credentials.
Resource Development | T1588.006 | Obtain Capabilities: Vulnerabilities            | APT28 used publicly known vulnerabilities to exploit routers.