AitM attacks can sound abstract until you see what they look like in the real world.
This week, the UK government's National Cyber Security Centre (NCSC) published an advisory on ncsc.gov.uk describing how APT28 used vulnerable routers to support DNS hijacking and adversary-in-the-middle (AitM) operations. The aim was not simply to disrupt internet traffic. It was to quietly get into the path of victims logging into email and web services, then steal passwords, tokens, and other useful authentication data.
That matters because it shows something people often miss about AitM attacks. They do not always begin with a sketchy email or an obvious fake login page. Sometimes they begin with a small, forgotten router sitting in a home office or branch network.
What is an adversary-in-the-middle attack?
At a basic level, an adversary-in-the-middle attack happens when an attacker inserts themselves between a user and the service the user is trying to reach.
The victim thinks they are connecting normally. In reality, the attacker has found a way to sit in the middle of that exchange. That can give them a chance to observe traffic, relay it, manipulate it, or capture the data that matters most, especially login credentials and session material.
In practice, that can mean stealing:
- usernames and passwords
- session cookies
- OAuth tokens
- other authentication data tied to email or web services
The important part is that the attacker does not always need to break the service itself. Sometimes they just need to control the route the victim takes to get there.
Why AitM attacks are so effective
AitM works because it attacks trust.
Most users trust that typing a domain name takes them to the right place. They trust their home or office router. They trust that if a login page looks normal and behaves normally, it is probably fine.
Attackers know that. If they can quietly control the traffic path, they can often stay out of sight long enough to collect something valuable.
That is also why AitM attacks are so relevant in modern environments. The target is often not just a password. It is the whole authenticated session. In cloud-first environments, that can mean access to email, SaaS platforms, internal portals, and other systems that rely on tokens and web-based sign-in flows.
What happened in the APT28 campaign?
According to the NCSC advisory, APT28 exploited vulnerable routers and altered their DHCP and DNS settings so that devices behind them were handed attacker-controlled DNS servers. From there, the actor could selectively tamper with how particular domains resolved, especially domains tied to email, login portals, and authentication flows.
That is a big deal, because once a router hands out malicious DNS settings, every downstream device can inherit them. Laptops, phones, and other systems may start sending DNS requests to infrastructure the attacker controls without the user noticing.
The reporting also says this was not a blunt-force redirect of all internet traffic. The attackers appear to have been selective. Requests for domains that matched their interests could be pointed toward actor-owned systems, while unrelated traffic was often resolved normally. That kind of selectivity helps the operation stay quiet.
Why DNS hijacking matters here
DNS is the system that translates human-readable domain names into the IP addresses devices actually connect to. Most people never think about it, which is exactly why it is such a useful point of interference.
If an attacker can control your DNS resolution, they can influence where you end up when you try to reach a trusted service. In the APT28 case, the router was the foothold, but DNS was the mechanism that made the AitM operation possible. One general caveat worth keeping in mind: a DNS redirect puts the attacker in the path, but what they can do with a TLS-protected login from there depends on whether the client accepts the connection it is offered, which is why certificate validation and HSTS still matter even when the network underneath has been tampered with.
That is what makes this kind of attack so uncomfortable. A user can have a perfectly normal-looking laptop and still be at risk if the network path underneath them has been quietly altered.
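The two symptoms described above (a router handing out a resolver nobody configured, and only a handful of login-related names resolving somewhere unexpected) are both checkable from an ordinary client. The script below is an added example written for this page; it is not code from the NCSC advisory or from the page's author. The resolv.conf and dhclient lease formats it parses are real, but the sample file contents, the resolver allowlist, the domain names and the answer tables are constructed for illustration (addresses are drawn from documentation ranges), and in practice the answer tables would be filled from queries against each resolver rather than hard-coded.

```python
"""Spot a DHCP-supplied rogue resolver and selective DNS tampering.

Added example for this page, not from the NCSC advisory. Every input
below is constructed: file contents, allowlist, names and addresses.
"""
import ipaddress
import re

# Constructed allowlist: the resolvers clients on this network should use.
EXPECTED_RESOLVERS = {"192.168.1.1", "9.9.9.9", "1.1.1.1"}

# Constructed /etc/resolv.conf as a DHCP client would write it.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 203.0.113.53
nameserver 192.168.1.1
"""

# Constructed dhclient lease; the domain-name-servers option is what matters.
SAMPLE_LEASE = """\
lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option routers 192.168.1.1;
  option domain-name-servers 203.0.113.53,192.168.1.1;
  option domain-name "corp.example";
}
"""

# Constructed answer tables: what the DHCP-supplied resolver returned versus
# what trusted resolvers returned for the same names. Only the login-related
# names differ, mirroring the selective behaviour described above.
LOCAL_ANSWERS = {
    "login.example.com": {"203.0.113.10"},
    "mail.example.com": {"203.0.113.10"},
    "www.example.com": {"198.51.100.20"},
    "cdn.example.net": {"198.51.100.30", "198.51.100.31"},
}
TRUSTED_ANSWERS = {
    "login.example.com": {"198.51.100.10"},
    "mail.example.com": {"198.51.100.11"},
    "www.example.com": {"198.51.100.20"},
    "cdn.example.net": {"198.51.100.31", "198.51.100.30"},
}


def resolvers_from_resolv_conf(text):
    """Nameserver addresses in order of use, ignoring comments."""
    found = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found


def resolvers_from_lease(text):
    """Resolvers the DHCP server pushed, from a dhclient lease file."""
    match = re.search(r"option domain-name-servers\s+([^;]+);", text)
    if not match:
        return []
    return [s.strip() for s in match.group(1).split(",") if s.strip()]


def rogue_resolvers(resolvers, expected=EXPECTED_RESOLVERS):
    """Resolvers outside the allowlist; a non-address value is also flagged."""
    rogue = []
    for addr in resolvers:
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            rogue.append(addr)
            continue
        if addr not in expected:
            rogue.append(addr)
    return rogue


def diverging_names(local, trusted):
    """Names whose local answers share no address with the trusted answers.

    Intersection rather than equality: CDNs and round-robin legitimately
    return different subsets, so only a complete mismatch counts.
    """
    result = {}
    for name, trusted_set in trusted.items():
        local_set = local.get(name, set())
        if local_set and not (local_set & trusted_set):
            result[name] = (sorted(local_set), sorted(trusted_set))
    return result


def shared_sink(diverging):
    """Addresses that more than one diverging name points at: one
    actor-controlled host answering for several login domains."""
    by_addr = {}
    for name, (local_addrs, _) in diverging.items():
        for addr in local_addrs:
            by_addr.setdefault(addr, set()).add(name)
    return {a: sorted(n) for a, n in by_addr.items() if len(n) > 1}


if __name__ == "__main__":
    pushed = resolvers_from_lease(SAMPLE_LEASE)
    print("DHCP pushed resolvers:", pushed)
    print("Rogue resolvers:", rogue_resolvers(pushed))
    bad = diverging_names(LOCAL_ANSWERS, TRUSTED_ANSWERS)
    for name, (local_addrs, trusted_addrs) in bad.items():
        print(f"{name}: local {local_addrs} vs trusted {trusted_addrs}")
    print("Shared sink hosts:", shared_sink(bad))
```

On a real client the answer tables would be built by querying each sensitive name against the DHCP-supplied resolver and against one or two resolvers you trust; a name that diverges only on the local resolver, and a single address that several such names share, is the pattern worth escalating.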
The router is not the real target
It is easy to hear “router exploitation” and think this is just a networking problem.
The router is just the lever. The real target is identity.
By compromising a router, an attacker can get visibility across multiple devices at once and manipulate the flow of traffic for an entire home office or small business environment. That creates a path to higher-value outcomes like stolen passwords, stolen tokens, mailbox access, and follow-on compromise in cloud services.
That is why this campaign matters beyond the router models involved. It is really about how infrastructure compromise can become credential compromise.
Why this looks like intelligence collection, not random noise
One of the more interesting parts of the UK advisory is that the activity appears to have been opportunistic at first and selective later. In other words, the attackers seem to have cast a wide net by exploiting vulnerable routers, then narrowed their focus as they identified users or organisations of interest.
That fits the pattern of a patient intelligence operation.
The attacker does not need every victim behind every router. They just need enough visibility to spot the people who matter most to them, then quietly collect access from there.
The bigger takeaway on AitM
The phrase “adversary-in-the-middle” can make people think of an old-school network attack from a textbook.
But this APT28 case is a good reminder that AitM is still very real, and it keeps evolving. It can involve home-office gear, vulnerable routers, DNS manipulation, cloud login flows, and token theft. It can happen in a way that feels invisible to the victim.
That is what makes it dangerous. It is not loud. It is not always obvious. And it does not always begin on the endpoint people are watching most closely.
The recent NCSC reporting on ncsc.gov.uk is a useful reminder that cyber attacks do not always start with malware or a fake attachment. Sometimes they start with the quietest part of the network.
AitM attacks matter because they exploit trust in the path between a person and the service they are trying to use. In the APT28 campaign, vulnerable routers and DNS hijacking were the tools. Credential theft and session compromise were the goal.
And that is the real lesson here: sometimes the most important security problem in the room is the little box in the corner that nobody has checked in years.
References
- UK National Cyber Security Centre, “APT28 exploit routers to enable DNS hijacking operations”
https://www.ncsc.gov.uk/news/apt28-exploit-routers-to-enable-dns-hijacking-operations
