UK exposes Russian military intelligence hijacking vulnerable routers for cyber attacks

Summary

The National Cyber Security Centre (NCSC) has published an advisory revealing that Russian state cyber actors, tracked as APT28 (linked to GRU Unit 26165 / Fancy Bear), have been exploiting vulnerable edge and consumer routers to perform DNS hijacking. By changing DNS settings on compromised devices, the attackers can reroute victims to malicious servers to intercept web and email traffic and harvest credentials and authentication tokens.

The activity appears largely opportunistic — broad, automated compromise of exposed routers followed by narrower targeting where intelligence value is identified. The advisory reiterates mitigation steps: protect management interfaces, keep device firmware and software up to date, and enable two-step verification where possible.

Key Points

  • NCSC advisory: APT28 has exploited commonly used routers to enable DNS hijacking and man-in-the-middle operations.
  • Compromised DNS can redirect users to malicious sites that harvest passwords and access tokens for web and email accounts.
  • The campaign appears opportunistic at scale, then narrows focus to targets of intelligence interest.
  • APT28 is linked to Russia’s GRU (Unit 26165) and previously associated with sophisticated tools and espionage campaigns.
  • Primary mitigations: secure router management interfaces, apply firmware/software updates, enforce strong admin credentials and two-step verification.
  • NCSC encourages organisations and network defenders to read the advisory and implement the practical guidance immediately.
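The key points above describe the mechanism (a compromised router hands clients a rogue resolver, which then answers with attacker-controlled addresses) and the mitigations, but not how a defender would notice it. The script below is an added example, not part of the NCSC advisory, that implements the two host-side checks a network team would run: whether the configured resolvers match an expected set, and whether answers from the local resolver path contain addresses that a trusted reference resolver never returned. The allowlist `EXPECTED_RESOLVERS`, the resolv.conf text and the answer sets are constructed sample values; in practice the "reference" answers would come from an out-of-band lookup (for example DNS over HTTPS to a resolver the router cannot influence), which is left out so the example runs offline.

```python
"""Host-side detection of DNS hijack indicators (added example, not advisory code).

Two checks:
  1. Are the resolvers this host is using the ones we expect?
  2. Do answers seen via the local resolver path diverge from a trusted reference?
All sample values below are constructed for illustration.
"""
import ipaddress
import re

# Hypothetical allowlist of resolvers an organisation expects clients to use
# (constructed addresses, not taken from the advisory).
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Private and loopback ranges. A resolver outside these that is also not on the
# allowlist is the classic sign of a router pushing clients to an external server.
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"nameserver\s+(\S+)", line)
        if m:
            servers.append(m.group(1))
    return servers


def check_resolvers(servers):
    """Return a list of (resolver, reason) findings for resolvers not on the allowlist."""
    findings = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            findings.append((s, "unparseable resolver address"))
            continue
        if s in EXPECTED_RESOLVERS:
            continue
        if any(addr in net for net in PRIVATE_NETS):
            # Legitimate on an unmanaged home LAN (the router itself); suspicious
            # on a managed network that should only see the allowlisted resolvers.
            findings.append((s, "unexpected internal resolver"))
        else:
            findings.append((s, "resolver outside allowlist and not on a private network"))
    return findings


def compare_answers(local, reference):
    """Compare A-record answers: both args map hostname -> set of IP strings.

    Returns {name: [extra IPs]} for names whose local answer contains addresses
    the reference resolver never returned, i.e. a possible redirection.
    """
    divergent = {}
    for name, ref_ips in reference.items():
        extra = local.get(name, set()) - ref_ips
        if extra:
            divergent[name] = sorted(extra)
    return divergent


def audit(resolv_text, local_answers, reference_answers):
    """Run both checks and return a single report dict."""
    return {
        "resolver_findings": check_resolvers(parse_resolv_conf(resolv_text)),
        "divergent_answers": compare_answers(local_answers, reference_answers),
    }


# Constructed sample input: one expected resolver plus one in a documentation
# range (TEST-NET-3), standing in for an external resolver injected via the router.
SAMPLE_RESOLV_CONF = """# constructed sample resolv.conf
nameserver 10.0.0.53
nameserver 203.0.113.77
"""

# Constructed answer sets. The portal's local answer carries an address the
# reference resolver does not know about.
SAMPLE_LOCAL_ANSWERS = {
    "mail.example.com": {"198.51.100.10"},
    "portal.example.com": {"192.0.2.20", "198.51.100.99"},
}
SAMPLE_REFERENCE_ANSWERS = {
    "mail.example.com": {"198.51.100.10"},
    "portal.example.com": {"192.0.2.20"},
}

if __name__ == "__main__":
    report = audit(SAMPLE_RESOLV_CONF, SAMPLE_LOCAL_ANSWERS, SAMPLE_REFERENCE_ANSWERS)
    for server, reason in report["resolver_findings"]:
        print(f"resolver {server}: {reason}")
    for name, extra in report["divergent_answers"].items():
        print(f"{name}: local answer has unexpected addresses {extra}")
```

Either finding on its own is worth a look, but the combination (an unexpected resolver and answers for mail or login portals that the reference resolver does not return) is the pattern the advisory describes, and is the point at which the router's DNS settings and firmware should be checked.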

Context and Relevance

Router and edge-device vulnerabilities are an attractive vector for state-backed actors because they provide broad visibility and a way to intercept large volumes of traffic without compromising end-user devices directly. This advisory is significant for home users, small businesses, large organisations and the public sector — anyone relying on consumer or unmanaged network kit. It also fits a wider trend of adversaries weaponising poorly maintained infrastructure rather than only targeting high-value servers.

Why should I read this?

Look — if you run networks, manage IT or care about keeping accounts secure, this is one of those short, useful reads that tells you exactly what the threat is and what to fix. Patch your routers, lock down admin access and switch on two-step verification. Do it now, save yourself a headache later.

Author style

Punchy: this is direct and urgent. For security teams and public-sector IT, the advisory isn’t just interesting — it’s operationally important. If you’re responsible for network hygiene, the mitigations here should be prioritised straight away.

Source

Source: https://www.ncsc.gov.uk/news/uk-exposes-russian-military-intelligence-hijacking-vulnerable-routers-for-cyber-attacks