Russian Cyberspies Target UK Internet Routers in Widespread Intelligence Harvesting Operation
British internet routers are under sustained attack from Russian state-linked cyberspies, according to security experts. The notorious hacking group APT28, also known as Fancy Bear, has been targeting vulnerable routers across the UK for approximately two years to harvest intelligence and sensitive personal data.

Exploitation of Router Vulnerabilities

The hackers, associated with Russia's GRU military intelligence agency, are exploiting weaknesses in commonly used internet routers. This activity allows them to redirect internet traffic, enabling the theft of email login passwords and other confidential information from unsuspecting users.

Techniques and Targets

APT28 has been hijacking the domain name system (DNS), deceiving internet users into visiting malicious websites disguised as legitimate ones. Initially focusing on high-risk individuals and organisations, the group has now expanded its operations to potentially target the general public.
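A defender-side check for the router-level DNS hijacking described above, added here as an example (it is not code from the article or from the NCSC advisory): it flags resolvers a host was handed that are not on an expected list, and names whose local answers share no address with a trusted out-of-band resolver. The resolver addresses, domain names and answers are constructed sample values.

```python
"""Defender-side checks for router-level DNS hijacking: are the resolvers a host
was handed the expected ones, and do the local resolver's answers for sensitive
names agree with a trusted out-of-band resolver? Addresses and names below are
constructed sample values (RFC 5737 documentation ranges), not real hosts."""
import ipaddress

# Resolvers the router is expected to advertise (assumed for this example).
EXPECTED_RESOLVERS = {"192.0.2.53", "198.51.100.53"}

# Constructed resolv.conf as a tampered router might hand it out via DHCP.
SAMPLE_RESOLV_CONF = """nameserver 203.0.113.7
nameserver 192.0.2.53
"""

# Constructed answers: local resolver vs a trusted resolver queried directly.
SAMPLE_LOCAL = {"mail.example.com": ["203.0.113.10"],
                "www.example.com": ["192.0.2.80", "192.0.2.81"]}
SAMPLE_TRUSTED = {"mail.example.com": ["192.0.2.25"],
                  "www.example.com": ["192.0.2.81"]}

def parse_resolv_conf(text):
    """Return nameserver IPs from resolv.conf-style text, skipping junk."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                pass  # malformed address is not a resolver
    return servers

def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Resolvers not on the allowlist; a rogue entry is a strong signal."""
    return [s for s in servers if s not in expected]

def dns_mismatches(local_answers, trusted_answers):
    """Names whose local answers share no address with the trusted answers.
    Round-robin/CDN records can differ legitimately, so overlap of at least
    one address counts as consistent; a disjoint set warrants follow-up."""
    findings = []
    for name, trusted in trusted_answers.items():
        local = set(local_answers.get(name, ()))
        if not local & set(trusted):
            findings.append((name, sorted(local), sorted(trusted)))
    return findings

def run_checks():
    servers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    return {"rogue_resolvers": unexpected_resolvers(servers),
            "mismatches": dns_mismatches(SAMPLE_LOCAL, SAMPLE_TRUSTED)}
```

In practice the trusted answers would come from a resolver reached over a path the router cannot influence (for example DNS over HTTPS to a known provider), and a rogue resolver finding should be corroborated against the router's own configuration and firmware version.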

Paul Chichester, NCSC director of operations, stated: "This activity demonstrates how exploited vulnerabilities in widely used network devices can be leveraged by sophisticated hostile actors. We strongly encourage organisations and network defenders to familiarise themselves with the techniques described in the advisory and to follow the mitigation advice."

Historical Context and Global Impact

APT28 (the "APT" stands for Advanced Persistent Threat) gained notoriety for hacking the Democratic National Committee servers during the 2016 US election campaign. The group is also known by aliases such as Unit 26165, Forest Blizzard, Pawn Storm, the Sednit Gang, and Sofacy.

International Incidents

Recent activities attributed to APT28 include:

  • Cyberattacks on Germany's air traffic control authority and disinformation campaigns ahead of the 2024 federal election, leading to Russia's ambassador being summoned.
  • Hijacking traffic intended for a Nigerian government website and targeting Apple devices.
  • Influencing attempts on the US presidential election through stolen Democratic Party emails, as reported by multiple US intelligence agencies.

Response and Mitigation Measures

The National Cyber Security Centre (NCSC) has issued a series of protective measures, emphasising the use of modern devices and regular updates. In January, GCHQ highlighted persistent targeting of UK organisations, particularly local government and critical infrastructure operators, urging improved cyber resilience.

Broader Campaigns

Since Russia's invasion of Ukraine, APT28 has also focused on Ukrainian targets, including military personnel. A joint investigation with allies like the US, Germany, and France revealed a malicious cyber campaign targeting entities involved in delivering foreign assistance to Ukraine.

Specific targets have included:

  1. Organisations supplying defence, IT services, and logistics support.
  2. Internet-connected cameras at Ukrainian borders monitoring aid shipments, with around 10,000 cameras accessed near military installations and rail stations.
  3. Legitimate municipal services, such as traffic cameras, used to track material movements into Ukraine.

The group has also been linked to leaking World Anti-Doping Agency data, underscoring its extensive and disruptive capabilities. The NCSC continues to expose Russian malicious cyber activity and provide practical guidance to safeguard UK networks.