UK Cyber Security Centre Warns of Russian Hackers Hijacking British Internet Traffic

The UK's National Cyber Security Centre (NCSC) has issued a critical advisory, revealing that elite Russian state-linked hackers are actively breaking into internet routers commonly used across Britain. This sophisticated cyber operation involves covertly rerouting users' internet traffic through malicious servers under the hackers' control, posing a severe threat to personal data security.

DNS Hijacking Exploits Vulnerable Routers

According to the NCSC, the hacker group APT28, which is linked to Russian military intelligence, has been exploiting vulnerabilities in routers to enable Domain Name System (DNS) hijacking operations. DNS is the process that lets users reach websites by typing familiar addresses. The hackers interfere with it to secretly redirect users to malicious websites designed to steal login credentials, passwords, and access tokens from personal web and email services.
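A defender-side check for this kind of hijacking, as an added example that is not taken from the NCSC advisory: it flags DNS resolvers a client was handed that are not on an approved list, and names whose local answers share no /24 with answers from a trusted reference resolver. All addresses, hostnames and function names are constructed assumptions; the answer lists are assumed to have been collected beforehand.

```python
import ipaddress

def parse_nameservers(resolv_conf_text):
    """Return the resolver IPs listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(ipaddress.ip_address(fields[1]))
    return servers

def unexpected_resolvers(servers, approved):
    """Resolvers the client was given that are not on the approved list."""
    return [s for s in servers if s not in approved]

def divergent_answers(local, reference, prefix_len=24):
    """Map each name to its local IPv4 answers when none of them falls in a
    /prefix_len network seen in the reference answers for that name."""
    findings = {}
    for name, ref_ips in reference.items():
        ref_nets = {ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
                    for ip in ref_ips}
        local_ips = [ipaddress.ip_address(ip) for ip in local.get(name, [])]
        outside = [str(ip) for ip in local_ips
                   if not any(ip in net for net in ref_nets)]
        if local_ips and len(outside) == len(local_ips):
            findings[name] = outside
    return findings

# Constructed sample data (documentation address ranges, not real indicators).
RESOLV_CONF = """# pushed by the router over DHCP (constructed)
nameserver 203.0.113.66
nameserver 192.168.1.1   # router LAN address
"""
APPROVED = {ipaddress.ip_address("192.168.1.1")}
# Answers seen through the router-assigned resolver vs. a trusted resolver.
LOCAL = {"mail.example.com": ["203.0.113.80"],
         "www.example.org": ["198.51.100.20"]}
REFERENCE = {"mail.example.com": ["192.0.2.10", "192.0.2.11"],
             "www.example.org": ["198.51.100.7"]}

if __name__ == "__main__":
    print("unexpected resolvers:",
          unexpected_resolvers(parse_nameservers(RESOLV_CONF), APPROVED))
    print("divergent answers:", divergent_answers(LOCAL, REFERENCE))
```

A divergent answer is a lead to investigate rather than proof of hijacking, since CDNs and geo-aware DNS legitimately return different addresses to different resolvers.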

Opportunistic Attacks with Targeted Focus

The security group described this activity as "likely opportunistic in nature," with the hackers initially casting a wide net to reach many potential victims. As the attack develops, they then narrow in on specific targets of intelligence interest, making it a dual-phase threat that combines broad infiltration with precise targeting.


Paul Chichester, NCSC director of operations, emphasized the severity of the situation, stating: "This activity demonstrates how exploited vulnerabilities in widely used network devices can be leveraged by sophisticated hostile actors. We strongly encourage organisations and network defenders to familiarise themselves with the techniques described in the advisory and to follow the mitigation advice."

Protective Measures and Mitigation Strategies

In response to this escalating threat, the NCSC has listed several measures to help protect users against DNS hijacking attacks. Key recommendations include applying all available security updates promptly and setting up two-step verification for enhanced account security. These steps are crucial for both individual users and organisations to mitigate the risk of data theft and unauthorized access.

APT28's Notorious Cyber History

APT28, also known in open source as Fancy Bear, Forest Blizzard, the Sednit Gang, and Sofacy, has a well-documented history of involvement in high-profile cyber attacks over the past few years. The group has been linked to attacks on the US Democratic National Committee, the German Bundestag, and various western logistics and technology organisations, including those providing aid to Ukraine.

According to the NCSC, the group is "almost certainly" Unit 26165 of the GRU, Russia's military intelligence service. This connection underscores the state-sponsored nature of these cyber operations, which are part of a broader malicious campaign targeting both public and private sectors.

Ongoing Campaign Against Western Interests

In an advisory published in May 2025, the NCSC and partners from ten countries revealed detailed insights into APT28's "malicious cyber campaign" against organisations since 2022. The unit has specifically targeted entities involved in the co-ordination, transport, and delivery of support to Ukraine, as well as sectors including defence, IT services, maritime, airports, ports, and air traffic management systems across multiple NATO member countries.

This latest warning highlights the persistent and evolving threat posed by Russian cyber actors, who continue to exploit technological vulnerabilities to compromise national security and personal privacy. The NCSC's advisory serves as an urgent call to action for enhanced cyber vigilance and proactive defence measures across the UK.
