UK NCSC Warns APT28 Is Hijacking Routers for DNS Attacks to Steal Credentials
The UK's National Cyber Security Centre has published an advisory detailing how Russian military intelligence group APT28 is exploiting vulnerable routers to conduct DNS hijacking attacks that intercept login credentials and access tokens.

The UK National Cyber Security Centre (NCSC) has issued a new advisory warning that Russian state-sponsored cyber group APT28 — also known as Fancy Bear, Forest Blizzard, and Unit 26165 — is actively exploiting vulnerable internet routers to conduct Domain Name System (DNS) hijacking operations. The campaign allows the attackers to covertly reroute users' internet traffic through malicious servers under their control, enabling them to intercept login credentials, passwords, and access tokens from personal web and email services.
DNS is the system that translates human-readable domain names into IP addresses. In a DNS hijacking attack, the adversary interferes with this resolution process to silently redirect users to malicious websites designed to steal login details or other sensitive information. The NCSC advisory notes that the activity is likely opportunistic in nature: the attackers cast a wide net to compromise many potential victims before narrowing in on targets of intelligence interest as the attack develops.
APT28 has been linked by the UK to Russia's GRU 85th Main Special Service Centre (GTsSS), Military Unit 26165. The group has a long history of conducting cyber espionage operations against governments, militaries, and technology companies worldwide. The NCSC has previously called out APT28 for deploying sophisticated malware such as AUTHENTIC ANTICS and targeting Western logistics entities and technology companies.
The advisory emphasizes that the attackers are exploiting widely used routers that have not been properly secured or updated. Once compromised, these devices become a persistent foothold from which the attackers manipulate DNS traffic. The NCSC strongly recommends that organizations and network defenders protect the management interfaces of their systems, keep devices and software maintained and up to date, and enable two-step verification to mitigate the risk of credential theft.
Paul Chichester, NCSC Director of Operations, said: "This activity demonstrates how exploited vulnerabilities in widely used network devices can be leveraged by sophisticated hostile actors. We strongly encourage organisations and network defenders to familiarise themselves with the techniques described in the advisory and to follow the mitigation advice."
The advisory is part of the UK government's ongoing efforts to expose Russian malicious cyber activity and provide practical guidance to help protect UK networks. The NCSC continues to work with international partners to disrupt such campaigns and raise awareness of the tactics, techniques, and procedures used by state-sponsored threat actors.
This latest warning underscores the persistent threat posed by state-sponsored groups targeting network infrastructure. DNS hijacking remains a powerful technique because it can bypass many traditional security controls that focus on endpoint protection. Organizations are urged to audit their network devices, apply security patches promptly, and monitor for signs of DNS manipulation to defend against these sophisticated attacks.
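The advisory's mitigation advice comes down to two defender checks: confirm that the resolvers a router hands out are the ones you expect, and confirm that the answers those resolvers give for sensitive names match what a trusted, out-of-band resolver returns. The script below is an added illustration of both checks, not code from the NCSC advisory; the allow-list, the resolv.conf text and the A-record answer sets are constructed sample data (RFC 5737 documentation addresses), and the function names are the author's own.

```python
import ipaddress
import re

# Constructed allow-list: the resolvers this network is supposed to use.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed resolv.conf as a compromised gateway might push it via DHCP:
# one legitimate resolver plus an unexpected one.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP from the gateway
search corp.example
nameserver 192.0.2.53
nameserver 203.0.113.66
options timeout:2
"""

# Constructed A-record answers, keyed by name, as returned by the locally
# configured resolver versus a trusted out-of-band resolver (e.g. queried
# over a VPN or DoH). Only the login host has been redirected.
LOCAL_ANSWERS = {
    "mail.example.com": {"198.51.100.25"},
    "login.example.com": {"203.0.113.7"},
    "www.example.com": {"198.51.100.10", "198.51.100.11"},
}
TRUSTED_ANSWERS = {
    "mail.example.com": {"198.51.100.25"},
    "login.example.com": {"198.51.100.20"},
    "www.example.com": {"198.51.100.11", "198.51.100.10"},
}


def parse_resolv_conf(text):
    """Return resolver IPs from resolv.conf-style text.

    Comments are stripped, non-'nameserver' lines are ignored and entries
    that are not valid IP addresses are skipped rather than raising.
    """
    resolvers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.match(r"nameserver\s+(\S+)$", line)
        if not match:
            continue
        try:
            resolvers.append(str(ipaddress.ip_address(match.group(1))))
        except ValueError:
            continue
    return resolvers


def unexpected_resolvers(resolvers, expected=EXPECTED_RESOLVERS):
    """Resolver IPs in use that are not on the allow-list, sorted."""
    return sorted(set(resolvers) - set(expected))


def divergent_answers(local, trusted):
    """Names whose local answer set differs from the trusted answer set.

    Returns {name: (local_addresses, trusted_addresses)}. Record order does
    not matter; a name missing from one side is also reported.
    """
    divergent = {}
    for name in sorted(set(local) | set(trusted)):
        local_set = frozenset(local.get(name, ()))
        trusted_set = frozenset(trusted.get(name, ()))
        if local_set != trusted_set:
            divergent[name] = (local_set, trusted_set)
    return divergent


def assess(resolv_text, local, trusted):
    """Run both checks and return a list of human-readable findings."""
    findings = []
    for ip in unexpected_resolvers(parse_resolv_conf(resolv_text)):
        findings.append(f"unexpected resolver configured: {ip}")
    for name, (local_set, trusted_set) in divergent_answers(local, trusted).items():
        findings.append(
            f"answer mismatch for {name}: local={sorted(local_set)} "
            f"trusted={sorted(trusted_set)}"
        )
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_RESOLV_CONF, LOCAL_ANSWERS, TRUSTED_ANSWERS):
        print("ALERT:", finding)
```

Run against live data, the resolver check reads the host's actual resolv.conf (or the DHCP lease file) and the answer comparison is fed by real queries to the local and trusted resolvers. A mismatch is a signal rather than proof: CDN and GeoDNS deployments legitimately return different addresses from different vantage points, so baseline the sensitive names you care about and alert on changes from that baseline, and treat an unexpected resolver IP as the higher-confidence indicator.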