The UK's National Cyber Security Centre (NCSC) has issued a warning that APT28, the notorious Russian hacking group also known as "Fancy Bear," is actively targeting Small Office/Home Office (SOHO) routers to harvest user passwords and confidential data.
According to NCSC investigations, APT28 maintains close ties to Russia's military intelligence agency, the GRU. The group exploits known vulnerabilities in routers to forcibly alter their DNS server configurations. Once the attack succeeds, victims attempting to access common services like Outlook are redirected to phishing sites controlled by the hackers. When users enter their login credentials into these fraudulent pages, the information is captured directly by the attackers.
The Scale of Attacks Continues to Grow
Beyond the routers themselves, downstream devices connected to the network—such as laptops and smartphones—are also at risk as they inherit the compromised DNS settings. In a concurrent report, Microsoft noted that the group has recently compromised approximately 200 organizations, affecting over 5,000 devices. Microsoft, which tracks the group as "Forest Blizzard," believes the attackers are using these upstream router penetrations as a springboard to gain access to larger corporate networks.
NCSC monitoring records indicate that this campaign began in 2021. While early attacks primarily targeted Cisco routers, recent activity has increasingly involved TP-Link devices. Furthermore, there has been a surge in attacks against MikroTik routers, with a significant number of affected devices located in Ukraine, suggesting that the collection of military intelligence is a primary objective.
Although the victim pool is broad, the NCSC characterizes these DNS hijacking attacks as "opportunistic" rather than targeted strikes against high-value entities. The hackers are leveraging widely known device vulnerabilities rather than sophisticated zero-day exploits.
Paul Chichester, NCSC Director of Operations, stated: "This activity shows that vulnerabilities in widely used network equipment are easily exploited by hostile actors. We strongly urge organizations and network security defenders to familiarize themselves with the techniques described in our advisory and to strictly follow the mitigation guidance provided."
Currently, the NCSC is continuing to track this malicious activity and to provide defensive guidance to networks across the UK. Experts advise device owners to update their router firmware immediately and to check their DNS settings for signs of unauthorized tampering.
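The two checks a defender can actually run follow directly from the mechanism described above: a hijacked router hands out a resolver the owner never configured, and that resolver answers queries for services like Outlook with addresses that a trusted resolver never returns. The script below is an added example written for this article; it is not code from the NCSC, Microsoft, or any router vendor. It audits resolv.conf-style text that a downstream device inherits from the router and compares pre-captured DNS answers from the router's resolver against answers from a trusted one. The resolver allowlist, the hostnames and all addresses are constructed (RFC 5737 documentation ranges), so it runs offline; in practice the two answer sets would be captured beforehand with a tool such as dig against each resolver.

```python
"""DNS-hijack checks for a SOHO network (added example, not NCSC/Microsoft code).

Two defender-side checks derived from the behaviour described in the article:
  1. the resolvers a router hands out to downstream devices versus the ones
     the owner expects (a silently changed DNS server is the hijack itself);
  2. answers from the router's resolver versus answers from a trusted
     resolver for high-value hostnames (a redirect to a phishing host shows
     up as an answer the trusted resolver never gives).
All inputs below are constructed; addresses come from RFC 5737 documentation
ranges and stand in for real resolvers and real answers.
"""
import ipaddress

# Resolvers the network owner configured on purpose (constructed allowlist).
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}


def parse_resolv_conf(text):
    """Extract nameserver addresses from resolv.conf-style text.

    Downstream hosts that inherit the router's DHCP settings end up with the
    hijacked resolver here, so this is where the tampering becomes visible.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                pass                                # ignore malformed entries
    return servers


def unexpected_resolvers(configured, expected=EXPECTED_RESOLVERS):
    """Resolvers present in the config that are not on the allowlist."""
    return sorted(set(configured) - set(expected))


def hijacked_names(device_answers, trusted_answers):
    """Hostnames whose device-resolver answers contain addresses the
    trusted resolver never returned.

    Both arguments map hostname -> set of IP strings, captured beforehand
    (for example with dig against each resolver), so this runs offline.
    """
    findings = {}
    for name, device_ips in device_answers.items():
        good = trusted_answers.get(name, set())
        rogue = set(device_ips) - good
        if rogue:
            findings[name] = sorted(rogue)
    return findings


def audit(resolv_conf_text, device_answers, trusted_answers):
    """Run both checks and return a single findings dict."""
    configured = parse_resolv_conf(resolv_conf_text)
    return {
        "configured_resolvers": configured,
        "unexpected_resolvers": unexpected_resolvers(configured),
        "hijacked_names": hijacked_names(device_answers, trusted_answers),
    }


# --- constructed sample data ------------------------------------------------
SAMPLE_RESOLV_CONF = """\
# generated by DHCP from the router (constructed)
search example.net
nameserver 192.0.2.53
nameserver 198.51.100.9   # not one of ours
"""

# What the router's resolver answered (constructed): the mail host points at
# an address the trusted resolver never returns.
DEVICE_ANSWERS = {
    "outlook.office.com": {"198.51.100.20"},
    "www.example.com": {"203.0.113.10"},
}

# What a trusted, directly queried resolver answered (constructed).
TRUSTED_ANSWERS = {
    "outlook.office.com": {"203.0.113.40", "203.0.113.41"},
    "www.example.com": {"203.0.113.10"},
}

if __name__ == "__main__":
    result = audit(SAMPLE_RESOLV_CONF, DEVICE_ANSWERS, TRUSTED_ANSWERS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the sample data the audit flags 198.51.100.9 as an unexpected resolver and outlook.office.com as resolving to an address the trusted resolver does not return; either finding on its own is enough to warrant a firmware update and a reset of the router's DNS configuration. The answer comparison is deliberately one-directional: a hijack adds rogue addresses, so only device answers absent from the trusted set are reported, and ordinary load-balancing differences in the trusted set do not produce false alarms.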