British security officials issued a warning on Tuesday that a hacking team affiliated with Russian military intelligence is leveraging vulnerable home and small-office networking equipment to conduct cyber espionage. These attacks are designed to hijack web traffic, allowing the actors to monitor victims and steal sensitive information.
In a technical advisory, the UK’s National Cyber Security Centre (NCSC) noted that the group modifies router settings to redirect internet traffic through servers under their control. The NCSC, which operates under the UK’s Government Communications Headquarters (GCHQ), stated that its experts have assessed with high confidence that the campaign is being carried out by Unit 26165 of the Russian GRU.
Attack Methods and Vulnerability Exploitation
The hacking group is well-known in the cybersecurity community, operating under aliases such as APT28, Fancy Bear, and BlueDelta. This latest campaign primarily targets a range of TP-Link router models. These devices are often exposed directly to the internet, frequently running outdated software or using weak, default passwords.
According to NCSC analysis, the hackers exploit vulnerabilities in the Simple Network Management Protocol (SNMP) to gain unauthorized access. Many devices still rely on the unencrypted SNMP v2 version, which allows attackers to intercept credentials and issue remote malicious commands. Once a router is compromised, the hackers can map the network topology and gather information on connected devices, ultimately performing "man-in-the-middle" attacks by altering Domain Name System (DNS) settings.
This method allows attackers to intercept login credentials and authentication tokens, or redirect users to fraudulent websites. The NCSC noted that the attackers typically conduct broad scans to identify vulnerable devices before launching targeted strikes against high-value intelligence objectives.
The UK has previously accused the group of involvement in several major cyberattacks, including the 2015 breach of the German Parliament and a 2018 attempt to interfere with the Organisation for the Prohibition of Chemical Weapons’ analysis of nerve agents. Paul Chichester, NCSC Director of Operations, emphasized that this incident underscores how widely used devices can be exploited by state-sponsored actors if they remain unsecured.
"We strongly encourage organizations and network defenders to familiarize themselves with the techniques described in the report and follow the mitigation advice," Chichester said. "The NCSC will continue to expose malicious Russian cyber activity and provide practical guidance to protect UK networks."
To defend against these threats, the NCSC advises organizations to restrict or disable unnecessary SNMP services, upgrade to more secure protocol versions, and ensure that all network hardware is kept up to date with the latest security patches.
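As an added illustration of the weaknesses described above and the mitigation advice that follows from them (this is not code from the NCSC advisory or any router vendor), the Python below audits a constructed set of small-office router configurations for cleartext SNMP v1/v2c with factory community strings reachable from the WAN, resolver settings that no longer match the organisation's own DNS servers, firmware below an approved build, and an unchanged default admin password. The trusted resolver addresses, firmware threshold and device records are all made up.

```python
"""Audit router settings for the weaknesses in the advisory (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple
# Constructed baseline values, not taken from the advisory or any vendor.
TRUSTED_DNS = {"192.0.2.53", "198.51.100.53"}   # resolvers the organisation runs
DEFAULT_COMMUNITIES = {"public", "private"}     # factory SNMP community strings
MIN_FIRMWARE = (1, 2, 0)                        # placeholder approved build

@dataclass
class RouterConfig:
    name: str
    snmp_version: str        # "1", "2c", "3" or "off"
    snmp_community: str
    snmp_wan_exposed: bool   # SNMP answers on the internet-facing interface
    dns_servers: List[str]   # resolvers handed to LAN clients
    firmware: str            # dotted version string, e.g. "1.1.4"
    default_admin_password: bool

def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))

def audit(cfg: RouterConfig) -> List[str]:
    """Return one finding per weakness; an empty list means the device passes."""
    findings: List[str] = []
    if cfg.snmp_version in ("1", "2c"):
        findings.append("SNMP v1/v2c enabled: community string travels in clear text")
        if cfg.snmp_community in DEFAULT_COMMUNITIES:
            findings.append(f"default SNMP community '{cfg.snmp_community}'")
    if cfg.snmp_version != "off" and cfg.snmp_wan_exposed:
        findings.append("SNMP reachable from the WAN side")
    rogue = sorted(set(cfg.dns_servers) - TRUSTED_DNS)
    if rogue:  # a hijacked resolver setting surfaces here as an unknown address
        findings.append("DNS resolvers not in trusted set: " + ", ".join(rogue))
    if parse_version(cfg.firmware) < MIN_FIRMWARE:
        findings.append(f"firmware {cfg.firmware} older than the approved build")
    if cfg.default_admin_password:
        findings.append("admin password unchanged from factory default")
    return findings

# Constructed fleet: one neglected branch router and one hardened one.
FLEET = [
    RouterConfig("branch-rtr-01", "2c", "public", True,
                 ["192.0.2.53", "203.0.113.7"], "1.1.4", True),
    RouterConfig("hq-rtr-02", "3", "", False,
                 ["192.0.2.53", "198.51.100.53"], "1.2.3", False),
]

def audit_fleet() -> Dict[str, List[str]]:
    return {cfg.name: audit(cfg) for cfg in FLEET}
```

In practice the `RouterConfig` records would be filled from exported device configurations or a management API rather than typed in by hand.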