Russian hackers have stolen government login credentials by hijacking Wi-Fi routers and silently redirecting victims’ internet traffic through servers controlled by Moscow, it has been reported, in a campaign that Western intelligence agencies attribute to Russian military intelligence.
The theft of British government logins, reported by The Telegraph on Sunday, stems from a long-running operation by the hacking group known as APT28 or Fancy Bear, which the UK’s National Cyber Security Centre assesses is almost certainly Unit 26165 of Russia’s GRU. The group compromised thousands of poorly secured home and small office routers, including devices made by MikroTik and TP-Link, and altered their settings so that victims’ web traffic passed through Kremlin-controlled infrastructure, a technique known as DNS hijacking.
Once traffic is flowing through their servers, the hackers can redirect users to convincing spoof versions of login pages and harvest passwords along with the authentication tokens that keep users signed in, allowing the attackers to access accounts without needing two-factor authentication codes. Ukraine’s security service, which took part in the international investigation, said the hackers acted as intermediaries in the online space to collect credentials and emails that would normally be protected by encryption.
Research by Lumen’s Black Lotus Labs identified at least 18,000 victims across around 120 countries, with government departments, law enforcement agencies and email providers among those compromised. The NCSC, which published its attribution in April, described the operations as “likely opportunistic in nature,” with the group casting a wide net before narrowing in on targets of intelligence interest as attacks developed.
The FBI, whose Operation Masquerade sent commands to compromised routers on American soil to evict the Russian presence and reset their settings, said the GRU had indiscriminately compromised a wide pool of victims before “especially targeting information related to military, government and critical infrastructure.” Intelligence and law enforcement services from the US, UK, Ukraine, Poland, Germany, Italy, Canada, Romania and other allies took part in the investigation that exposed the network.
The Telegraph’s reporting indicates British government credentials were among the material taken, with the paper describing the operation as hijacking Wi-Fi systems to transfer secrets to the Kremlin. The government has not published detail on which departments were affected or what the stolen logins provided access to.
Graeme Downie, the Labour MP for Dunfermline and Dollar, told the UK Defence Journal the pattern of Russian activity against the UK now spans every domain. “We’ve now had Russian attacks on the UK on land, through poisonings of British citizens and arson attacks on the Prime Minister’s car, in the air through drone incursions, at sea via threats to subsea cables and now another cyber attack after involvement in the attack on JLR,” he said.
“The government need to rapidly increase UK preparedness and make sure the public know the impact and costs of these attacks on their daily lives. The public will then demand action to protect them from this ongoing conflict with Russia.”
The campaign adds to a lengthening record of Russian cyber operations against the UK. In April the NCSC and allies formally attributed the Star Blizzard political interference campaign, which targeted parliamentarians across parties, to the FSB’s Centre 18. Last month a New York Times investigation attributed the Jaguar Land Rover attack, the most economically damaging hack in British history at an estimated $2.5 billion, to a Russian group, prompting Defence Secretary Dan Jarvis to warn that hostile states had realised the most effective way to attack is by quietly hollowing out the economy rather than through direct military confrontation.
The head of the NCSC, Richard Horne, said in April that the most serious cyberattacks against the UK now come from hostile states including Russia, Iran and China, urging British organisations to prepare for large-scale attacks. Advice published alongside the router attribution urges users and organisations to update firmware, change default passwords, disable remote management interfaces and treat unexpected certificate warnings with suspicion.