The UK National Cyber Security Centre has revealed that Russian military intelligence operatives have been hijacking commonly used internet routers to intercept web traffic and steal login credentials, the UK Defence Journal understands.
In a new advisory, the NCSC warned that APT28, a cyber group linked to Russia’s GRU Military Unit 26165, has been exploiting vulnerabilities in edge network devices to conduct Domain Name System hijacking operations. DNS is the system that translates website addresses into the numerical IP addresses computers use to connect, and by tampering with this process, attackers can covertly redirect users to malicious sites designed to harvest passwords and access tokens from personal web and email services.
The NCSC noted that the activity appears to be opportunistic in nature, with the group initially casting a wide net before narrowing its focus to targets of intelligence interest.
Paul Chichester, NCSC Director of Operations, was quoted as saying: “This activity demonstrates how exploited vulnerabilities in widely used network devices can be leveraged by sophisticated hostile actors.”
He added: “We strongly encourage organisations and network defenders to familiarise themselves with the techniques described in the advisory and to follow the mitigation advice.”
The advisory recommends that organisations protect the management interfaces of their systems, keep devices and software up to date, and enable two-step verification.
APT28, also known in open-source reporting as Fancy Bear, Forest Blizzard, and Sofacy, has been repeatedly called out by Western governments for malicious cyber activity. The NCSC has previously attributed operations involving sophisticated malware and targeting of Western logistics and technology companies to the same group. The advisory is aimed at cyber security professionals, large organisations, and public sector bodies across the UK.
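One defender-side check for the DNS hijacking described above is to resolve the same names through the router or ISP resolver a host has been handed and through an independent reference resolver, then flag names whose answers share no address. This is an added example, not code from the NCSC advisory or the article; the resolver addresses and hostnames are assumptions.

```python
import socket
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A/IN query with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(resp: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) domain name in a response."""
    while True:
        length = resp[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += length + 1

def parse_a_records(resp: bytes) -> set:
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(resp, pos) + 4  # skip QNAME, then QTYPE and QCLASS
    addrs = set()
    for _ in range(ancount):
        pos = _skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:    # A record; CNAME and others are skipped
            addrs.add(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def resolve(name: str, resolver: str, timeout: float = 2.0) -> set:
    """Query one resolver directly over UDP/53 and return its A answers."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        resp, _ = sock.recvfrom(4096)
    if resp[:2] != query[:2]:            # transaction id must match our query
        raise ValueError("mismatched DNS transaction id")
    return parse_a_records(resp)

def divergent_names(local: dict, reference: dict) -> list:
    """Names whose local answers share no address with the reference answers."""
    return sorted(n for n in reference if local.get(n, set()).isdisjoint(reference[n]))

if __name__ == "__main__":
    names = ["mail.example.com", "login.example.com"]   # assumed hostnames
    local = {n: resolve(n, "192.168.1.1") for n in names}  # assumed router resolver
    ref = {n: resolve(n, "9.9.9.9") for n in names}        # assumed reference resolver
    for n in divergent_names(local, ref):
        print(f"DIVERGENT {n}: local={local[n]} reference={ref[n]}")
```

Divergence is an indicator, not proof: CDN-hosted names legitimately return different addresses per resolver location, so confirm with a second reference resolver and the name's authoritative servers before treating a result as hijacking.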
The other issue that is less reported is actually sitting the malware on the router itself.
Older routers, where patching has stopped, are very vulnerable to this and ISPs are not proactive in removing this kit ‘where it still works’. The solution is to force ISPs to update kits so it is of a known security standard.
And of course we're squeaky clean and never do anything like this…