Russia’s APT28 behind latest wave of router, DNS attacks • The Register
https://www.theregister.com/2026/04/07/russia_fancy_bear_ncsc_router_attack/?td=keepreading
Publish Date: 2026-04-07 13:02:00
Source Domain: www.theregister.com
The UK’s National Cyber Security Centre (NCSC) has issued a fresh warning about Russia’s ongoing targeting of routers to steal passwords and other secrets.
It said APT28, aka Fancy Bear, a group widely attributed to Russian intelligence (GRU), is exploiting vulnerabilities in small office and home office (SOHO) routers and changing their DNS server settings to redirect victims to websites it controls.
In many cases, downstream devices such as laptops and smartphones can also inherit the altered DNS settings, exposing them to malicious connections.
Fancy Bear typically reroutes victims searching for commonly visited services such as Outlook to websites under its control. Victims are instead served an Outlook copycat page, into which they unwittingly enter their legitimate credentials to access the service.
TP-Link routers were name-dropped specifically, although Cisco routers were previously caught up in the same activity, which the NCSC has monitored since 2021.
A separate cluster of similar activity targeted MikroTik routers. The NCSC believes many of these were located in Ukraine, and compromising them would allow Russia to gather data with military intelligence value.
Although the DNS hijacking activity has been ongoing for years and was carried out by sophisticated threat actors, the NCSC said it was likely opportunistic rather than singling out high-value individuals for targeting.
Paul Chichester, director of operations at the NCSC, said: “This activity demonstrates how exploited vulnerabilities in widely used network devices can be leveraged by sophisticated hostile actors.
“We strongly encourage organizations and network defenders to familiarise themselves with the techniques described in the advisory and to follow the mitigation advice.
“The NCSC will continue to expose Russian malicious cyber…