
APT28 Exploits Routers for DNS Hijacking Attacks

UK NCSC Alerts & Advisories
Detected April 7th, 2026

Summary

The NCSC published an advisory exposing how Russian state cyber group APT28 compromised vulnerable internet routers to conduct DNS hijacking operations, enabling traffic interception and credential harvesting. The advisory provides mitigation guidance including protecting management interfaces, maintaining updated devices, and implementing two-step verification.

What changed

The NCSC revealed that APT28 (linked to Russia's GRU Military Unit 26165) exploited vulnerable edge devices to hijack DNS traffic, covertly redirecting users to malicious servers to harvest passwords and access tokens from web and email services. The activity is described as opportunistic, with actors casting a wide net before narrowing to targets of intelligence interest.

Organisations and network defenders should review the advisory and implement mitigation measures: protect management interfaces of systems from unauthorized access, ensure devices and software are maintained and kept up-to-date, and enable two-step verification on management interfaces. While no compliance deadline is specified, this represents actionable defensive guidance from the UK's lead cybersecurity authority.

What to do next

  1. Review the NCSC advisory on APT28 DNS hijacking techniques and share with network defenders
  2. Audit router and edge device management interfaces to ensure they are not exposed to the internet
  3. Verify all network devices and firmware are updated to the latest versions, and enable multi-factor authentication on management interfaces

Source document (simplified)

UK exposes Russian military intelligence hijacking vulnerable routers for cyber attacks

New advisory warns cyber threat group APT28 have exploited vulnerable edge devices to support malicious operations.

The National Cyber Security Centre (NCSC) – a part of GCHQ – has published a new advisory revealing how Russian cyber actors have compromised commonly used routers, allowing them to covertly reroute users’ internet traffic through malicious servers under their control.

The new advisory warns that Russian state cyber group APT28 has exploited vulnerable internet routers to enable Domain Name System (DNS) hijacking operations, giving the attackers the ability to intercept traffic and harvest login credentials, including passwords and access tokens, from personal web and email services.

DNS is what allows individuals to reach websites by typing familiar addresses, instead of associated IP addresses. In a DNS hijacking attack, actors interfere with this process to covertly send users to malicious websites designed to steal login details or other sensitive information.

The advisory also notes that the activity is likely opportunistic in nature, with the actor casting a wide net to reach many potential victims, before narrowing in on targets of intelligence interest as the attack develops.

APT28 has previously been linked by the UK to Russia’s GRU 85th Main Special Service Centre (GTsSS), Military Unit 26165.

Paul Chichester, NCSC Director of Operations, said:

This activity demonstrates how exploited vulnerabilities in widely used network devices can be leveraged by sophisticated hostile actors.

We strongly encourage organisations and network defenders to familiarise themselves with the techniques described in the advisory and to follow the mitigation advice.

The NCSC will continue to expose Russian malicious cyber activity and provide practical guidance to help protect UK networks.

Organisations and network defenders are encouraged to follow the mitigation advice to effectively protect against DNS hijacking attacks, including protecting the management interfaces of systems, ensuring devices and software are maintained and up-to-date, and setting up two-step verification.

The NCSC has previously called out APT28 / Unit 26165, also known in open source as Fancy Bear, Forest Blizzard, the Sednit Gang and Sofacy, for deploying sophisticated malware dubbed AUTHENTIC ANTICS and for targeting western logistics entities and technology companies.

Published: 7 April 2026
Written for: Cyber security professionals, Large organisations, Public sector
News type: General news


Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: NCSC
Instrument: Guidance
Legal weight: Non-binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Technology companies, Government agencies, Financial advisers
Industry sector: 5112 Software & Technology, 5170 Telecommunications
Activity scope: Network Infrastructure Security, DNS Security, Credential Harvesting Defense
Geographic scope: United Kingdom (GB)

Taxonomy

Primary area: Cybersecurity
Operational domain: IT Security
Compliance frameworks: NIST CSF
Topics: Network Infrastructure Security, Critical Infrastructure Protection, State-Sponsored Threats
