UK intelligence exposes GRU unit 26165 using router DNS manipulation to harvest credentials at scale
The UK's National Cyber Security Centre (NCSC) has published a detailed advisory describing how Russian state-sponsored hackers compromise routers to intercept internet traffic and steal passwords from government and critical infrastructure organizations. The advisory attributes the activity to APT28, linked to GRU military intelligence unit 26165, and explains that the actors overwrite the routers' DHCP and DNS settings so that victims' traffic is redirected through attacker-controlled servers.
The technique enables adversary-in-the-middle attacks that harvest passwords, OAuth tokens, and other authentication credentials. The campaign targets vulnerable routers across government networks and critical infrastructure, giving the actors long-term, persistent access to sensitive communications.
Organizations should verify router configurations, monitor for unexpected DNS changes, and enforce multi-factor authentication to mitigate credential theft risks from this campaign.
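One way to act on the "monitor for unexpected DNS changes" advice is to audit the resolvers a router's DHCP server is handing out against the resolvers the organization actually operates. This is an added example, not part of the NCSC advisory or of the article's sources; the lease records and the approved resolver range are constructed values.

```python
import ipaddress
import re

# Constructed sample of dhclient-style lease records (not real data). The second
# lease advertises a resolver outside the corporate range, the kind of change a
# router whose DHCP/DNS settings have been overwritten would produce.
SAMPLE_LEASES = """
lease {
  fixed-address 10.0.12.40;
  option routers 10.0.12.1;
  option domain-name-servers 10.0.0.53, 10.0.0.54;
}
lease {
  fixed-address 10.0.12.40;
  option routers 10.0.12.1;
  option domain-name-servers 10.0.0.53, 203.0.113.77;
}
"""

# Networks hosting the resolvers the organization operates (assumed for this example).
APPROVED_RESOLVER_NETS = [ipaddress.ip_network("10.0.0.0/24")]

_DNS_OPTION = re.compile(r"option domain-name-servers\s+([^;]+);")

def parse_dhcp_dns(lease_text):
    """Return the DNS server list advertised by each lease, in file order."""
    return [[ip.strip() for ip in m.group(1).split(",")]
            for m in _DNS_OPTION.finditer(lease_text)]

def unexpected_resolvers(servers, approved_nets=None):
    """Return the servers that fall outside every approved resolver network."""
    nets = approved_nets or APPROVED_RESOLVER_NETS
    return [ip for ip in servers
            if not any(ipaddress.ip_address(ip) in net for net in nets)]

def audit_leases(lease_text):
    """Return (lease_index, unexpected_servers) for each lease that needs review."""
    findings = []
    for idx, servers in enumerate(parse_dhcp_dns(lease_text)):
        bad = unexpected_resolvers(servers)
        if bad:
            findings.append((idx, bad))
    return findings

if __name__ == "__main__":
    for idx, bad in audit_leases(SAMPLE_LEASES):
        print(f"lease {idx}: unexpected DNS server(s) {bad}")
```

Running the same check on a schedule against each DHCP client's current lease, and alerting when a new resolver appears, turns a one-off configuration review into the ongoing monitoring the advisory recommends.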
Sources
APT28 Exploits Routers to Enable DNS Hijacking Operations
APT28 Exploits Routers for DNS Hijacking Attacks