
UK Flags Russian Group Exploiting Vulnerable Routers for Data Interception

UK cyber defense authorities have warned that a Russian state-linked hacking group is exploiting poorly secured internet hardware to conduct credential theft and traffic interception.

The National Cyber Security Centre said attackers are compromising widely used “edge devices” such as home and small office routers.

Once accessed, these devices can silently redirect internet traffic through attacker-controlled infrastructure.

The activity has been attributed to APT28, also known as Fancy Bear, Sofacy, or Sednit, which the UK attributes to Russia’s military intelligence service, specifically the GRU’s Military Unit 26165.

London has previously tied the group to cyber espionage campaigns targeting Western institutions, including logistics networks and technology firms.

Hijacking Through DNS

At the center of the operation is the Domain Name System (DNS), which resolves human-readable domain names into the IP addresses that devices actually connect to.

By tampering with DNS, attackers can redirect users to fraudulent websites that mimic legitimate platforms, allowing the attackers to capture login credentials such as usernames, passwords, and authentication tokens.

The operation starts broadly, scanning for vulnerable devices, then narrows to targets of intelligence value once access is gained.

Mitigation Measures

Authorities recommend a set of basic mitigation steps to reduce exposure.

These include restricting access to device management interfaces (in particular, not exposing them to the internet), applying regular firmware and software updates to address known vulnerabilities, and enabling multi-factor authentication to limit the impact of credential theft.

Additional measures include monitoring for unusual DNS changes and ensuring default passwords are replaced with strong, unique credentials.
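The two DNS checks implied above, verifying which resolvers a router is handing out and spotting a redirected login domain, are easy to script from a client on the affected network. The following is an added example, not code from the NCSC advisory or from any tool it names; the allow-list of expected resolvers, the watchlist of login domains and all sample data are constructed assumptions, using documentation IP ranges in place of real infrastructure.

```python
"""Added example: client-side detection of router-level DNS hijacking.

All addresses, domains and sample data below are constructed; the
allow-list and watchlist are assumptions, not values from the advisory.
"""
import ipaddress
from typing import Dict, Iterable, List, Set

# Resolvers this network is expected to hand out via DHCP (assumed: one
# internal resolver plus two well-known public ones).
EXPECTED_RESOLVERS: Set[str] = {"10.0.0.53", "1.1.1.1", "9.9.9.9"}

# Login portals whose answers are worth cross-checking (assumed watchlist).
WATCHLIST = ["login.example.com", "mail.example.com"]


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses from resolv.conf-style text.

    Comments and blank lines are skipped; a malformed address is ignored
    rather than raising, so one bad line cannot mask the others.
    """
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            try:
                found.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue
    return found


def unexpected_resolvers(configured: Iterable[str],
                         expected: Set[str] = EXPECTED_RESOLVERS) -> List[str]:
    """Resolvers present on the client that are not on the allow-list.

    A compromised router commonly pushes an attacker-controlled resolver
    through DHCP, so this is the first thing to look at.
    """
    return sorted(set(configured) - expected)


def divergent_answers(local: Dict[str, List[str]],
                      trusted: Dict[str, List[str]]) -> Dict[str, dict]:
    """Watchlist domains where the router-provided resolver disagrees with
    a trusted resolver queried directly.

    Both arguments map a name to the A records each resolver returned. CDN
    round-robin can legitimately differ, so a divergence is reported only
    when the two answer sets share no address at all.
    """
    findings = {}
    for name in WATCHLIST:
        a, b = set(local.get(name, [])), set(trusted.get(name, []))
        if a and b and a.isdisjoint(b):
            findings[name] = {"local": sorted(a), "trusted": sorted(b)}
    return findings


# Constructed sample: what a client behind a compromised router might see.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP from the router
nameserver 10.0.0.53
nameserver 198.51.100.7     # not on the allow-list
nameserver not-an-ip
"""

# Constructed answers: 198.51.100.0/24 stands in for attacker infrastructure,
# 203.0.113.0/24 for the legitimate service.
LOCAL_ANSWERS = {
    "login.example.com": ["198.51.100.20"],
    "mail.example.com": ["203.0.113.10", "203.0.113.11"],
}
TRUSTED_ANSWERS = {
    "login.example.com": ["203.0.113.5"],
    "mail.example.com": ["203.0.113.11"],
}


def run_checks() -> dict:
    """Run both checks over the constructed sample and return the findings."""
    resolvers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    return {
        "unexpected_resolvers": unexpected_resolvers(resolvers),
        "divergent_answers": divergent_answers(LOCAL_ANSWERS, TRUSTED_ANSWERS),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_checks(), indent=2))
```

In live use the two answer dictionaries would be filled by querying the same names once through the router-supplied resolver and once directly against a trusted resolver (or over DNS-over-HTTPS), and the checks would run on a schedule so that a resolver change pushed by DHCP is caught when it happens rather than when a user notices a login page that looks slightly wrong.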
