NCSC Warns of Russian Military Intelligence Hijacking Vulnerable Routers to Steal Global Data
NCSC warns Russian APT28 hackers are exploiting routers to redirect traffic and steal Microsoft tokens. Learn the tactics and how to secure your network.
By: AXL Media
Published: Apr 8, 2026, 7:48 AM EDT
Source: Information for this report was sourced from the National Cyber Security Centre (NCSC-UK)

The Exploitation of Network Infrastructure
The UK National Cyber Security Centre (NCSC) has exposed a sophisticated campaign by the Russian military intelligence group APT28, also known as Fancy Bear or Forest Blizzard, targeting widely used network devices. According to the advisory released on Tuesday, the group is leveraging known vulnerabilities in routers to gain unauthorized access and modify core system configurations. By overwriting Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings, the hackers effectively take control of the "directory" that guides a user’s internet traffic, allowing them to redirect victims to malicious infrastructure without their knowledge.
Adversary-in-the-Middle Credential Theft
Once a router is compromised, APT28 employs an Adversary-in-the-Middle (AitM) technique to intercept unencrypted data. The NCSC reports that the actors have configured Virtual Private Servers (VPSs) to act as malicious DNS servers, which resolve requests for legitimate services—such as email login pages and cloud-hosted content—to IP addresses controlled by the GRU. This enables the theft of high-value authentication data, including passwords and OAuth tokens for Microsoft and web-based email services. Microsoft confirmed that while consumer devices were targeted, its own company-owned assets remained secure during the operation.
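The two indicators described above, rogue resolvers pushed via a router's DHCP offers and login-domain answers that diverge from a trusted resolver, can be checked from the LAN side. The following is an added example, not code from the NCSC advisory or from this article; the resolver allowlist, DHCP option bytes and DNS answers are constructed so it runs offline, and the IP addresses are documentation ranges, not real infrastructure.

```python
"""Flag DNS-hijack indicators on a home or branch router: DHCP option 6 (DNS
servers) outside an allowlist, and login-domain answers from the router's
resolver that a trusted resolver never returned. All inputs are constructed."""

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # every DHCP options field starts with this
OPT_PAD, OPT_DNS, OPT_END = 0, 6, 255

# Assumed: resolvers this network is supposed to hand out (local gateway + Quad9).
ALLOWED_RESOLVERS = {"192.168.1.1", "9.9.9.9", "149.112.112.112"}

def parse_dhcp_dns_servers(options: bytes) -> list[str]:
    """Walk the TLV options of a DHCP offer and return every option-6 address."""
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    i, servers = len(MAGIC_COOKIE), []
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:            # single-byte padding, no length field
            i += 1
            continue
        length = options[i + 1]
        value = options[i + 2 : i + 2 + length]
        if code == OPT_DNS:            # option 6 is a list of 4-byte IPv4 addresses
            servers += [".".join(map(str, value[j : j + 4])) for j in range(0, length, 4)]
        i += 2 + length
    return servers

def rogue_resolvers(servers: list[str], allowlist: set[str]) -> list[str]:
    """Resolvers the router advertised that are not on the allowlist."""
    return [s for s in servers if s not in allowlist]

def divergent_answers(configured: dict, trusted: dict) -> dict:
    """Domains where the router's resolver returned an address the trusted
    resolver did not. An indicator worth investigating, not proof of a hijack
    (CDN rotation can also cause differences)."""
    findings = {}
    for domain, addrs in configured.items():
        unexpected = set(addrs) - set(trusted.get(domain, ()))
        if unexpected:
            findings[domain] = sorted(unexpected)
    return findings

# Constructed DHCP offer options: msg type (53) = OFFER, DNS servers (6) = gateway + rogue host, END.
SAMPLE_OPTIONS = (MAGIC_COOKIE + b"\x35\x01\x02" + b"\x06\x08"
                  + bytes([192, 168, 1, 1, 203, 0, 113, 7]) + b"\xff")
# Constructed A-record answers: the router's resolver vs a trusted out-of-band resolver.
CONFIGURED_ANSWERS = {"login.microsoftonline.com": ["198.51.100.23"], "mail.example.com": ["203.0.113.40"]}
TRUSTED_ANSWERS = {"login.microsoftonline.com": ["198.51.100.23"], "mail.example.com": ["198.51.100.80"]}
```

In practice the trusted answers would come from a resolver reached over an independent path (for example DNS over TLS to a known provider), so that the router under suspicion cannot shape both sides of the comparison.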
Opportunistic Targeting and Narrowing Focus
The campaign is described by intelligence officials as "opportunistic" in nature, with the hackers initially "casting a wide net" over a broad range of potential victims. After gaining visibility into a massive pool of candidate targets, the group triages the victims to identify those of high intelligence value, such as government entities, military organizations, and critical infrastructure providers. Recent investigations, supported by the FBI and the US Department of Justice, identified that over 18,000 devices globally were potentially affected before law enforcement successfully remediated a significant portion of the network in the United States.