NCSC warns of Russian-linked hackers hijacking home and business routers

The activity enables attackers to intercept sensitive data

The UK has accused Russian military intelligence-linked hackers of exploiting vulnerable internet routers to carry out cyberattacks, in a new advisory issued by the National Cyber Security Centre (NCSC).

The NCSC alert, published yesterday, says the group known as APT28 has been compromising widely used network devices to reroute internet traffic through servers under its control. Officials say the activity enables attackers to intercept sensitive data, including passwords and access tokens, from email and web services.

According to the NCSC, the hackers are using a technique known as Domain Name System (DNS) hijacking.

DNS acts as the internet's directory, translating familiar website names into numerical IP addresses. By interfering with this process, attackers can silently redirect users to fraudulent websites designed to harvest login credentials.

The advisory suggests the campaign is "opportunistic", with attackers targeting large numbers of devices before narrowing their focus to individuals or organisations of intelligence interest.

Long-running cyber threat

APT28 has been active for more than a decade and has previously been linked by UK authorities to Russia's military intelligence agency, specifically Unit 26165.

Also known by aliases such as Fancy Bear and Sofacy, the group has been associated with cyber espionage campaigns targeting governments, military organisations and technology firms. In earlier incidents, it was accused of deploying advanced malware and conducting operations against Western logistics and technology sectors.

Paul Chichester, the NCSC's Director of Operations, said the latest findings highlighted how everyday technology could be exploited.

"This activity demonstrates how exploited vulnerabilities in widely used network devices can be leveraged by sophisticated hostile actors," he said.

"We strongly encourage organisations and network defenders to familiarise themselves with the techniques described in the advisory and to follow the mitigation advice."

The NCSC has urged businesses and individuals to take steps to protect their systems.

Key recommendations include securing management interfaces so they are not exposed to the internet, regularly updating software and devices, and implementing multi-factor authentication to reduce the impact of stolen passwords.

The agency also advises organisations to monitor networks for suspicious activity and consider using intrusion detection systems to identify potential breaches.

Rise in cyber threats

In October, the NCSC reported a sharp rise in cyber threats in its annual review, warning that incidents had reached a nine-year high, with a significant increase in the most serious attacks.

The period up to August 2025 saw the highest level of cyber activity recorded by the agency in nearly a decade. During that time, the NCSC responded to 204 nationally significant cyber incidents, more than double the 89 recorded the previous year.

Out of 429 total incidents handled, 18 were classified as "highly significant" — meaning they posed a serious risk to essential services.

The NCSC said state-backed threats continue to originate primarily from China, Russia, Iran and North Korea, with much of the recent surge driven by ransomware attacks.

Government ministers joined the NCSC and the National Crime Agency (NCA) in issuing an open letter to senior leaders of major UK firms, including all members of the FTSE 350. The letter warned that the scale, pace and sophistication of cyber threats now require an "urgent collective response" to safeguard national and economic security.