The National Cyber Security Centre has issued an urgent warning to UK organisations after discovering that Russian state-sponsored cyber actors are exploiting vulnerable routers to conduct sophisticated DNS hijacking operations. The alert comes as part of a coordinated international response to what security experts describe as an adversary-in-the-middle attack campaign designed to steal passwords and authentication tokens from targeted networks across the United Kingdom and allied nations.
Advanced Persistent Threat Group Exploits Network Infrastructure
The cyber campaign has been attributed to APT28, a notorious Russian state-sponsored hacking group that has been actively targeting critical infrastructure and government networks for years. According to the NCSC advisory released in early April 2026, the threat actors are leveraging security weaknesses in enterprise and consumer routers to redirect Domain Name System traffic through attacker-controlled servers. This technique allows the hackers to position themselves between legitimate users and their intended online destinations, effectively creating an invisible surveillance point where sensitive credentials and authentication data can be harvested without detection.
How the DNS Hijacking Attack Works
The attack methodology represents a significant escalation in the sophistication of state-sponsored cyber operations targeting British organisations. When successful, the DNS hijacking allows APT28 operatives to intercept and manipulate internet traffic at the most fundamental level of network communications. Domain Name System services act as the internet directory that translates human-readable website addresses into the numerical IP addresses that computers use to communicate. By compromising this essential function through vulnerable routers, the Russian cyber actors can redirect users to malicious servers without raising immediate suspicion, as the web addresses appear legitimate to end users.
Widespread Implications for UK Cyber Defence
The NCSC has emphasised that this threat affects a broad range of UK organisations, from small businesses to large enterprises that rely on vulnerable router hardware for their network infrastructure. Security researchers have noted that many routers, particularly older models or those that have not received recent firmware updates, contain exploitable vulnerabilities that APT28 has weaponised for this campaign. The stolen passwords and authentication tokens can subsequently be used to gain unauthorised access to corporate networks, government systems, email accounts, cloud services and other protected resources, potentially leading to data breaches, espionage operations or the deployment of additional malware.
International Coordination Against Cyber Threat
The advisory represents a collaborative effort between the NCSC and its international partners to alert organisations and individuals about the ongoing threat. Alongside the UK agency, cybersecurity organisations from multiple allied nations have contributed intelligence and threat analysis to understand the full scope of the APT28 operation. This coordinated response reflects the growing recognition among Western intelligence and security agencies that state-sponsored cyber threats require multinational cooperation to effectively detect, disrupt and mitigate. The sharing of threat intelligence and attack indicators allows organisations across multiple countries to strengthen their defences against common adversaries operating at scale.
Recommended Security Measures for Organisations
In response to the threat, the NCSC is urging UK organisations to take immediate action to secure their network infrastructure. Primary recommendations include ensuring all routers and network equipment are running the latest firmware versions with all available security patches applied. Organisations should conduct thorough audits of their router configurations to identify any unauthorised changes to DNS settings that might indicate compromise. Additionally, the implementation of strong authentication mechanisms, network segmentation and continuous monitoring of DNS traffic patterns can help detect and prevent these types of adversary-in-the-middle attacks before credentials are compromised.
Broader Context of Russian Cyber Operations
This DNS hijacking campaign is part of a broader pattern of aggressive cyber activity attributed to Russian state actors targeting UK interests. APT28, also known by various other names in the cybersecurity community, has been linked to numerous high-profile cyber espionage and disruption operations over the past decade. The group has demonstrated consistent technical capabilities and access to significant resources that enable sustained campaigns against Western governments, critical infrastructure providers, defence contractors and private sector organisations. The current router exploitation campaign showcases the threat actors continuing evolution in tactics, moving beyond traditional phishing and malware distribution to compromise fundamental internet infrastructure components.
Impact on Password Security and Authentication
The theft of authentication tokens represents a particularly serious dimension of this cyber threat. Modern authentication systems increasingly rely on tokens rather than passwords alone to verify user identity, with these tokens often providing access to multiple services through single sign-on systems. When APT28 operatives successfully intercept these credentials through DNS hijacking, they can potentially bypass even sophisticated security measures including multi-factor authentication in certain configurations. Organisations must therefore assume that credentials intercepted through these means may already be compromised and should implement credential rotation policies, enhanced monitoring of authentication patterns and zero-trust security architectures that assume network traffic may be hostile.
Long-term Implications for UK Cybersecurity
The revelation of this campaign underscores the persistent and evolving nature of state-sponsored cyber threats facing UK organisations. As businesses and government agencies continue to digitalise their operations and rely more heavily on internet-connected systems, the attack surface available to sophisticated threat actors continues to expand. The NCSC warning serves as a reminder that cybersecurity cannot be treated as a one-time investment but requires ongoing vigilance, regular security updates and adaptive defence strategies that anticipate new attack vectors. Organisations that fail to maintain current security standards on all components of their network infrastructure, including often-overlooked devices like routers, risk becoming entry points for advanced persistent threats that can compromise not only their own systems but potentially those of partners, suppliers and customers throughout their digital ecosystem.