The National Cyber Security Centre (NCSC) has issued an urgent alert to UK organisations after identifying that the Russian state-sponsored actor known as APT28 is exploiting vulnerable routers to hijack DNS, enabling adversary-in-the-middle attacks and the theft of passwords and authentication tokens. The advisory marks a significant escalation in the threats facing British businesses and government bodies as hostile state actors continue to refine methods of compromising network infrastructure rather than individual endpoints.
How the APT28 Attack Works
The attack relies less on novel exploitation than on routers that have been left unpatched, exposed to the internet, or configured with weak or default credentials. Once a router is under their control, the threat actors change its DNS settings: either the router is made to hand out attacker-controlled resolvers to clients, or the router's own forwarding is pointed at them. Every name lookup from behind that router then passes through infrastructure the attackers operate, and for chosen domains they return forged answers that direct the client to a host they control. That host relays the connection to the legitimate service, which is the adversary-in-the-middle position: the user sees the expected site and the service sees a normal-looking session, while login credentials, authentication tokens and any other data in the exchange can be captured in transit. Properly validated TLS limits what such a relay can read, so the position is most dangerous for services reached over plain HTTP, for clients that accept untrusted certificates, and for any case in which the attackers can present a certificate the client trusts.
NCSC Response and Recommendations
The NCSC has moved quickly to alert British organisations and to provide guidance on protective measures. The alert advises UK organisations to take action following the identification of APT28 exploiting vulnerable routers as part of its ongoing campaign. Organisations should immediately audit their router estate for devices running outdated firmware, using default or shared credentials, or exposing management interfaces to the internet. Administrators should enforce strong authentication on router management, update firmware to current versions, confirm that the DNS servers each router uses and hands out over DHCP are the ones the organisation intends, and monitor DNS traffic for unexpected resolvers or answers that could indicate compromise.
The Growing Threat from Nation-State Actors
The APT28 campaign is part of a broader pattern of increasingly aggressive cyber operations attributed to Russian state-sponsored groups. These threat actors have historically targeted government agencies, critical infrastructure providers, defense contractors, and organisations involved in policy-making across Western nations. Router compromise and DNS hijacking sit alongside the group's long-running phishing campaigns rather than replacing them: an infrastructure-level foothold is harder to detect and yields traffic from every device behind the router, not just one recipient's mailbox. Security researchers note that compromising routers at the network edge allows attackers to maintain persistent access while remaining largely invisible to traditional security monitoring tools that focus on endpoint and application-layer threats, since edge devices rarely run endpoint agents and their logs are often not collected.
Impact on UK Organisations
The implications of this threat are substantial for UK organisations across all sectors. Compromised routers can serve as launching points for numerous follow-on attacks, including data exfiltration, ransomware deployment, and lateral movement within target networks. Authentication tokens captured in transit are especially valuable: a stolen session or OAuth token can be replayed from the attackers' own systems without the password or the multi-factor step that originally issued it, so the resulting access looks like a legitimate logged-in user and often raises no alert. The advisory comes at a time when many British businesses are already grappling with heightened cyber threats and the challenge of securing increasingly complex network environments that span cloud services, remote workers, and traditional on-premises infrastructure.
Immediate Actions Required
Cybersecurity professionals advise that organisations should treat this alert with the highest priority and implement protective measures immediately. Key steps include conducting comprehensive inventories of all network devices, particularly routers and other edge infrastructure that rarely receive the same security attention as servers and workstations. All default passwords should be changed to strong, unique credentials, management access should be restricted to trusted internal addresses rather than the WAN interface, and multi-factor authentication should be enabled on the administrative interface wherever the hardware supports it. Organisations should also review their DNS configuration, both the resolvers each router forwards to and the resolvers it advertises to clients via DHCP, to confirm traffic is reaching the intended servers, and should consider DNS security extensions (DNSSEC). Note that DNSSEC only helps where validation is performed by a resolver the clients actually use and trust; if clients have been redirected to an attacker's resolver, validation must happen on the endpoint or clients must be pinned to known resolvers over an authenticated transport such as DNS over TLS or HTTPS. Regular monitoring of router logs for unusual activity or configuration changes can provide early warning of potential compromise.
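The following is an added example, not code from the NCSC advisory or from the article, showing the checks described above and in the earlier section on how the attack works, run against a constructed router inventory and a constructed resolver log. The device names, model, firmware baseline, default-credential list, corporate resolver addresses, known-good service addresses and the log line format are all assumptions chosen for illustration; a real deployment would populate them from the organisation's own inventory, vendor advisories and an out-of-band resolver.

```python
# Added example (not from the NCSC advisory or the article): audit a constructed
# router inventory for the weaknesses named above and scan a constructed DNS log
# for answers that disagree with known-good addresses. All names, addresses,
# baselines and the log format are assumptions for illustration.
import re

# Assumed corporate resolvers that routers should use and advertise via DHCP.
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Assumed vendor default credentials (hypothetical list).
KNOWN_DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("admin", "")}

# Assumed minimum patched firmware per model (hypothetical model name).
MIN_FIRMWARE = {"ExampleRouter-X1": (2, 4, 1)}

# Constructed inventory: one clean device and one with several weaknesses.
ROUTERS = [
    {"name": "edge-1", "model": "ExampleRouter-X1", "firmware": "2.4.1",
     "admin_user": "admin", "admin_pass": "correct-horse-battery-staple",
     "dhcp_dns": ["10.0.0.53", "10.0.1.53"], "wan_mgmt": False},
    {"name": "branch-7", "model": "ExampleRouter-X1", "firmware": "2.1.0",
     "admin_user": "admin", "admin_pass": "admin",
     "dhcp_dns": ["198.51.100.23", "10.0.0.53"], "wan_mgmt": True},
]


def parse_version(text):
    """'2.4.1' -> (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def audit_router(router):
    """Return a list of findings for one device; an empty list means nothing found."""
    findings = []
    baseline = MIN_FIRMWARE.get(router["model"])
    if baseline is None:
        findings.append("unknown model: no firmware baseline")
    elif parse_version(router["firmware"]) < baseline:
        findings.append(f"outdated firmware {router['firmware']}")
    if (router["admin_user"], router["admin_pass"]) in KNOWN_DEFAULT_CREDS:
        findings.append("default admin credentials")
    rogue = set(router["dhcp_dns"]) - EXPECTED_RESOLVERS
    if rogue:
        # A router handing clients an unexpected resolver is the core of the
        # DNS hijack described above: every lookup now goes to the attacker.
        findings.append(f"DHCP advertises unexpected DNS server(s): {sorted(rogue)}")
    if router["wan_mgmt"]:
        findings.append("management interface reachable from WAN")
    return findings


def audit_inventory(routers):
    """Map each device name to its findings."""
    return {r["name"]: audit_router(r) for r in routers}


# Constructed resolver log, one answer per line: "<time> <client> <qname> A <answer>".
DNS_LOG = """\
10:01:02 10.0.5.21 login.example.com A 203.0.113.10
10:01:09 10.0.5.33 www.example.org A 203.0.113.44
10:02:15 10.0.5.21 login.example.com A 198.51.100.77
10:02:20 10.0.5.40 sso.example.com A 198.51.100.77
"""

# Assumed known-good addresses for credential-bearing services, ideally
# obtained from a resolver that does not sit behind the audited routers.
EXPECTED_ANSWERS = {
    "login.example.com": {"203.0.113.10"},
    "sso.example.com": {"203.0.113.11"},
}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) A (\S+)$")


def find_hijacked_answers(log_text, expected=EXPECTED_ANSWERS):
    """Return (time, client, qname, answer) for answers outside the known-good
    set. Names not in the allowlist are ignored; unparsable lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, answer = m.groups()
        good = expected.get(qname.lower())
        if good is not None and answer not in good:
            hits.append((ts, client, qname, answer))
    return hits


if __name__ == "__main__":
    for name, findings in audit_inventory(ROUTERS).items():
        print(name, findings or "OK")
    for hit in find_hijacked_answers(DNS_LOG):
        print("possible hijack:", hit)
```

Two design points matter here. The DHCP check compares what the router advertises, not just what the router itself uses, because clients behind a hijacked router are the ones whose lookups get redirected. The log check only flags names whose correct addresses are known in advance; that allowlist has to come from somewhere the attacker cannot influence, otherwise the comparison is circular.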
Broader Cybersecurity Context
This latest warning underscores the evolving nature of cyber threats facing the United Kingdom and the critical importance of maintaining robust security practices across all aspects of network infrastructure. As threat actors continue to develop new techniques and target previously overlooked attack vectors, organisations must adopt a comprehensive approach to cybersecurity that extends beyond traditional perimeter defenses. The NCSC continues to work with international partners to track APT28 activities and provide timely intelligence to help British organisations defend against these sophisticated threats. Security experts emphasize that vigilance, regular security updates, and prompt response to advisory warnings remain essential components of effective cyber defense in an increasingly hostile digital environment.