NCSC Issues Alert over Russian Hacker Campaign Targeting SOHO Routers

ITPro, Apr 8, 2026

Why It Matters

Compromised routers provide a low‑cost foothold for state‑sponsored actors to infiltrate enterprise networks, amplifying the threat to remote workforces and supply‑chain partners.

Key Takeaways

  • APT28 hijacks SOHO routers to redirect DNS and steal credentials
  • Campaign targets email and web logins via man‑in‑the‑middle attacks
  • Microsoft reports over 5,000 consumer devices compromised
  • NCSC urges MFA, patching, and intrusion detection for routers
  • Threat actors exploit low‑profile devices to pivot into enterprise networks

Pulse Analysis

The UK’s National Cyber Security Centre has linked two fresh campaigns to APT28, the Russian GRU‑backed group better known as Fancy Bear. By compromising small‑office/home‑office (SOHO) routers, the actors gain control of DNS settings, allowing them to reroute traffic through malicious name servers. This enables real‑time man‑in‑the‑middle interception of login pages for popular web and email services, where passwords, OAuth tokens and other credentials are harvested. The technique builds on the group’s long‑standing playbook of exploiting network infrastructure to bypass traditional perimeter defenses.

The group’s earlier intrusions into the German parliament in 2015 and the OPCW in 2018 demonstrate its capability to target high‑value political institutions. Microsoft’s parallel warning confirms the scale of the operation, citing more than 200 compromised organisations and roughly 5,000 consumer devices linked to the malicious DNS infrastructure. The focus on edge devices such as MikroTik and TP‑Link routers reflects a broader shift in cyber‑espionage: attackers favour low‑profile hardware that often escapes rigorous patch management. Once a router is subverted, threat actors can pivot from a single home workstation into corporate networks, amplifying the risk to supply‑chain partners and remote workforces that rely on the same broadband equipment.

The NCSC advisory urges organisations to harden router management interfaces, enforce multi‑factor authentication and deploy host‑based intrusion detection. Regular firmware updates and network‑segmentation policies can also limit the blast radius of a compromised device. For businesses with distributed workforces, adopting a zero‑trust model that treats every endpoint as untrusted becomes essential. As state‑sponsored groups continue to weaponise everyday infrastructure, proactive monitoring and rapid patch cycles will be the decisive factors that separate resilient enterprises from vulnerable ones.
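The DNS hijack described above leaves a detectable trace on the victim host: the resolver it was handed is not one the organisation operates, and the login hostnames of unrelated services start resolving to the same interception address. The following audit is an added example written for this article, not code from the NCSC, Microsoft or any vendor; the resolver allowlist, the watched hostnames and all answers are constructed sample data.

```python
"""Heuristic check for router-level DNS redirection of login portals.

Compares the A records a host obtains from its configured (DHCP-assigned)
resolver with answers from a trusted resolver and flags the patterns a
redirect-to-interception setup produces.  All data below is constructed.
"""
from collections import defaultdict

# Resolvers the organisation expects its hosts to use (assumed allowlist).
TRUSTED_RESOLVERS = {"10.0.0.53", "1.1.1.1"}

# Hypothetical login hostnames worth watching; real deployments would use
# the organisation's own mail, SSO and collaboration portals.
WATCHED_HOSTS = ["mail.example.com", "login.example.net", "sso.example.org"]


def audit(configured_resolver, local_answers, trusted_answers):
    """Return a list of findings; an empty list means nothing suspicious.

    local_answers / trusted_answers map hostname -> list of IPv4 strings.
    Note: CDN-backed services can legitimately answer differently per
    resolver, so mismatches are leads for investigation, not proof.
    """
    findings = []
    if configured_resolver not in TRUSTED_RESOLVERS:
        findings.append(f"unexpected resolver {configured_resolver}")
    # Heuristic 1: local answer shares no address with the trusted answer.
    for host in WATCHED_HOSTS:
        local = set(local_answers.get(host, []))
        trusted = set(trusted_answers.get(host, []))
        if local and trusted and local.isdisjoint(trusted):
            findings.append(f"{host}: local {sorted(local)} vs trusted {sorted(trusted)}")
    # Heuristic 2: unrelated login hosts collapsing onto one address,
    # the signature of a single man-in-the-middle box behind a rogue resolver.
    by_ip = defaultdict(set)
    for host in WATCHED_HOSTS:
        for ip in local_answers.get(host, []):
            by_ip[ip].add(host)
    for ip, hosts in sorted(by_ip.items()):
        if len(hosts) > 1:
            findings.append(f"{ip} serves {len(hosts)} watched hosts: {sorted(hosts)}")
    return findings


# Constructed sample: what a trusted resolver returns ...
SAMPLE_TRUSTED = {
    "mail.example.com": ["198.51.100.10"],
    "login.example.net": ["198.51.100.20"],
    "sso.example.org": ["198.51.100.30"],
}
# ... and what a hijacked router's name server hands back: every watched
# login host steered to one interception address (TEST-NET-3, constructed).
SAMPLE_HIJACKED = {h: ["203.0.113.7"] for h in WATCHED_HOSTS}


def suspicious_case():
    """Run the audit against the constructed hijack scenario."""
    return audit("203.0.113.53", SAMPLE_HIJACKED, SAMPLE_TRUSTED)
```

In practice the local answers come from a scheduled lookup on each endpoint and the trusted answers from a resolver reached over a path the router cannot rewrite; a non-empty result is a reason to inspect the router's DNS settings and firmware rather than a verdict on its own.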
