Britain's National Cyber Security Centre (NCSC) has issued an urgent warning after exposing a sophisticated campaign by APT28 — a hacking group linked to Russian military intelligence — that has been hijacking vulnerable routers to intercept internet traffic on a massive scale.
The advisory, published on 9 April 2026, reveals that the group, also known as Fancy Bear and operating under Russia's GRU military intelligence directorate, has been exploiting unpatched routers belonging to businesses, government agencies, and critical infrastructure providers across the UK and allied nations.
By compromising these devices, the attackers were able to perform DNS hijacking — redirecting internet traffic through servers under their control — enabling them to intercept sensitive communications, steal credentials, and conduct long-term espionage without detection.
The NCSC said the campaign had been active for several years and targeted organisations across multiple sectors, including defence, energy, finance, and government. The agency urged all organisations to immediately apply firmware updates to their routers and review network configurations for signs of compromise.
Paul Chichester, NCSC Director of Operations, said: 'This advisory lays bare the lengths to which Russian military intelligence will go to conduct indiscriminate and opportunistic cyber operations globally. We urge all organisations to take immediate action to secure their network devices.'
The warning was issued jointly with cybersecurity agencies from the United States, Germany, France, and other NATO allies, underscoring the international scope of the threat. The UK government said it held Russia's GRU directly responsible for the campaign and called on Moscow to cease its malicious cyber activities.
Security experts have warned that many organisations continue to run routers with outdated firmware, leaving them exposed to well-documented vulnerabilities that APT28 has been systematically exploiting. The NCSC's advisory includes detailed technical indicators of compromise to help network defenders identify whether their infrastructure has been affected.
