NCSC warns of mass data theft by Russian hackers exploiting vulnerable routers

On April 7, 2026, the UK’s National Cyber Security Centre (NCSC) issued a technical advisory regarding a new campaign by the Russian hacking group APT28. The group, which British intelligence links with high confidence to Russia’s military intelligence service, is exploiting vulnerabilities in home and office routers to intercept internet traffic and steal user credentials.

The hackers compromise routers—particularly TP-Link and MikroTik models—by altering DHCP and DNS settings. As a result, all user traffic is redirected through attacker-controlled DNS servers hosted on virtual infrastructures. This enables “adversary-in-the-middle” attacks, allowing the interception of passwords, Microsoft Office authentication tokens, and other sensitive data, bypassing two-factor authentication.

According to NCSC and Black Lotus Labs (Lumen) researchers, the campaign is broad and opportunistic: attackers first infect thousands of routers worldwide, then select their most interesting espionage targets. The operation affects both individual users and organizations. The group previously shifted its tactics after earlier NCSC warnings—from targeted malware attacks to mass DNS configuration manipulation.

NCSC protection recommendations:

Update router firmware to the latest versions and apply all available patches.

Disable or strictly limit remote access to router management interfaces.

Change default passwords and SNMP community strings.

Use modern router models and avoid outdated devices (many vulnerable TP-Link routers have reached end of life and no longer receive updates).

Organizations should monitor network traffic for suspicious DNS requests and implement network segmentation measures.
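An added example of the monitoring the last recommendation describes; it is not part of the NCSC advisory. It flags clients whose DNS traffic goes to resolvers outside an expected set (the symptom of altered router DNS settings) and parses the DNS-server option from a DHCP offer to catch the altered DHCP configuration directly. The resolver addresses, flow records and DHCP bytes are constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Constructed example values: resolvers the organisation expects clients to use.
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed flow records (timestamp, source, destination, dst port) in the
# shape a firewall or NetFlow export might produce.
SAMPLE_FLOWS = """\
2026-04-07T09:00:01Z 10.0.5.21 10.0.0.53 53
2026-04-07T09:00:05Z 10.0.5.21 198.51.100.7 53
2026-04-07T09:00:07Z 10.0.5.21 198.51.100.7 53
2026-04-07T09:00:09Z 10.0.5.24 203.0.113.9 53
2026-04-07T09:00:10Z 10.0.5.22 10.0.0.53 443
"""

def unexpected_dns_resolvers(flows_text, expected=EXPECTED_RESOLVERS):
    """Map each client to the non-expected resolvers it sent port-53 traffic to.
    Clients behind a router with altered DHCP/DNS settings show up here."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in filter(None, flows_text.splitlines()):
        _ts, src, dst, port = line.split()
        if port == "53" and dst not in expected:
            findings[src][dst] += 1
    return {client: dict(res) for client, res in findings.items()}

def dhcp_dns_servers(options):
    """Extract DNS servers (option 6) from a DHCP OFFER/ACK options field,
    walking the type-length-value list up to the End marker (255)."""
    i, servers = 0, []
    while i < len(options) and options[i] != 255:
        if options[i] == 0:                 # Pad option has no length byte
            i += 1
            continue
        code, length = options[i], options[i + 1]
        value = options[i + 2:i + 2 + length]
        if code == 6:                       # Domain Name Server option
            servers += [str(ipaddress.ip_address(value[j:j + 4]))
                        for j in range(0, len(value), 4)]
        i += 2 + length
    return servers

# Constructed options blob: subnet mask (option 1), two DNS servers (option 6), End.
SAMPLE_DHCP_OPTIONS = (bytes([1, 4, 255, 255, 255, 0]) + bytes([6, 8, 10, 0, 0, 53])
                       + bytes([198, 51, 100, 7, 255]))

def rogue_dhcp_dns(options, expected=EXPECTED_RESOLVERS):
    """DNS servers handed out by DHCP that the organisation did not configure."""
    return [s for s in dhcp_dns_servers(options) if s not in expected]
```

In practice the flow input would come from a firewall or NetFlow export and the options bytes from a captured DHCP OFFER, with the expected set taken from the organisation's own resolver inventory.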

NCSC Operations Director Paul Chichester stressed that such activity demonstrates how vulnerabilities in common networking devices can be exploited by sophisticated hostile actors for large-scale spying.

The advisory was issued amid growing concern among Western intelligence agencies over cyber threats originating from Russia. Both individuals and companies are urged to check their routers immediately and follow NCSC’s official guidance.