Russian Cyber Unit Hijacks Home Routers to Snoop on Global Web Traffic, UK Warns
State-backed hackers exploit consumer routers for mass-scale espionage, risking widespread credential theft and network compromise.
Picture this: your home or office Wi-Fi router, silently rerouted by a foreign intelligence agency, becomes a secret gateway for spies to eavesdrop on your emails, passwords, and confidential documents. This isn’t a scene from a cyber-thriller - according to the UK’s National Cyber Security Centre (NCSC), it’s a growing reality as Russian state-backed hackers ramp up attacks on everyday internet infrastructure.
Fast Facts
- APT28, linked to Russian military intelligence, is hijacking consumer routers to redirect internet traffic through attacker-controlled servers.
- The campaign exploits known vulnerabilities in brands like TP-Link and MikroTik, targeting both individuals and organizations of intelligence value.
- By manipulating DNS settings, attackers intercept web and email traffic, harvesting passwords and authentication tokens.
- Compromised routers serve as scalable entry points for espionage, credential theft, and further cyber operations.
- The NCSC urges immediate action: patch devices, secure interfaces, and monitor for signs of compromise.
The Anatomy of a Router Hijack
The NCSC’s latest advisory reads like a blueprint for digital subterfuge. Known variously as APT28, Fancy Bear, or Forest Blizzard, the Russian General Staff’s 85th Main Special Service Centre is accused of systematically scanning the internet for exposed routers - especially popular small office/home office (SOHO) models. Once an exploitable device is found, the attackers use public vulnerabilities (such as CVE-2023-50224 in TP-Link routers) to quietly seize control.
The operation is two-pronged. First, the hackers use specially crafted HTTP requests to extract admin credentials from the router. With these in hand, they alter DNS and DHCP settings, rerouting all future web and email queries through servers they control. Sometimes, both the primary and secondary DNS are set to malicious addresses, suggesting repeated compromises.
The scale is staggering: the attackers have reportedly configured entire fleets of rented virtual private servers (VPSs) to handle DNS requests from compromised routers, selectively intercepting only the traffic most valuable for espionage - like corporate login pages or email services. In targeted cases, especially in Ukraine, the attackers engage in real-time “adversary-in-the-middle” attacks to actively steal credentials as users log in.
This method is uniquely insidious. Unlike phishing or malware, users may never notice anything amiss - their devices inherit the malicious DNS settings automatically, and only certain sensitive traffic is redirected. The attackers’ infrastructure is modular, making their campaign highly scalable and difficult to trace.
Defensive Lines: What Can Be Done?
The NCSC’s message is clear: the best defense is vigilance and modernization. Secure router management interfaces, keep firmware updated, and never expose administrative panels to the public internet. Organizations should adopt network architectures that limit privileged access, deploy application allowlisting, implement multi-factor authentication, and foster a culture where suspicious activity is swiftly reported and investigated.
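As an added illustration (not part of the NCSC advisory or this article), the following Python audit applies the indicators described above on a client behind a SOHO router: it parses the DNS servers the router handed out via DHCP, flags the case where both primary and secondary resolvers point somewhere unexpected, and compares answers for sensitive hostnames against an independent resolver to surface selective redirection. It assumes a Linux dhclient lease file; the lease text, trusted ranges and resolver answers are constructed samples in documentation address space.

```python
import ipaddress
import re

# Constructed sample of a Linux dhclient lease (as written under /var/lib/dhcp/): the router
# handed out two resolvers in documentation space, neither the router itself nor the ISP range.
SAMPLE_LEASE = """lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option routers 192.168.1.1;
  option domain-name-servers 203.0.113.7,198.51.100.9;
}
"""

def parse_lease_dns(lease_text):
    """Return the domain-name-servers from the last lease block in the file."""
    found = re.findall(r"option domain-name-servers\s+([0-9.,\s]+);", lease_text)
    return [s.strip() for s in found[-1].split(",") if s.strip()] if found else []

def unexpected_dns(servers, trusted_cidrs):
    """Resolvers outside the trusted set (router LAN address, known ISP/corporate resolvers)."""
    nets = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    return [s for s in servers if not any(ipaddress.ip_address(s) in n for n in nets)]

def selective_redirects(dhcp_answers, independent_answers):
    """Hostnames where the DHCP-supplied resolver disagrees with an independent one.
    CDN-fronted hosts vary by vantage point, so treat hits as leads to confirm, not proof."""
    return sorted(h for h, a in dhcp_answers.items()
                  if h in independent_answers and set(a) != set(independent_answers[h]))

def audit(lease_text, trusted_cidrs, dhcp_answers, independent_answers):
    """Combine both checks into a list of human-readable findings."""
    servers = parse_lease_dns(lease_text)
    bad = unexpected_dns(servers, trusted_cidrs)
    findings = []
    if bad and len(servers) >= 2 and len(bad) == len(servers):
        # The advisory's pattern: primary and secondary both pointed away from the expected resolver.
        findings.append("both primary and secondary DNS unexpected: " + ", ".join(bad))
    elif bad:
        findings.append("unexpected DNS server(s): " + ", ".join(bad))
    for host in selective_redirects(dhcp_answers, independent_answers):
        findings.append("resolver disagreement for %s (possible selective redirection)" % host)
    return findings

if __name__ == "__main__":
    # Constructed answers: only the mail portal differs between the two resolvers.
    from_dhcp_dns = {"mail.example.com": ["203.0.113.50"], "www.example.org": ["198.51.100.20"]}
    from_independent = {"mail.example.com": ["198.51.100.40"], "www.example.org": ["198.51.100.20"]}
    for line in audit(SAMPLE_LEASE, ["192.168.1.1/32", "192.0.2.0/24"], from_dhcp_dns, from_independent):
        print(line)
```

To run the second check for real, populate the two answer dictionaries from `dig @<dhcp-resolver>` and `dig @<independent-resolver>` for the login and mail hosts your organisation cares about.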
With similar alerts from U.S. agencies and a renewed focus on encrypted DNS protocols, the stakes are higher than ever. As cyber conflict moves from the datacenter to the living room, everyone - from IT administrators to home users - must treat their routers as frontline assets in the ongoing battle for digital security.
Reflections
The silent compromise of home routers by sophisticated nation-state actors is no longer a hypothetical risk. In a world where every device is a potential espionage tool, proactive defense and cyber hygiene are not just best practices - they’re essential for safeguarding personal and national security.
WIKICROOK
- APT28: APT28, or Fancy Bear, is a Russian state-backed hacking group known for cyber-espionage against Western governments and organizations.
- DNS Hijacking: DNS Hijacking is when attackers secretly alter DNS settings, redirecting users to fake or harmful websites without their knowledge to steal data or spread malware.
- Adversary: An adversary is any person or group attempting to breach computer systems or data, often for malicious purposes like theft or disruption.
- Virtual Private Server (VPS): A Virtual Private Server (VPS) is a rented online server with dedicated resources, often used for hosting websites or apps, requiring regular security updates.
- Firmware: Firmware is specialized software stored in hardware devices, managing their core operations and security, and enabling them to function properly.