An elite unit of Russian military cyber hackers has been observed breaking into routers that are commonly used in the UK, allowing them to covertly reroute users’ internet traffic through malicious servers under their control, the UK’s National Cyber Security Centre has warned.
The NCSC said on Tuesday that Russian state cyber group APT28, a unit of Russian military intelligence, has exploited vulnerable internet routers to enable domain name system (DNS) hijacking operations, giving the attackers the ability to intercept traffic and steal passwords and access tokens from personal web and email services.
The security group named two companies, TP-Link and MikroTik, as being vulnerable to this method.
Paul Chichester, NCSC director of operations, said the findings “demonstrates how exploited vulnerabilities in widely used network devices” can be used by sophisticated cyber hackers, and urged companies and individuals to make sure they protect themselves. The NCSC listed measures that could mitigate the risks, including applying security updates and performing regular antivirus scans.
In this kind of attack, hackers interfere with the DNS process, which is what allows individuals to reach websites by typing familiar addresses. Users can be covertly sent to malicious websites designed to steal login details or other sensitive information.
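One way a defender can look for the kind of router-level DNS hijacking described above is to compare what the router-assigned resolver returns against a trusted reference resolver and to watch for many unrelated domains collapsing onto one address. The script below is an added example, not part of the FT article or of NCSC guidance; all names and IP addresses are constructed sample data, and no live lookups are made.

```python
"""Heuristic check for router-level DNS hijacking.

Compares answers from the resolver the router hands out (e.g. via DHCP)
against a trusted reference resolver, and flags addresses that many
unrelated names resolve to. Sample data below is constructed for
illustration; a real deployment would gather both answer sets live.
"""
from collections import defaultdict

# Constructed sample: answers returned by the router-assigned resolver.
ROUTER_ANSWERS = {
    "mail.example.com": "203.0.113.10",
    "login.example.net": "203.0.113.10",
    "bank.example.org": "203.0.113.10",
    "news.example.com": "198.51.100.20",
}

# Constructed sample: answers for the same names from a reference resolver
# queried directly, bypassing the router's DNS settings.
REFERENCE_ANSWERS = {
    "mail.example.com": "192.0.2.10",
    "login.example.net": "192.0.2.25",
    "bank.example.org": "192.0.2.40",
    "news.example.com": "198.51.100.20",
}


def find_mismatches(router, reference):
    """Names whose router-resolved address differs from the reference answer.
    CDN-backed names legitimately vary by location, so a mismatch alone is a
    reason to investigate, not proof of tampering."""
    return {name: (router[name], reference[name])
            for name in router
            if name in reference and router[name] != reference[name]}


def find_sinkholes(router, min_domains=2):
    """Addresses that unrelated domains collapse onto: a typical artefact of
    a hijacking resolver steering victims to a single interception server."""
    domains_by_ip = defaultdict(set)
    for name, ip in router.items():
        domains_by_ip[ip].add(name.split(".", 1)[1])  # crude parent-domain grouping
    return {ip for ip, domains in domains_by_ip.items() if len(domains) >= min_domains}


def assess(router, reference):
    """Combine both signals; a mismatch pointing at a sinkhole address is high confidence."""
    mismatches = find_mismatches(router, reference)
    sinkholes = find_sinkholes(router)
    high = {n for n, (router_ip, _) in mismatches.items() if router_ip in sinkholes}
    return {"mismatches": mismatches, "sinkholes": sinkholes, "high_confidence": high}


if __name__ == "__main__":
    print(assess(ROUTER_ANSWERS, REFERENCE_ANSWERS))
```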
The NCSC said that the activity is “likely opportunistic in nature,” with the hackers casting a wide net to reach many potential victims before narrowing in on targets of intelligence interest as the attack develops.
APT28 has been involved in some of the most sensational cyber attacks of the past few years. According to the NCSC, it is “almost certainly” the GRU, or Russian military intelligence, Unit 26165. It has been implicated in cyber attacks on the US Democratic National Committee, the German Bundestag and western logistics supporting Ukraine. It is known by a variety of call signs such as Forest Blizzard and Fancy Bear.
TP-Link and MikroTik could not immediately be reached for comment.
TP-Link has previously been identified by US experts as a target of major Chinese cyber operations uncovered in 2023 and 2024, the so-called Salt Typhoon and Volt Typhoon campaigns designed to penetrate the US.
According to a statement on the TP-Link website, the vulnerability of the company’s routers is a “myth”.
“According to publicly available information, Chinese threat actor campaigns, including Volt Typhoon, Salt Typhoon, and Flax Typhoon, have no discernible preference for using TP-Link routers as a vector. These actors have targeted a wide range of routers, from several different manufacturers,” the company statement said.
Last month, the US Federal Communications Commission banned new foreign-made consumer-grade internet routers, saying that they constituted a supply-chain vulnerability.
