UK exposes Russian cyber unit hacking home routers to hijack internet traffic
British security officials warned Tuesday that hackers linked to Russian military intelligence have been exploiting vulnerable internet routers to hijack web traffic and spy on victims, in what authorities described as a broad and ongoing cyberespionage campaign.
Officials said the activity centers on compromising small office and home office routers and similar network devices exposed to the internet, often because of weak security settings or outdated software.
In a technical advisory, experts from the National Cyber Security Centre (NCSC) — part of signals intelligence agency GCHQ — said the hackers have been observed altering router settings to redirect internet traffic through servers under their own control.
The group, widely known as Fancy Bear, BlueDelta and APT28, has been assessed to “almost certainly” be Unit 26165 of Russia’s GRU military intelligence agency — the highest confidence rating used by British intelligence.
Last year, a joint cybersecurity advisory co-sealed by more than 20 intelligence agencies accused the hacking group of being behind attempted digital break-ins at multiple Western logistics providers and technology firms supporting Ukraine.
The United Kingdom previously blamed the group for cyberattacks against the German parliament in 2015 and for an attempted operation against the Organisation for the Prohibition of Chemical Weapons in 2018, linked to efforts to disrupt analysis of a nerve agent used in an attempted assassination on British soil.
The advisory on Tuesday said the group was exploiting a number of TP-Link router models, although no other devices were named. These models are widely sold to consumers and small businesses and are not typically deployed as standard equipment by major internet service providers.
According to the NCSC, APT28 gains access in part by exploiting devices that use the Simple Network Management Protocol (SNMP) with default or weak “community strings,” which act as passwords. Many devices still rely on SNMP version 2, which lacks encryption, allowing attackers to intercept credentials and issue malicious commands remotely.
Once inside a router, the hackers can gather information about connected devices and map networks to identify further targets. They then modify Domain Name System (DNS) settings — which translate website names into IP addresses — enabling what cybersecurity experts call “adversary-in-the-middle” attacks.
This allows attackers to intercept sensitive data, including login credentials and authentication tokens, or redirect users to fraudulent websites.
The advisory also highlighted the group’s use of known software vulnerabilities in network equipment to maintain access and expand their reach.
Officials said the campaign appears opportunistic at first, with attackers scanning widely for vulnerable devices before focusing on targets of intelligence interest.
The NCSC urged organizations to secure management interfaces, restrict or disable SNMP where not required, upgrade to more secure versions of the protocol and apply security updates.
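The SNMP and DNS weaknesses described above map directly to those mitigations. As an added example (not code from the advisory or the article), the script below audits a router configuration dump for them; it assumes a constructed `key = value` config format, a short list of common default community strings, and an operator-supplied allowlist of trusted DNS resolvers.

```python
# Added example; assumes a constructed 'key = value' config dump and a DNS allowlist.
import ipaddress

# Assumption: these common default community strings, and any short one, count as weak.
WEAK_COMMUNITIES = {"public", "private", "admin", "snmp"}

def parse_config(text):
    """Parse 'key = value' lines; blank lines and '#' comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip().lower()] = value.strip()
    return cfg

def audit(cfg, trusted_dns):
    """Return findings mapped to the NCSC advice: SNMP hardening and DNS integrity."""
    findings = []
    if cfg.get("snmp_enabled", "no").lower() == "yes":
        version = cfg.get("snmp_version", "2c")
        if version != "3":  # v1/v2c carry the community string in cleartext
            findings.append(f"snmp: version {version} lacks encryption; use v3")
        community = cfg.get("snmp_community", "")
        if community.lower() in WEAK_COMMUNITIES or len(community) < 12:
            findings.append("snmp: community string is default or weak")
        if cfg.get("snmp_interface", "wan").lower() == "wan":
            findings.append("snmp: reachable from WAN; restrict to the management network")
    for server in cfg.get("dns_servers", "").split(","):
        server = server.strip()
        if not server:
            continue
        try:
            ip = str(ipaddress.ip_address(server))
        except ValueError:
            findings.append(f"dns: '{server}' is not a valid IP address")
            continue
        if ip not in trusted_dns:  # a silently changed resolver is the hijack signal to watch
            findings.append(f"dns: resolver {ip} is not on the trusted list")
    return findings

# Constructed sample: factory defaults left in place, then one resolver swapped out.
SAMPLE_CONFIG = ("snmp_enabled = yes\nsnmp_version = 2c\nsnmp_community = public\n"
                 "snmp_interface = wan\ndns_servers = 203.0.113.7, 9.9.9.9")
TRUSTED_DNS = {"9.9.9.9", "1.1.1.1"}

if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG), TRUSTED_DNS):
        print("FINDING:", finding)
```

Run periodically against exported configurations, a new DNS finding on a device that previously passed is the change worth investigating.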
Paul Chichester, the NCSC’s director of operations, said the activity shows how exploited weaknesses in widely used devices can be leveraged by state-backed actors.
“We strongly encourage organisations and network defenders to familiarise themselves with the techniques described in the advisory and to follow the mitigation advice. The NCSC will continue to expose Russian malicious cyber activity and provide practical guidance to help protect UK networks,” he said.
The disclosure comes as Western officials continue to warn that Russian cyber units are conducting sustained espionage campaigns against governments, infrastructure and organizations linked to Ukraine and its allies.
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow at the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal on: AlexanderMartin.79