NCSC advisory on routers

by Mark Rowe

The UK's National Cyber Security Centre (NCSC), part of the security agency GCHQ, has published a new advisory describing how Russian cyber actors have compromised commonly used routers, allowing them to covertly re-route users' internet traffic through malicious servers under their control.

The new advisory warns that Russian state cyber group APT28 has exploited vulnerable internet routers to enable Domain Name System (DNS) hijacking operations, giving the attackers the ability to intercept traffic and harvest login credentials, including passwords and access tokens, from personal web and email services.

Paul Chichester, NCSC Director of Operations, said: “This activity demonstrates how exploited vulnerabilities in widely used network devices can be leveraged by sophisticated hostile actors. We strongly encourage organisations and network defenders to familiarise themselves with the techniques described in the advisory and to follow the mitigation advice. The NCSC will continue to expose Russian malicious cyber activity and provide practical guidance to help protect UK networks.”
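The advisory's core mechanism is a compromised router handing clients attacker-controlled DNS resolvers so that logins to web and email services can be intercepted. The following is an added defender-side check, not code from the NCSC advisory or from this article: it flags resolvers that differ from an organisation's allowlist and compares answers from the host's configured resolver against a trusted reference resolver. All addresses, hostnames and answer sets are constructed sample data.

```python
"""Detect indicators of router-level DNS hijacking (added example, constructed data).

Two checks a network defender can run from an endpoint or monitoring host:
  1. the resolvers advertised by the router (DHCP/RA or device config) must be on
     an allowlist; a hijacked router commonly swaps them for attacker servers;
  2. answers from the configured resolver should overlap with answers from a
     trusted reference resolver queried out of band.
"""

# Constructed: resolvers the organisation expects its routers to advertise.
EXPECTED_RESOLVERS = {"192.0.2.53", "2001:db8::53"}


def unexpected_resolvers(observed, expected=EXPECTED_RESOLVERS):
    """Return advertised resolver addresses that are not on the allowlist."""
    return sorted(r for r in observed if r not in expected)


def divergent_answers(local, reference):
    """Compare A-record answer sets per name: {name: set_of_ips}.

    Returns {name: (local_ips, reference_ips)} for names whose answer sets
    share no address at all. Partial overlap is treated as benign, because CDNs
    legitimately return different but overlapping address pools; an empty local
    answer is not flagged here (it is a resolution failure, not a redirect).
    """
    findings = {}
    for name, ref_ips in reference.items():
        loc_ips = local.get(name, set())
        if loc_ips and not (loc_ips & ref_ips):
            findings[name] = (sorted(loc_ips), sorted(ref_ips))
    return findings


def report(observed_resolvers, local, reference):
    """Combine both checks into a list of human-readable findings."""
    lines = [f"unexpected resolver: {r}" for r in unexpected_resolvers(observed_resolvers)]
    for name, (loc, ref) in divergent_answers(local, reference).items():
        lines.append(f"answer mismatch for {name}: local={loc} reference={ref}")
    return lines


# Constructed sample: the router now advertises an unknown resolver, and the
# webmail host resolves to an address the reference resolver never returns.
SAMPLE_RESOLVERS = {"192.0.2.53", "198.51.100.7"}
SAMPLE_LOCAL = {"mail.example.com": {"203.0.113.9"}, "www.example.com": {"192.0.2.10"}}
SAMPLE_REFERENCE = {"mail.example.com": {"192.0.2.25"}, "www.example.com": {"192.0.2.10", "192.0.2.11"}}

if __name__ == "__main__":
    for finding in report(SAMPLE_RESOLVERS, SAMPLE_LOCAL, SAMPLE_REFERENCE):
        print(finding)
```

In practice the `local` dictionary would be filled from queries to the resolver the router handed out and `reference` from a resolver reached over an independent, authenticated path (for example DNS over TLS to a known server).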

Comment

Alan Stewart-Brown, VP EMEA at Opengear, commented that the impact can be much bigger than "someone hacked into my Wi-Fi". He said: "Routers and other distributed edge devices now sit across dispersed sites, remote locations and unmanaged environments. As a result, they are much harder to secure through conventional means, and therefore a highly attractive target for cyber criminals to exploit.

“Legacy security assumes organisations can define and defend a clear boundary between trusted internal systems and untrusted external networks. Essentially, trusting everything that has connected via internal switches, assuming that if a connection has made it past the perimeter defences, it can be trusted. This assumption is now catastrophically wrong.

“Once compromised, they can be used to redirect traffic, harvest credentials and create a foothold for wider intrusion, all without ever needing to break through a traditional perimeter. Another prime example of traditional security failing at the edge was discovered by CISA in 2024 when malicious actors linked to Volt Typhoon exploited a vulnerability in a network perimeter FortiGate 300D firewall that was not patched.

“They used it to compromise a domain admin account, then leveraged a separate vulnerability to gain administrative access, create a new user account, and establish persistence, so that even restarting the device would not remove them. This is a textbook example of an unpatched edge device becoming the entire breach vector.

“The deeper problem is that software-based management often fails exactly when it is needed most. When the software layer is compromised or becomes unresponsive, organisations can lose visibility and control. That is why secure, independent out-of-band access matters. It gives authorised teams a separate way to reach, isolate and recover infrastructure when the main network path or software stack cannot be trusted.” 