
Russian cyber spies targeting consumer, Soho routers | Computer Weekly

By Computer Weekly
April 7, 2026


The UK’s National Cyber Security Centre (NCSC) and Microsoft have exposed an extensive Domain Name System (DNS) hijacking campaign against vulnerable consumer and small and home office (Soho) broadband routers conducted by the Russian cyber intelligence services.

Orchestrated by APT28 or Forest Blizzard – more widely known as Fancy Bear – the operations saw the threat actor alter the settings of compromised devices to reroute internet traffic through malicious servers under its control.

In this way, Fancy Bear was able to steal data such as login credentials, passwords and access tokens from personal web and email services belonging to its victims in a so-called adversary-in-the-middle (AiTM) attack.

The NCSC said the campaign was likely opportunistic, with Fancy Bear having cast a wide net to ensnare as many victims as possible. By targeting insecure home and small office equipment, Fancy Bear took advantage of less closely monitored or managed assets to pivot into larger enterprise environments or targets of interest to Russian intelligence.

Indeed, Microsoft said it had identified over 200 organisations and 5,000 consumer devices impacted since the campaign began in August 2025.

“This activity demonstrates how exploited vulnerabilities in widely used network devices can be leveraged by sophisticated hostile actors,” said NCSC operations director Paul Chichester.

“We strongly encourage organisations and network defenders to familiarise themselves with the techniques described in the advisory and to follow the mitigation advice.

“The NCSC will continue to expose Russian malicious cyber activity and provide practical guidance to help protect UK networks,” he added.

Routers on trial

The exposure of Fancy Bear’s latest campaign comes amid a fierce debate on the other side of the Atlantic following the Federal Communications Commission’s (FCC’s) implementation of tight restrictions on routers built outside the US – which in effect means virtually every commercially available router.

The US’ decision was framed on the basis that such hardware poses an unacceptable risk to the country’s national security and that of its citizens and residents.

However, it has been criticised on the basis that while it eases fears over the potential for other governments – such as China – to interfere with networking hardware produced in their factories, it does not address the fact that security vulnerabilities such as those exploited by Fancy Bear will still exist regardless of where the devices were manufactured.

Writing in Computer Weekly, Forescout vice president of security intelligence, Rik Ferguson, said routers present highly attractive footholds for attackers because they sit at the network edge, generally face the public internet, and are easily overlooked once deployed.

“Many of the weaknesses we see come from familiar, measurable issues like outdated software components, slow patching cycles, weak credentials, exposed management interfaces and long lifespans that extend well beyond vendor support,” he said.

“In firmware analysis, we regularly see common components that are years behind current versions, carrying known vulnerabilities that attackers can and do exploit.”

Ferguson advised security teams to treat routers and similar network infrastructure as part of the active attack surface, which in practice means keeping accurate inventories, prioritising their lifecycle management, and enforcing firmware updates and patching.

To prevent attackers like Fancy Bear from scoring easy wins, security teams should also look to disable any internet-exposed management interfaces, enforce unique credentials, and apply network segmentation measures so that one compromised router does not necessarily enable wider access.
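
As an added illustration (not part of the original article or the NCSC advisory), the sketch below audits a router inventory for the conditions discussed above: DNS resolvers that are not on an approved list, management interfaces exposed to the internet, and firmware past vendor support. The inventory field names, the approved resolver ranges and the sample records are all constructed assumptions.

```python
import ipaddress
from datetime import date

# Assumption: resolvers the organisation has approved (documentation-range addresses).
APPROVED_RESOLVERS = [ipaddress.ip_network(n)
                      for n in ("192.0.2.53/32", "198.51.100.0/28")]

# Constructed inventory records; field names are hypothetical.
INVENTORY = [
    {"name": "branch-rtr-01", "dns": ["192.0.2.53", "198.51.100.5"],
     "wan_mgmt": False, "support_ends": date(2028, 1, 1)},
    {"name": "home-rtr-17", "dns": ["203.0.113.66", "192.0.2.53"],
     "wan_mgmt": True, "support_ends": date(2024, 6, 30)},
    {"name": "soho-rtr-09", "dns": ["not-an-ip"],
     "wan_mgmt": False, "support_ends": date(2027, 3, 1)},
]

def audit_router(rec, today):
    """Return a list of findings for one inventory record."""
    findings = []
    for raw in rec["dns"]:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            # A malformed resolver entry is itself worth investigating.
            findings.append(f"unparseable DNS entry: {raw!r}")
            continue
        # A resolver outside every approved range may indicate altered settings.
        if not any(addr in net for net in APPROVED_RESOLVERS):
            findings.append(f"unapproved DNS resolver: {addr}")
    if rec["wan_mgmt"]:
        findings.append("management interface exposed on WAN")
    if rec["support_ends"] < today:
        findings.append("firmware past vendor support")
    return findings

def audit_inventory(inventory, today):
    """Map router name -> findings, omitting devices with no findings."""
    report = {}
    for rec in inventory:
        findings = audit_router(rec, today)
        if findings:
            report[rec["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, date(2026, 4, 7)).items():
        print(name, "->", "; ".join(findings))
```
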


