
UK NCSC Warns of Russian Cyber Espionage via Router Exploits


UK’s NCSC warns of Russian cyber espionage targeting routers via DNS hijacking, linked to APT28. Hackers exploit outdated devices to steal data globally, affecting 18,000 victims. Experts urge firmware updates and security upgrades to counter persistent threats.


Russian Cyber Espionage Targets Internet Routers

The UK’s National Cyber Security Centre (NCSC) has issued a warning about Russian cyber operations exploiting internet routers for espionage. The attacks target individuals and critical infrastructure, with the NCSC stating they are believed to be opportunistic. This approach mirrors tactics used by the APT28 group, also known as Fancy Bear, which has been linked to Russian intelligence services. APT28 was previously involved in a 2015 cyberattack on Germany’s parliament, where confidential emails and MP schedules were stolen. The current campaign highlights the vulnerability of routers, often overlooked as ‘edge devices’, in cybersecurity. Professor Alan Woodward of the University of Surrey noted that compromised routers can redirect users to fake sites, access home networks, and exploit connected devices like PCs and phones. The NCSC’s findings indicate a trend where state-sponsored actors exploit outdated or poorly secured hardware to infiltrate networks.

Exploiting Vulnerable Router Infrastructure

“compromised routers can redirect users to fake sites, access home networks, and exploit connected devices like PCs and phones.”

— Professor Alan Woodward

The threat’s scale is heightened by the widespread use of consumer-grade routers globally. A 2016 cyberattack on Bangladesh’s central bank, which stole $80 million, involved cheap, secondhand routers accessible via the internet. This attack, attributed to a North Korean group, demonstrated how weakly secured devices can be leveraged for large-scale financial theft. While the Bangladesh incident involved a different actor, the underlying vulnerability remains relevant. The NCSC’s current warnings suggest Russian hackers are adopting similar tactics, targeting routers from brands like Mikrotik and TP-Link. These devices, commonly used in small offices and homes, are prime candidates for exploitation due to their limited security features and frequent lack of firmware updates. The NCSC’s analysis indicates attackers are not limited to state-sponsored groups, as opportunistic cybercriminals may also exploit these weaknesses for financial gain.

Technical Methods of Router Exploitation

Russian hackers use DNS hijacking to redirect traffic and steal user credentials without deploying traditional malware. A 2026 incident revealed the Russia-backed threat actor Forest Blizzard (APT28) reconfigured router DNS settings to redirect traffic to virtual private servers under their control. This allowed them to intercept OAuth authentication tokens transmitted after multi-factor authentication, bypassing security measures. Microsoft identified over 200 organizations and 5,000 consumer devices affected by this campaign, with the majority of victims using unsupported, end-of-life routers. The attackers targeted Mikrotik and TP-Link models, popular in the Small Office/Home Office (SOHO) market. These routers, often sold without robust security protocols, are particularly vulnerable to configuration changes enabling persistent access to user data.


Persistent Risks of Outdated Router Security

The exploitation of routers is further complicated by the lack of security updates for many devices. Black Lotus Labs researchers noted that attackers did not rely on malware but instead leveraged known vulnerabilities to propagate malicious DNS settings across local networks. This method allows hackers to maintain long-term access without triggering traditional malware detection tools. The U.K.’s NCSC detailed how Russian cyber actors compromised routers to execute DNS hijacking, redirecting users to malicious websites to steal login details. The absence of regular firmware updates in many routers means that once a vulnerability is exploited, the device remains a persistent entry point for further attacks. This technical sophistication highlights the need for both manufacturers and users to prioritize router security, as the consequences of a compromised network can extend far beyond individual users.
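The two paragraphs above describe the technique at the level of settings: the router's DNS configuration is changed so that clients receive an attacker-controlled resolver, and no malware ever touches the endpoints. The client-side detection a defender could run against that is shown below as an added example; it is not code from the article, the NCSC, Microsoft or Black Lotus Labs. It parses a dhclient-style lease for the resolvers the router is advertising, compares them with an allowlist, and compares answers from the local resolver with answers from a trusted resolver queried out of band (the DoH/DoT lookups themselves are left to the caller). The allowlist, the lease text and both answer sets are constructed sample data, with a TEST-NET address standing in for an attacker's server.

```python
"""Spot router DNS hijacking from the client side: untrusted resolvers handed out
by DHCP, and answers that disagree with a trusted out-of-band resolver.
Added example, not from the article; allowlist and sample data are constructed."""
from __future__ import annotations

from dataclasses import dataclass

# Resolvers clients on this network are supposed to receive (constructed allowlist).
TRUSTED_RESOLVERS = {"192.0.2.53", "9.9.9.9"}


@dataclass
class Finding:
    severity: str
    detail: str


def parse_dhcp_resolvers(lease_text: str) -> list[str]:
    """Return the DNS servers listed in dhclient-style lease text."""
    servers: list[str] = []
    for raw in lease_text.splitlines():
        line = raw.strip().rstrip(";")
        if line.startswith("option domain-name-servers"):
            _, _, value = line.split(None, 2)
            servers.extend(s.strip() for s in value.split(","))
    return servers


def check_advertised_resolvers(servers: list[str], trusted=TRUSTED_RESOLVERS) -> list[Finding]:
    """An advertised resolver that is not on the allowlist is the first sign that
    the router's DNS settings were changed."""
    return [Finding("high", f"DHCP advertises untrusted resolver {s}")
            for s in servers if s not in trusted]


def compare_resolutions(local: dict[str, set[str]],
                        reference: dict[str, set[str]]) -> list[Finding]:
    """Compare A records from the router-supplied resolver with records from a
    trusted resolver queried out of band. Disagreement on one name is suspicious;
    several unrelated names all steered to one unexpected address is the hijack pattern."""
    findings: list[Finding] = []
    steered_to: dict[str, list[str]] = {}
    for name, ref_ips in reference.items():
        local_ips = local.get(name, set())
        if not local_ips:
            findings.append(Finding("medium", f"{name}: no answer from local resolver"))
            continue
        # Set overlap rather than equality: round-robin answers legitimately differ.
        if local_ips.isdisjoint(ref_ips):
            findings.append(Finding("high", f"{name}: local answer {sorted(local_ips)} "
                                            f"shares nothing with reference {sorted(ref_ips)}"))
            for ip in local_ips:
                steered_to.setdefault(ip, []).append(name)
    for ip, names in steered_to.items():
        if len(names) > 1:
            findings.append(Finding("high", f"{len(names)} unrelated names steered to {ip}: {sorted(names)}"))
    return findings


def audit(lease_text: str, local: dict[str, set[str]],
          reference: dict[str, set[str]]) -> list[Finding]:
    """Run both checks and return every finding."""
    return (check_advertised_resolvers(parse_dhcp_resolvers(lease_text))
            + compare_resolutions(local, reference))


# Constructed sample data: 203.0.113.7 (TEST-NET-3) plays the attacker-controlled server.
SAMPLE_LEASE = """lease {
  interface "eth0";
  fixed-address 192.0.2.20;
  option routers 192.0.2.1;
  option domain-name-servers 192.0.2.53, 203.0.113.7;
}"""
REFERENCE_ANSWERS = {  # from a DoH/DoT resolver the router cannot influence
    "login.example.com": {"198.51.100.10"},
    "mail.example.com": {"198.51.100.20"},
    "cdn.example.net": {"198.51.100.30", "198.51.100.31"},
}
LOCAL_ANSWERS = {  # from the resolver the router handed out
    "login.example.com": {"203.0.113.7"},
    "mail.example.com": {"203.0.113.7"},
    "cdn.example.net": {"198.51.100.31"},
}

if __name__ == "__main__":
    for f in audit(SAMPLE_LEASE, LOCAL_ANSWERS, REFERENCE_ANSWERS):
        print(f.severity.upper(), f.detail)
```

On the sample data this reports the untrusted resolver, the two login and mail mismatches, and the convergence of both names on one address, while the CDN name passes because its answers overlap. The reference lookups must bypass the router's resolver entirely (DoH or DoT to a resolver addressed by IP), and the names chosen should be ones with stable records, such as the organisation's identity provider and mail host, since those are exactly the names a token-stealing redirect would target.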

Global Impact of the Russian Cyber Campaign

The scope of the Russian cyber campaign extends beyond national borders, affecting users in North Africa, Central America, and Southeast Asia. Black Lotus Labs reported at least 18,000 victims across 120 countries, including government agencies, law enforcement, and email providers. The FBI and U.S. Justice Department have taken steps to disrupt the campaign, including dismantling compromised routers on U.S. soil through court-authorized actions. The FBI is expected to announce the takedown of domains used in the attack, with Lumen confirming collaboration in disabling the botnet. These efforts reflect a growing international focus on countering state-sponsored cyber threats, as the U.S. Federal Communications Commission (FCC) announced a policy restricting certification of non-U.S. consumer-grade routers. This move, citing national security risks, aims to limit the availability of foreign-made routers, though experts note it does not address vulnerabilities in existing, outdated devices.

“Black Lotus Labs researchers noted that attackers did not rely on malware but instead leveraged known vulnerabilities to propagate malicious DNS settings across local networks.”

— Black Lotus Labs

Regulatory Responses to Cybersecurity Risks

The collaboration between U.S. and U.K. agencies underscores the transnational nature of cyber threats. The NCSC’s warning aligns with Microsoft’s findings on the Forest Blizzard campaign, highlighting the interconnectedness of global cybersecurity challenges. While the FCC’s ban on foreign routers is a significant policy shift, its effectiveness is limited by the fact that many existing devices remain in use. This gap in protection emphasizes the need for a multi-faceted approach to cybersecurity, combining regulatory measures with proactive user education. The international response to the Russian campaign also raises questions about the broader implications of state-sponsored cyber operations, as such attacks can disrupt critical infrastructure and compromise sensitive data on a global scale.

Mitigation Strategies for Router Vulnerabilities

To combat the threat posed by Russian hackers targeting routers, both individuals and organizations must adopt proactive mitigation strategies. Professor Alan Woodward of the University of Surrey has urged users to update routers regularly and monitor networks for unusual activity. This includes checking for firmware updates, changing default passwords, and enabling security features like WPA3 encryption. Small businesses and individuals are particularly vulnerable due to the lack of resources dedicated to cybersecurity, making them prime targets for exploitation. The NCSC has also recommended that users disable unused services on routers to reduce attack surfaces and implement network segmentation to limit the spread of potential breaches.

The role of manufacturers in improving router security cannot be overstated. Companies like Mikrotik and TP-Link must prioritize the development of more secure firmware and provide long-term support for their devices. This includes addressing known vulnerabilities and ensuring that security patches are readily available. Additionally, industry-wide standards for router security could help reduce the prevalence of insecure devices. The U.S. and U.K. governments have a critical role to play in incentivizing manufacturers to adopt higher security benchmarks, potentially through subsidies or regulatory mandates. Ultimately, the fight against router-based cyber threats requires a collaborative effort between governments, manufacturers, and users to ensure that the digital infrastructure remains resilient against evolving cyber risks.
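The user-side checklist above (supported firmware, no default password, WPA3, unused services off, segmentation) can be turned into a repeatable audit. The following is an added example, not NCSC guidance or any vendor's tooling: it evaluates a vendor-neutral snapshot of a router's settings against those checks and lists every failure. The configuration schema, the default-credential list and both sample configurations are constructed; a real deployment would fill the snapshot from the router's own configuration export.

```python
"""Audit a SOHO router's settings against the hardening checklist: supported
firmware, no default password, WPA3, unused services off, no WAN-side admin,
and a segmented network. Added example; schema and sample configs are constructed."""
from __future__ import annotations

from datetime import date

# Factory credential pairs of the kind printed on device labels (constructed, illustrative).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"),
                       ("admin", "1234"), ("root", "root")}
# Services that should be off unless there is a documented need for them.
UNNEEDED_SERVICES = ("telnet", "ftp", "upnp", "wps")
# WPA3, or WPA3 transition mode for networks that still carry WPA2-only clients.
ACCEPTED_WIFI = {"WPA3-SAE", "WPA3-SAE/WPA2-PSK"}


def audit_router(cfg: dict, today: date | None = None) -> list[str]:
    """Return one line per failed check; an empty list means the checklist passes."""
    today = today or date.today()
    fails: list[str] = []

    # 1. Firmware still receives security updates.
    support_ends = date.fromisoformat(cfg["firmware"]["support_ends"])
    if support_ends < today:
        fails.append(f"firmware {cfg['firmware']['version']} is end-of-life since {support_ends}")

    # 2. Administrative password is neither a factory default nor trivially short.
    user, password = cfg["admin"]["username"], cfg["admin"]["password"]
    if (user, password) in DEFAULT_CREDENTIALS:
        fails.append("admin account still uses a factory default password")
    elif len(password) < 12:
        fails.append("admin password shorter than 12 characters")

    # 3. Wireless uses WPA3.
    if cfg["wifi"]["security"] not in ACCEPTED_WIFI:
        fails.append(f"Wi-Fi uses {cfg['wifi']['security']}, not WPA3")

    # 4. Unused services are disabled to shrink the attack surface.
    enabled = [s for s in UNNEEDED_SERVICES if cfg["services"].get(s, False)]
    if enabled:
        fails.append("unused services enabled: " + ", ".join(enabled))

    # 5. The admin interface is not reachable from the internet side.
    if cfg["management"]["allow_from_wan"]:
        fails.append("administrative interface reachable from the WAN side")

    # 6. Guest and IoT devices sit on their own segments.
    if len(cfg["networks"]) < 2:
        fails.append("single flat network: no segmentation of guest/IoT devices")
    return fails


# Constructed "before" snapshot: how many SOHO routers leave the box and stay.
WEAK_CONFIG = {
    "firmware": {"version": "1.0.3", "support_ends": "2022-01-01"},
    "admin": {"username": "admin", "password": "admin"},
    "wifi": {"security": "WPA2-PSK"},
    "services": {"telnet": True, "ftp": True, "upnp": True, "wps": False, "https_admin": True},
    "management": {"allow_from_wan": True},
    "networks": ["lan"],
}

# Constructed "after" snapshot with every item on the checklist applied.
HARDENED_CONFIG = {
    "firmware": {"version": "2.4.1", "support_ends": "2030-12-31"},
    "admin": {"username": "netadmin", "password": "correct-horse-battery-staple"},
    "wifi": {"security": "WPA3-SAE"},
    "services": {"telnet": False, "ftp": False, "upnp": False, "wps": False, "https_admin": True},
    "management": {"allow_from_wan": False},
    "networks": ["lan", "guest", "iot"],
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        failures = audit_router(cfg)
        print(f"{label}: {len(failures)} failed check(s)")
        for line in failures:
            print("  -", line)
```

Run periodically, the audit catches regressions such as a firmware reset that re-enables UPnP or a support window quietly expiring; the end-of-life check is the one most often missed, because a router that still works gives no sign that it has stopped receiving patches.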


SMI Tech Desk
SMI Tech Desk is the technology editorial team at SoMuchInfo, focused on artificial intelligence, startups, and global innovation trends. The team analyzes developments from leading companies, research labs, and emerging technologies, combining verified sources with AI-assisted tools and editorial validation. Content is curated from verified sources and enhanced using AI-assisted workflows, with human editorial review.
