One of Russia’s most notorious state-backed cyber units has been quietly exploiting weaknesses in everyday internet routers across the United Kingdom for nearly two years, according to Britain’s national cyber defence agency — an operation that marks a significant widening of the threat beyond government targets into the general public.
What GCHQ Has Uncovered and Why It Matters
The National Cyber Security Centre, the cyber arm of GCHQ, has confirmed that APT28 — the hacking group more commonly known as Fancy Bear — has been systematically targeting vulnerable internet routers in use across the UK since 2024. The operation appears designed to cast the widest possible net before narrowing its focus to individuals whom the group’s handlers judge to hold “potential intelligence value.”
The mechanism behind the campaign is technically sophisticated but conceptually straightforward. The hackers have been exploiting a weakness in commonly used routers to hijack the domain name system, the internet infrastructure that translates web addresses into the numerical destinations computers actually use. By manipulating this lookup process, the attackers are able to redirect users who believe they are visiting a legitimate website — their email provider, say, or their bank — to a near-identical page controlled by the hackers. Once the user enters their credentials, those login details are captured and harvested.
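A defender-side illustration of the hijack described above, added here as an example and not taken from the NCSC advisory: it checks a router's configured DNS servers against an allowlist, then compares the addresses returned for sensitive domains via the router with those from an out-of-band trusted resolver. All addresses, domains and the "rogue" entries are constructed sample data (documentation ranges), and the allowlist is an assumption standing in for the ISP-assigned resolvers.

```python
# Constructed sample data (not from the advisory). EXPECTED_RESOLVERS stands in for the
# ISP-assigned DNS servers; the second ROUTER_CONFIG entry is a constructed rogue server,
# and mail.example.com is constructed to resolve to a look-alike host via the router.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
ROUTER_CONFIG = {"dns_servers": ["192.0.2.53", "198.51.100.9"]}
ROUTER_ANSWERS = {
    "mail.example.com": {"203.0.113.7"},                      # no overlap with trusted answer
    "bank.example.com": {"198.51.100.20"},                    # identical to trusted answer
    "news.example.com": {"198.51.100.30", "198.51.100.31"},   # CDN-style partial overlap
}
TRUSTED_ANSWERS = {
    "mail.example.com": {"198.51.100.10"},
    "bank.example.com": {"198.51.100.20"},
    "news.example.com": {"198.51.100.31", "198.51.100.32"},
}


def unexpected_resolvers(router_config, expected):
    """Configured DNS servers that are not on the allowlist (a swapped resolver is the
    classic sign that the router's DNS settings have been tampered with)."""
    return sorted(s for s in router_config["dns_servers"] if s not in expected)


def diverging_domains(router_answers, trusted_answers):
    """Domains whose router-path answers share no address with the trusted resolver's.
    CDN answers legitimately vary between resolvers, so any overlap counts as consistent;
    a complete mismatch for a login-bearing domain is what warrants a closer look."""
    out = {}
    for name, trusted in trusted_answers.items():
        seen = router_answers.get(name, set())
        if seen and not (seen & trusted):
            out[name] = {"router": sorted(seen), "trusted": sorted(trusted)}
    return out


def audit(router_config, expected, router_answers, trusted_answers):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for s in unexpected_resolvers(router_config, expected):
        findings.append(f"router uses non-allowlisted DNS server {s}")
    for name, d in diverging_domains(router_answers, trusted_answers).items():
        findings.append(f"{name}: {d['router']} via router, {d['trusted']} via trusted resolver")
    return findings


if __name__ == "__main__":
    for finding in audit(ROUTER_CONFIG, EXPECTED_RESOLVERS, ROUTER_ANSWERS, TRUSTED_ANSWERS):
        print("WARNING:", finding)
```

A real run would populate the two answer dictionaries by resolving the same names through the router and through a resolver reached outside the home network; a mismatch is a prompt to check the router's DNS settings and firmware, not proof of compromise on its own.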
Paul Chichester, the NCSC’s director of operations, stated that the activity demonstrated how vulnerabilities in widely used network devices could be leveraged by sophisticated hostile actors. He urged organisations and network defenders to familiarise themselves with the techniques outlined in the agency’s advisory and to follow the mitigation guidance provided. The NCSC would continue, he added, to expose Russian malicious cyber activity and publish practical advice to help protect UK networks. The agency has recommended a series of defensive measures, including the use of modern devices and the consistent application of software updates.
Why the Shift Toward Mass Targeting Represents a New Phase
For those who have tracked Fancy Bear’s activities over the past decade, the decision to target ordinary home routers across the UK marks a noteworthy evolution in the group’s operational approach. The unit is best known internationally for highly targeted political operations — most famously, the intrusion into the servers of the Democratic National Committee during the 2016 US presidential election campaign, an episode that drew attention to Russia’s willingness to deploy state-backed cyber capabilities for strategic political ends.
APT28 operates under a bewildering array of names in the threat intelligence community — Unit 26165, Forest Blizzard, Pawn Storm, the Sednit Gang and Sofacy among them — but the underlying attribution has remained consistent: the group is assessed to be a unit of Russia’s GRU military intelligence agency. Its track record includes cyberattacks on Germany’s air traffic control authority, a disinformation campaign ahead of the German federal election in 2024, the hijacking of traffic intended for a Nigerian government website, and intrusions targeting Apple devices. After accusing APT28 of an attack on its parliament, Germany went so far as to summon the Russian ambassador. The group has also been linked to the leaking of World Anti-Doping Agency data in one of the more notorious international cyber-espionage episodes of the past decade.
What distinguishes the current UK campaign is its breadth. Rather than focusing on a specific institution or political target, the operation appears to be trawling for exposed routers wherever they can be found, creating a pool of compromised devices from which the most intelligence-worthy victims can later be selected. The logic is one of volume: compromise as many devices as possible, then identify which belong to individuals of interest. For members of the public whose routers happen to be among the vulnerable, the implication is uncomfortable — they may never know their credentials have been harvested, and they may never learn why their names appeared on a list assembled thousands of miles away.
The Pattern of Russian Cyber Activity Against Britain
The router campaign does not sit in isolation. It forms part of a broader pattern of Russian cyber activity directed at the United Kingdom that has become noticeably more intense since the invasion of Ukraine in February 2022. In January, GCHQ warned that Russian state-aligned “hacktivists” had been targeting local government websites, with particular attention to local authorities and operators of critical national infrastructure. The agency recommended that councils review their defences and invest in improved cyber resilience.
More recently, the NCSC has drawn attention to a separate strand of activity involving messaging platforms. The agency reported growing malicious activity from Russia-based actors using applications such as WhatsApp, Messenger and Signal to target high-risk individuals — a category that typically includes journalists, political figures, defence personnel and those connected to Ukraine support operations.
Last year, the UK intelligence agency exposed what it described as a malicious cyber campaign targeting organisations involved in delivering foreign assistance to Ukraine. Working alongside allies including the United States, Germany and France, the NCSC concluded that Fancy Bear had been targeting both public and private organisations since 2022, including those involved in defence, IT services and logistics support. The investigation uncovered a particularly striking dimension: the hackers had accessed around 10,000 internet-connected cameras, including those at Ukrainian border crossings monitoring aid shipments, as well as cameras near military installations and rail stations used to track the movement of materials into Ukraine. Legitimate municipal services, including traffic cameras, were also exploited for the same purpose.
The Domestic Defence Question
The disclosure places a set of uncomfortable questions in front of policymakers, manufacturers and the public itself. The routers being exploited are, by and large, consumer-grade devices supplied by internet service providers or bought off the shelf. Many remain in service long after their manufacturers have ceased issuing security updates. Others are running on default credentials that users have never been prompted to change. The vulnerabilities APT28 is exploiting are, in many cases, not secret — they are known weaknesses in hardware that has been in use for years.
This raises a structural problem that no individual user can solve. The cybersecurity of the United Kingdom’s domestic internet infrastructure depends on millions of separate devices, owned by millions of separate people, each with varying degrees of technical awareness. When a state-backed adversary with the resources of the GRU chooses to exploit that landscape systematically, the defensive burden cannot reasonably be placed on end users alone. It falls instead on manufacturers to build more secure devices, on service providers to ensure equipment remains updated throughout its operational life, and on regulators to set and enforce baseline standards.
For now, the NCSC’s advice amounts to practical guidance rather than a comprehensive solution: update router firmware, replace older devices, follow the technical mitigations set out in the agency’s advisory. That advice is sensible, and those who act on it will reduce their exposure. But the underlying reality is that the line between high-value intelligence targets and ordinary members of the public has blurred in a way that was not true a decade ago. In the calculus of modern state-sponsored espionage, the home router of an anonymous British household can be a useful stepping stone. Fancy Bear has been treating it as such for nearly two years. What the authorities do next will determine whether the UK’s digital front door remains quite so easy to prise open.
