UK exposes Russian cyber unit hacking home routers to hijack internet traffic

Summary

The UK's National Cyber Security Centre (NCSC, part of GCHQ) has published a technical advisory on a campaign in which hackers linked to Russia's GRU military intelligence agency, tracked as APT28 and also known as Fancy Bear and BlueDelta, compromise small office and home office (SOHO) routers to redirect and spy on web traffic.

The campaign targets widely sold consumer and small-business devices (the advisory names several TP-Link models) whose management interfaces are reachable from the internet and run with weak or outdated settings. The main initial-access vector is SNMP: SNMPv1 and SNMPv2c authenticate with nothing more than a "community string" sent in cleartext, and many devices still run v2c with factory defaults such as "public" or "private", or with easily guessed values. Combined with known firmware vulnerabilities, this gives the attackers access to the device, lets them map the network behind it, and then lets them alter the router's DNS settings so that clients' lookups are answered by attacker-controlled resolvers, an adversary-in-the-middle position.
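To make the SNMP point concrete, here is an added example (not code from the NCSC advisory or from The Record's article) that builds an SNMPv2c GetRequest for sysDescr.0 by hand, decodes the reply, and tries the factory-default community strings against a host. The target host, the sample reply bytes and the "SOHO router v1.0" banner in them are constructed for illustration.

```python
"""SNMPv1/v2c probe: why a default community string is a credential.
Added example (not from the NCSC advisory or the article); sample bytes are constructed.
"""
import socket

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"   # sysDescr.0: the device's model/firmware banner

def _tlv(tag: int, body: bytes) -> bytes:
    """Tag + BER length (short form under 128, else 0x8N + N length bytes) + body."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def _ber_int(v: int) -> bytes:
    """INTEGER, two's complement, minimal width."""
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def _ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs share one byte, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv2c GetRequest (PDU tag 0xA0). Version 1 means v2c; the community is cleartext."""
    varbind = _tlv(0x30, _ber_oid(oid) + b"\x05\x00")           # OID + NULL value
    pdu = _tlv(0xA0, _ber_int(request_id) + _ber_int(0) + _ber_int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _ber_int(1) + _tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def parse_response(data: bytes) -> dict:
    """Decode a GetResponse (PDU tag 0xA2); anyone on the path can read the community."""
    _, msg, _ = _read_tlv(data, 0)
    _, ver, p = _read_tlv(msg, 0)
    _, community, p = _read_tlv(msg, p)
    tag, pdu, _ = _read_tlv(msg, p)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU: tag 0x%02x" % tag)
    fields, p = [], 0                       # request-id, error-status, error-index
    for _ in range(3):
        _, v, p = _read_tlv(pdu, p)
        fields.append(int.from_bytes(v, "big", signed=True))
    _, vblist, _ = _read_tlv(pdu, p)
    bindings, q = {}, 0
    while q < len(vblist):
        _, vb, q = _read_tlv(vblist, q)
        _, oid, r = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, r)
        bindings[_decode_oid(oid)] = val.decode(errors="replace") if vtag == 0x04 else val
    return {"version": ver[0], "community": community.decode(errors="replace"),
            "request_id": fields[0], "error_status": fields[1], "bindings": bindings}

# Constructed GetResponse: community "public", request-id 1, no error, sysDescr.0 = "SOHO router v1.0"
SAMPLE_RESPONSE = bytes.fromhex(
    "303602010104067075626c6963a229020101020100020100301e301c"
    "06082b060102010101000410534f484f20726f757465722076312e30")

def probe(host: str, communities=("public", "private"), timeout: float = 2.0):
    """Try each community on UDP/161; return (community, sysDescr) for the first accepted.
    A v2c agent silently drops a wrong community, so a timeout means 'rejected'.
    Use only against devices you are authorised to test."""
    for community in communities:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_get_request(community, SYS_DESCR_0), (host, 161))
            try:
                data, _ = s.recvfrom(4096)
            except socket.timeout:
                continue
        resp = parse_response(data)
        if resp["error_status"] == 0:
            return community, resp["bindings"].get(SYS_DESCR_0)
    return None

if __name__ == "__main__":
    req = build_get_request("public", SYS_DESCR_0)
    print("GetRequest:", req.hex(), "| community readable:", b"public" in req)
    print("Decoded sample:", parse_response(SAMPLE_RESPONSE))
```

The hex dump of the request shows the community string as plain ASCII in the middle of the packet. That is the whole problem: on v1/v2c it is the only credential, anyone on the path can read it, and on an internet-facing device a scanner does not even need to sniff it, it just tries the defaults. The response carries the device's model and firmware banner, which is exactly what an opportunistic campaign needs to pick which known vulnerability to use next. SNMPv3 with authentication and privacy, or no SNMP at all, closes this off.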

Once in control of a router, the operators can intercept credentials and authentication tokens, redirect users to fraudulent sites, and pivot to other targets of intelligence interest. The NCSC describes the campaign as opportunistic at first, with broad scanning for vulnerable devices followed by focused targeting of the ones that matter to them, and urges organisations to harden management interfaces (not least by keeping them off the public internet), restrict or disable SNMP, and keep firmware current by applying vendor fixes promptly.
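As an added example (not code from the advisory or the article), the check below implements the detection side of the DNS tampering described above: it builds a raw DNS A query, parses the reply, and flags a LAN resolver that returns an address a trusted resolver never did. The name `portal.example`, the two reply buffers and the addresses in them are constructed; a live run would call `resolve_via` once against the router (normally the DHCP-supplied resolver) and once against a resolver you trust.

```python
"""Cross-check the LAN resolver (normally the router) against a trusted one.

Added example, not from the advisory or the article. A router whose DNS
settings were altered answers lookups for targeted sites with attacker
addresses; asking a second resolver for the same name exposes the divergence.
Reply bytes below are constructed; 198.51.100.0/24 and 203.0.113.0/24 are
documentation ranges.
"""
import socket
import struct

A_RECORD = 1
TXID = 0x1234   # fixed for the offline sample; randomise per query in real use


def build_query(name: str, txid: int = TXID) -> bytes:
    """RFC 1035 recursive A query: 12-byte header, QNAME labels, QTYPE, QCLASS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)       # RD set
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", A_RECORD, 1)


def _read_name(buf: bytes, pos: int):
    """Decode a (possibly compressed) name; return (name, position after it)."""
    labels, end = [], None
    while True:
        length = buf[pos]
        if length & 0xC0 == 0xC0:                   # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = pos + 2                       # the name occupies 2 bytes here
            pos = struct.unpack(">H", buf[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(buf[pos:pos + length].decode())
        pos += length
    return ".".join(labels), (pos if end is None else end)


def parse_a_records(resp: bytes, expected_txid=None) -> list:
    """Return the sorted A-record addresses in a response; raise on an error RCODE."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    pos = 12
    for _ in range(qd):                             # skip the echoed question section
        _, pos = _read_name(resp, pos)
        pos += 4                                    # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, pos = _read_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == A_RECORD and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return sorted(addrs)


def resolve_via(server: str, name: str, timeout: float = 2.0) -> list:
    """Send one UDP query to `server` and return the A records it gives for `name`."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, expected_txid=TXID)


def looks_hijacked(lan_answer: list, trusted_answer: list) -> bool:
    """True when the LAN resolver returned an address the trusted one never did.

    CDN-backed names rotate addresses, so exact equality would be too strict;
    an address absent from the trusted answer is the signal to investigate.
    """
    return not set(lan_answer) <= set(trusted_answer)


def _reply(addr: str) -> bytes:
    """Constructed response for portal.example with one A record (name compressed)."""
    return (struct.pack(">HHHHHH", TXID, 0x8180, 1, 1, 0, 0)           # QR, RD, RA
            + b"\x06portal\x07example\x00" + struct.pack(">HH", A_RECORD, 1)
            + b"\xc0\x0c" + struct.pack(">HHIH", A_RECORD, 1, 300, 4)
            + socket.inet_aton(addr))


TRUSTED_REPLY = _reply("198.51.100.25")   # what an independent resolver says
HIJACKED_REPLY = _reply("203.0.113.9")    # what a tampered router hands out

if __name__ == "__main__":
    # Offline demonstration. Live: looks_hijacked(resolve_via(router_ip, n), resolve_via(trusted_ip, n))
    trusted, lan = parse_a_records(TRUSTED_REPLY, TXID), parse_a_records(HIJACKED_REPLY, TXID)
    print("trusted:", trusted, "lan:", lan, "hijacked:", looks_hijacked(lan, trusted))
```

Two caveats for a live check. First, a router that is already in an adversary-in-the-middle position sits on the path to the "trusted" resolver as well and can rewrite plain UDP/53 to any destination, so the reference answer should come over an encrypted transport (DNS over HTTPS or TLS) or from a path that does not traverse the suspect device, such as a phone on mobile data. Second, run both queries from the same place at the same time and repeat them; a single mismatch on a CDN-fronted name is a prompt to inspect the router's DNS configuration and DHCP options, not proof of compromise.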

Key Points

  • The NCSC attributes the campaign with the highest confidence to Unit 26165 of Russia's GRU (APT28/Fancy Bear).
  • Attackers compromise SOHO routers (including several TP-Link models) whose management interfaces are exposed to the internet through weak settings or outdated firmware.
  • Abuse of SNMP (default or weak community strings on SNMPv1/v2c, which carry the string in cleartext with no encryption) is the key initial-access vector.
  • Compromised routers have their DNS settings changed, giving the operators an adversary-in-the-middle position from which to intercept traffic and redirect users to malicious sites.
  • The campaign is opportunistic at scale, then narrows to targets of intelligence interest; known vulnerabilities are used to persist and expand access.
  • NCSC mitigation advice: secure management interfaces, restrict or disable SNMP where it is not needed, move to SNMPv3 (authenticated and encrypted) where it is, and apply firmware and security updates promptly.

Why should I read this?

If you run a home, small office or manage networks for a small organisation, this is one to take seriously. These aren’t exotic zero-days — they’re cheap, widely used routers with weak defaults. Attackers are using them as easy footholds to spy on traffic and steal logins. Read the advisory and patch or lock down your kit now — we’ve done the digging so you don’t have to.

Author style

Punchy — this is a high-impact alert. If you care about network security, it pays to read the technical guidance in full and act quickly.

Source

Source: https://therecord.media/uk-exposes-russian-cyber-unit-hacking-home-routers