Russia’s Fancy Bear still attacking routers to boost fake sites, NCSC warns

Summary

The UK National Cyber Security Centre (NCSC) has issued a fresh advisory about APT28 (aka Fancy Bear) exploiting vulnerabilities in small and home office (SOHO) routers to change DNS settings and redirect users to attacker-controlled websites. Microsoft corroborates the activity, reporting over 200 organisations and 5,000 consumer devices impacted. The campaign aims to harvest credentials via realistic-looking copycat pages and can expose downstream devices that inherit malicious DNS settings.

Key Points

  1. APT28 is exploiting SOHO router vulnerabilities to alter DNS server settings and hijack traffic.
  2. Compromised routers can cause laptops and smartphones on the same network to inherit malicious DNS, widening exposure.
  3. Attackers redirect legitimate services (for example, Outlook) to convincing phishing pages to capture credentials.
  4. Microsoft telemetry identified more than 200 organisations and roughly 5,000 consumer devices affected; no Microsoft-owned assets were indicated as compromised.
  5. TP-Link and MikroTik (and previously Cisco) routers have been observed as targets; activity has been monitored by NCSC since 2021.
  6. NCSC assesses much of the activity as opportunistic, though compromises in regions like Ukraine may yield military intelligence value.
  7. Successful router compromises can enable follow-on operations such as backdoors (e.g. Jaguar Tooth), malware deployment, or DDoS.
  8. NCSC and Microsoft have published guidance and telemetry to help defenders mitigate and detect these attacks.

Content Summary

APT28 (commonly attributed to the GRU) is manipulating DNS settings on vulnerable SOHO routers to redirect users to attacker-controlled sites that mimic widely used services. Victims connecting to these fake sites may enter legitimate credentials, which the attackers capture. Because many home and small-office networks allow devices to inherit router DNS settings, the impact can extend beyond the router itself to personal and corporate devices.

Microsoft’s report (Forest Blizzard) and the NCSC advisory align: the activity is widespread rather than narrowly targeted, affecting hundreds of organisations and thousands of devices. Targets have included TP-Link and MikroTik devices, and previous incidents involved Cisco equipment and deployment of Jaguar Tooth malware. The NCSC emphasises mitigation steps and practical guidance; Microsoft warns the same infrastructure could be reused for DDoS or malware campaigns.

Context and relevance

This is part of a persistent trend where state-aligned actors exploit poorly maintained or exposed network edge devices to gain footholds and intercept credentials. SOHO and IoT devices remain a low-cost, high-impact attack vector for reconnaissance and lateral access into larger networks, particularly where upstream compromise affects enterprise traffic.

For network administrators, security teams and organisations with remote workers, the advisory is directly relevant: it highlights the need for router patching, configuration hardening, monitoring of DNS settings, and user awareness to reduce credential-phishing risk and downstream compromise.
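The "monitoring of DNS settings" point above is the one defenders can operationalise cheaply. Below is an added example (not code from the NCSC advisory, Microsoft's report or The Register) of two such checks: comparing the resolvers a client has actually been handed (parsed from Linux `/etc/resolv.conf` or Windows `ipconfig /all` output) against an operator-maintained allowlist, and comparing answers for a few high-value names from the configured resolver with answers from a trusted out-of-band resolver. The `EXPECTED_RESOLVERS` values and both sample configurations are constructed assumptions for the example; replace them with your own.

```python
"""Audit which DNS resolvers a network is actually using.

Added example for this summary, not code from the NCSC advisory, Microsoft's
report or The Register. Two defender-side checks that catch the kind of
router-level DNS change described above:

  1. Compare the resolvers handed to a client (Linux /etc/resolv.conf or
     Windows `ipconfig /all` output) against an operator-maintained allowlist.
  2. Compare answers for a few high-value names from the configured resolver
     with answers from a trusted out-of-band resolver.

All sample inputs below are constructed; the allowlist values are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: the resolvers this network is supposed to use (the router's LAN
# address plus a known public resolver). Replace with your own.
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "1.0.0.1"}

# Constructed sample: what a Linux client on a tampered network might show.
RESOLV_SAMPLE = """# Generated by NetworkManager (constructed sample)
nameserver 192.168.1.1
nameserver 203.0.113.53
"""

# Constructed sample: excerpt of `ipconfig /all` on a Windows client.
IPCONFIG_SAMPLE = """Ethernet adapter Ethernet:
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# IPv4 dotted quad, or IPv6 with an optional %zone suffix as Windows prints it.
_IP_RE = r"\d+\.\d+\.\d+\.\d+|[0-9a-fA-F:]+(?:%\d+)?"


def parse_resolv_conf(text: str) -> list[str]:
    """Return nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenise
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def parse_ipconfig(text: str) -> list[str]:
    """Return DNS server addresses from `ipconfig /all` output.

    Windows prints the first server on the 'DNS Servers' line and any further
    servers on indented continuation lines that contain only an address.
    """
    servers = []
    in_dns_block = False
    for line in text.splitlines():
        first = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if first:
            servers.append(first.group(1))
            in_dns_block = True
            continue
        more = re.match(rf"\s+({_IP_RE})\s*$", line) if in_dns_block else None
        if more:
            servers.append(more.group(1))
        else:
            in_dns_block = False  # any other line ends the DNS block
    return servers


@dataclass
class Finding:
    server: str
    reason: str


def audit_resolvers(servers, expected=EXPECTED_RESOLVERS) -> list[Finding]:
    """Flag every resolver that is not on the allowlist."""
    findings = []
    for s in servers:
        if s in expected:
            continue
        try:
            ipaddress.ip_address(s)
        except ValueError:
            findings.append(Finding(s, "not a valid IP address"))
            continue
        findings.append(Finding(s, "not on allowlist"))
    return findings


def check_resolution_consistency(names, resolve_local, resolve_trusted) -> dict:
    """Report names whose answers from the configured resolver share no
    address with the trusted resolver's answers.

    Both resolvers are passed in as callables (name -> list of addresses) so
    the check can be driven by live lookups or, as here, by constructed data.
    CDN-fronted names legitimately differ between vantage points, so only a
    complete lack of overlap is reported.
    """
    mismatches = {}
    for name in names:
        local = set(resolve_local(name))
        trusted = set(resolve_trusted(name))
        if local and trusted and not (local & trusted):
            mismatches[name] = (sorted(local), sorted(trusted))
    return mismatches


if __name__ == "__main__":
    for label, servers in (("resolv.conf", parse_resolv_conf(RESOLV_SAMPLE)),
                           ("ipconfig", parse_ipconfig(IPCONFIG_SAMPLE))):
        for f in audit_resolvers(servers):
            print(f"[{label}] {f.server}: {f.reason}")
```

Run it on endpoints (or feed it the DNS servers from a router's exported configuration) and alert on any finding; a resolver that appears on clients but was never configured by the operator is exactly the symptom the advisory describes. For the consistency check, query a handful of names you control or whose records you know, rather than CDN-fronted services whose answers vary by location, and obtain the trusted answers over a path that does not depend on the suspect router.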

Why should I read this?

Because if you or your staff use home or small office routers (and who doesn’t?), this is the kind of quiet compromise that can turn into a very noisy breach. It explains how attackers quietly hijack DNS to farm credentials and why a dodgy router config can contaminate every device on the network. Read it, and fix the basics—firmware, DNS checks and MFA—before someone else does the harvesting for you.

Author note

Punchy takeaway: this isn’t a niche exploit anymore — it’s a scalable, opportunistic campaign hitting everyday devices. Follow the NCSC and Microsoft mitigations now; patching and DNS vigilance will spare you messy incident response later.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/04/07/russia_fancy_bear_ncsc_router_attack/