Russian Cyber Hackers Use UK Routers to Redirect Internet Traffic and Steal Sensitive Data

Russian military cyber hackers have been found exploiting vulnerabilities in internet routers commonly used in the UK, allowing them to covertly redirect users’ internet traffic through malicious servers under their control.
According to the Financial Times on April 8, the UK's National Cyber Security Centre (NCSC) issued the warning, revealing that the cyberattack was orchestrated by APT28, a notorious group believed to be linked to Russia's military intelligence agency, the GRU.
The hackers have been taking advantage of weaknesses in routers to carry out domain name system (DNS) hijacking, allowing them to intercept internet traffic. This gives the attackers the opportunity to steal sensitive data, including passwords and access tokens, from users' online accounts and email services.
The NCSC identified two major companies, TP-Link and MikroTik, as being particularly susceptible to these types of attacks.
Paul Chichester, the NCSC's director of operations, emphasized the significance of the findings, stating that the incident “demonstrates how exploited vulnerabilities in widely used network devices” can be leveraged by sophisticated cybercriminals.

He urged both companies and individuals to take immediate action to protect themselves, stressing the importance of security updates and regular antivirus scans to mitigate risks.
The cyberattack operates by manipulating the DNS process, which is what enables users to access websites by typing in familiar addresses. In this scenario, hackers secretly redirect users to malicious sites designed to steal login credentials and other personal data.
The NCSC described the operation as “likely opportunistic,” noting that the hackers initially targeted a broad spectrum of potential victims. As the attack progressed, they gradually shifted their focus towards specific intelligence-related targets.

In May 2025, the United Kingdom's National Cyber Security Centre publicly accused Russia’s military intelligence agency, the GRU, of spearheading a widespread cyber campaign designed to disrupt Western support for Ukraine, particularly in the realm of logistics and technology. The NCSC report, issued on May 21, identifies GRU Unit 26165, also known as APT28 or “Fancy Bear.”
The targeted entities, located in NATO countries, are involved in providing assistance to Ukraine, with industries such as defense, IT, maritime, airport, port, and air traffic management among those most affected. This malicious cyber campaign is said to pose a significant risk to organizations delivering crucial aid to Ukraine.
“This malicious campaign by Russia’s military intelligence service presents a serious risk to targeted organisations, including those involved in the delivery of assistance to Ukraine,” said Paul Chichester, Director of Operations at NCSC.

According to reports, since 2022, the GRU has employed a wide range of cyber tactics, including credential guessing, spear-phishing, and exploiting vulnerabilities in Microsoft Exchange mailbox permissions, in efforts to breach secure networks. The campaign also reportedly targeted internet-connected cameras at Ukrainian border crossings and near military installations, likely aiming to monitor and track the transportation of arms.
An international investigation has previously revealed that Romania was also a target in a cyber-espionage campaign launched by the GRU, designed to monitor the flow of Western aid into Ukraine.
The operation, attributed to APT28, focused on exploiting weaknesses in surveillance camera infrastructure. Investigators revealed that nearly 1,000 of the approximately 10,000 compromised IP addresses were tied to Romanian systems, making Romania the second most affected country after Ukraine.





