April 26, 2026
The article reports that the U.K.’s National Cyber Security Centre has warned that APT28, the Russian state-linked group also known as Forest Blizzard or Fancy Bear, has been exploiting vulnerable routers to hijack DNS settings and redirect traffic through attacker-controlled infrastructure. Industrial Cyber explains that this enables adversary-in-the-middle operations in which victims’ web and email sessions can be intercepted, exposing passwords, authentication tokens, and other sensitive data. The campaign reportedly begins with broad scanning for exposed devices and then narrows toward targets of intelligence value, with the attackers modifying DNS and DHCP settings to create persistent visibility into traffic flows and a scalable platform for espionage and credential theft.
The article adds that the activity has been observed from 2024 into 2026 and involves malicious virtual private servers acting as rogue DNS servers, with compromised SOHO routers handing those rogue resolvers to laptops, phones, and other connected devices through DHCP, so that the devices' DNS answers are attacker-controlled. One example cited is the TP-Link WR841N, which was likely exploited via CVE-2023-50224 to obtain router credentials and then alter the DHCP DNS settings; other TP-Link and MikroTik devices were also implicated. Industrial Cyber says the NCSC is urging organizations to keep management interfaces off the public internet, patch and modernize systems, strengthen monitoring, apply allowlisting and host-based detection where possible, and use multi-factor authentication to reduce the impact of stolen credentials. The piece also places the warning in a broader context by noting earlier U.S.-U.K. advisories on APT28's exploitation of router infrastructure.
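The host-based detection the NCSC guidance points to can be approximated with two checks on the client side: compare the resolvers a host actually received (resolv.conf and the DHCP lease) against an allowlist, flagging public addresses that were never expected, and compare answers for a few sentinel names from the configured resolver with answers from a trusted out-of-band resolver, which catches the case where the router keeps its own LAN address as the advertised resolver but forwards upstream to a rogue server. The following is an added example written for this page, not code from the article, the NCSC or Industrial Cyber. The resolv.conf, dhclient lease and both DNS answer sets are constructed samples using documentation address ranges, and the expected-resolver set is a hypothetical allowlist.

```python
"""Host-side check for DHCP-pushed rogue DNS resolvers (added example, not from the article)."""
import ipaddress
import re

# Constructed sample: resolv.conf written by a DHCP client on a LAN whose router
# now advertises an attacker-controlled VPS (203.0.113.45) as a second resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search lan
nameserver 192.168.0.1
nameserver 203.0.113.45
"""

# Constructed sample: dhclient-style lease carrying the same rogue resolver.
SAMPLE_DHCLIENT_LEASE = """\
lease {
  interface "eth0";
  fixed-address 192.168.0.23;
  option routers 192.168.0.1;
  option domain-name-servers 192.168.0.1,203.0.113.45;
  option domain-name "lan";
}
"""

# Hypothetical allowlist: the router's LAN address plus the ISP/corporate resolver.
EXPECTED_RESOLVERS = {"192.168.0.1", "198.51.100.10"}

# Constructed answer sets for sentinel names: what the configured resolver
# returned versus what a trusted out-of-band resolver (e.g. DoH) returned.
ANSWERS_FROM_CONFIGURED = {
    "mail.example.com": {"203.0.113.77"},   # redirected to attacker infrastructure
    "www.example.com": {"192.0.2.80"},
}
ANSWERS_FROM_TRUSTED = {
    "mail.example.com": {"198.51.100.25"},
    "www.example.com": {"192.0.2.80"},
}

# Address space a SOHO/corporate LAN resolver is normally expected to live in.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def parse_resolv_conf(text):
    """Return nameserver addresses from resolv.conf text, in order, ignoring comments."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_dhclient_leases(text):
    """Return DNS servers from every 'option domain-name-servers' line in a dhclient lease file."""
    servers = []
    for match in re.finditer(r"option domain-name-servers\s+([^;]+);", text):
        servers.extend(s.strip() for s in match.group(1).split(","))
    return servers


def classify_resolvers(servers, expected):
    """Label each resolver as expected, private-unexpected, public-unexpected or unparseable.

    A public, non-allowlisted resolver is the strongest signal of a DHCP-pushed
    rogue server; a private unexpected one may be a misconfiguration or a rogue
    DHCP server on the LAN, so it is reported too.
    """
    results = []
    for server in servers:
        if server in expected:
            results.append((server, "expected"))
            continue
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            results.append((server, "unparseable"))
            continue
        on_lan = any(addr in net for net in LAN_RANGES)
        results.append((server, "private-unexpected" if on_lan else "public-unexpected"))
    return results


def find_divergent_answers(configured, trusted):
    """Sentinel names whose A records from the configured resolver differ from the trusted one."""
    return sorted(name for name in trusted if configured.get(name) != trusted[name])


def audit(resolv_conf, lease_text, expected, configured_answers, trusted_answers):
    """Run both checks and return the findings as a dict."""
    seen = []
    for server in parse_resolv_conf(resolv_conf) + parse_dhclient_leases(lease_text):
        if server not in seen:
            seen.append(server)
    return {
        "suspicious_resolvers": [s for s, verdict in classify_resolvers(seen, expected)
                                 if verdict != "expected"],
        "divergent_names": find_divergent_answers(configured_answers, trusted_answers),
    }


if __name__ == "__main__":
    findings = audit(SAMPLE_RESOLV_CONF, SAMPLE_DHCLIENT_LEASE, EXPECTED_RESOLVERS,
                     ANSWERS_FROM_CONFIGURED, ANSWERS_FROM_TRUSTED)
    for key, value in findings.items():
        print(f"{key}: {value}")
```

On the constructed samples the audit reports 203.0.113.45 as an unexpected public resolver and mail.example.com as a name whose answer diverges from the trusted resolver. In a real deployment the answer sets would come from live queries against the configured resolver and a pinned out-of-band one; the allowlist check alone is not sufficient, because a router that keeps its LAN address as the advertised resolver while forwarding upstream to a rogue server passes it.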