The UK’s National Cyber Security Centre warns that Russian hackers are breaking into routers and covertly rerouting users’ internet traffic through malicious servers under their control
Elite Russian hackers are breaking into routers commonly used in Britain and accessing users’ personal data, the UK’s National Cyber Security Centre (NCSC) has warned.
The Russian state-linked hacker group APT28 then covertly reroutes users’ internet traffic through malicious servers under their control, according to the NCSC.
The new advisory warned on Tuesday that APT28 has exploited vulnerable internet routers to carry out Domain Name System (DNS) hijacking operations, allowing the hackers to intercept traffic and harvest login credentials, including passwords and access tokens from personal web and email services.
The DNS process – which allows users to reach websites by typing familiar addresses – is interfered with to covertly send users to malicious websites designed to steal login details or other sensitive information. The security group said the activity is “likely opportunistic in nature”, with the hackers casting a wide net to reach many potential victims before narrowing in on targets of intelligence interest as the attack develops.
Paul Chichester, NCSC director of operations, said: “This activity demonstrates how exploited vulnerabilities in widely used network devices can be leveraged by sophisticated hostile actors. We strongly encourage organisations and network defenders to familiarise themselves with the techniques described in the advisory and to follow the mitigation advice.”
The NCSC listed measures that could help protect users against DNS hijacking attacks, including applying security updates and setting up two-step verification.
APT28 has been involved in well-known cyber attacks over the past few years, including on the US Democratic National Committee, the German Bundestag and western logistics and technology organisations, including those aiding Ukraine.
According to the NCSC, the group is “almost certainly” Unit 26165 of the GRU, Russia’s military intelligence. It is also known in open source as Fancy Bear, Forest Blizzard, the Sednit Gang and Sofacy.
In an advisory published in May 2025, the NCSC and partners from ten countries revealed details about APT28’s “malicious cyber campaign” against both public and private organisations since 2022.
It said the unit targeted organisations involved in the co-ordination, transport and delivery of support to Ukraine, and across the defence, IT services, maritime, airports, ports and air traffic management systems sectors in multiple NATO members.
