Russia's Fancy Bear still hijacking routers to push fake sites, NCSC warns

What happened
It has been reported that the UK's National Cyber Security Centre (NCSC) has issued a fresh warning about ongoing router compromises tied to APT28 (aka Fancy Bear), a group widely, and allegedly, linked to Russia's GRU. The attackers are changing DNS server settings on small office and home office (SOHO) routers so downstream devices inherit malicious DNS and get quietly redirected to attacker-controlled clone sites. Users who think they're signing into Outlook or other everyday services end up handing credentials to a perfectly plausible fake page. Ouch.
Scale and targets
Microsoft chimed in with hard numbers: it has been reported that Forest Blizzard (Microsoft's name for APT28) impacted telemetry for more than 200 organizations and about 5,000 consumer devices; Microsoft said its own assets were not compromised. TP-Link gear was explicitly flagged, though Cisco routers were previously implicated and a separate cluster hit MikroTik devices, many allegedly located in Ukraine, which could offer military intelligence value. The NCSC says the activity looks opportunistic rather than a boutique hunt for VIPs, but opportunistic can still be devastating.
Why this matters
This is low glamour, high payoff for an adversary. Change a DNS entry, and suddenly your whole network is talking to the wrong people. The NCSC's Paul Chichester put it bluntly: exploited vulnerabilities in widely used network devices can be leveraged by sophisticated hostile actors. Microsoft's analysts warn the same foothold could be repurposed for DDoS, malware drops, or long-term backdoors. Remember Jaguar Tooth from 2023? Not exactly spy-fi, but just as effective.
What to do about it
So what's the fix? Patch routers, change default passwords, lock down admin interfaces, and audit DNS settings. Yes, the old chestnut about updating firmware applies here more than ever. The NCSC and Microsoft have published mitigation guidance; defenders should follow it. Want to sleep better at night? Treat your router like the front door to your digital home.
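One way to run the "audit DNS settings" step from a client behind the router, as an added example that is not taken from the NCSC or Microsoft guidance: it checks the resolvers a Linux host inherited (resolv.conf format) against an allowlist. The approved addresses and the sample file contents are constructed for illustration.

```python
import ipaddress

# Assumption: the resolvers this network is supposed to hand out (constructed values).
APPROVED = [ipaddress.ip_network(n) for n in ("192.0.2.53/32", "2001:db8::53/128")]

# Constructed sample: resolv.conf contents as a DHCP client might write them.
SAMPLE = """\
# generated by DHCP client
nameserver 192.0.2.53
nameserver 203.0.113.7   # not a resolver we hand out
nameserver 127.0.0.53
nameserver fe80::1%eth0
"""

def parse_nameservers(resolv_text):
    """Return the nameserver entries from resolv.conf-style text, in order."""
    found = []
    for raw in resolv_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # strip comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            addr = parts[1].split("%", 1)[0]  # drop IPv6 zone id such as %eth0
            try:
                found.append(ipaddress.ip_address(addr))
            except ValueError:
                found.append(parts[1])  # keep unparsable entries so they are reported
    return found

def audit_resolvers(resolv_text, approved=APPROVED):
    """Sort each configured resolver into approved, local stub, or unexpected."""
    report = {"approved": [], "stub": [], "unexpected": []}
    for addr in parse_nameservers(resolv_text):
        if isinstance(addr, str):
            report["unexpected"].append(addr)
        elif addr.is_loopback:
            report["stub"].append(str(addr))  # local forwarder: check its upstream too
        elif any(addr.version == net.version and addr in net for net in approved):
            report["approved"].append(str(addr))
        else:
            report["unexpected"].append(str(addr))
    return report

if __name__ == "__main__":
    for kind, addrs in audit_resolvers(SAMPLE).items():
        print(f"{kind}: {', '.join(addrs) or '-'}")
```

A loopback entry means a local stub resolver is forwarding queries, so the upstream servers it learned from the router need the same check. Any entry under "unexpected" is a reason to compare the router's own DNS and DHCP settings against what was configured.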
Sources: The Register