The UK’s National Cyber Security Centre (NCSC) and Microsoft recently uncovered a widespread Domain Name System (DNS) hijacking campaign carried out by Russian cyber intelligence services against vulnerable consumer and small office/home office (SOHO) broadband routers. The operation, attributed to APT28 (also known as Fancy Bear), involved changing the DNS settings of compromised devices so that victims’ name lookups were answered by malicious servers under the threat actor’s control, which in turn redirected their internet traffic through attacker-operated infrastructure. Sitting in that path as an adversary-in-the-middle (AiTM), Fancy Bear was able to steal sensitive data such as login credentials and access tokens for the victims’ personal web and email services.
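As an added illustration (this is not code from the NCSC or Microsoft advisory, nor from the article), the following Python script shows how a defender on the LAN side can look for the two symptoms of the router-level DNS hijack described above: the router handing out DNS servers that do not match site policy, and the router-supplied resolver answering differently from a trusted resolver. The lease text, domain names, resolver addresses and answers below are constructed sample data (using documentation address ranges), and `EXPECTED_RESOLVERS` stands in for whatever the local policy actually is.

```python
"""Offline check for router-level DNS hijacking (added example, constructed data).

Heuristics:
  1. The DNS servers a router hands out via DHCP are not the expected ones.
  2. The configured resolver's answers share no address with a trusted
     resolver's answers, and many unrelated login domains collapse onto one
     IP, which is the signature of a single adversary-in-the-middle proxy.
A hijacked router can also keep pointing clients at itself and forward to a
malicious upstream, so heuristic 1 alone is not sufficient; heuristic 2 still
catches that case.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Set

# Resolvers a well-behaved router should hand out (assumption: site policy).
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "9.9.9.9"}

# RFC 1918 ranges in which a legitimate LAN resolver may sit.
PRIVATE_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_dhcp_offer(text: str) -> List[str]:
    """Extract option 6 (domain-name-servers) from a dhclient-style lease dump."""
    servers: List[str] = []
    for m in re.finditer(r"option domain-name-servers\s+([^;]+);", text):
        servers.extend(s.strip() for s in m.group(1).split(",") if s.strip())
    return servers


def check_resolvers(offered: Iterable[str], expected: Set[str] = EXPECTED_RESOLVERS) -> List[str]:
    """Return one finding per offered resolver that is not on the allowlist."""
    findings: List[str] = []
    for r in offered:
        if r in expected:
            continue
        addr = ip_address(r)
        if any(addr in net for net in PRIVATE_RANGES):
            findings.append(f"unexpected LAN resolver {r} (check router DNS settings)")
        else:
            findings.append(f"public resolver {r} not on allowlist (possible hijack)")
    return findings


def compare_answers(configured: Dict[str, Set[str]], trusted: Dict[str, Set[str]],
                    collapse_threshold: int = 3) -> List[str]:
    """Flag domains whose configured-resolver answer shares no address with the
    trusted answer, then flag any single address that several unrelated domains
    were redirected to. CDNs make isolated divergences noisy; the collapse is the
    strong signal."""
    findings: List[str] = []
    divergent_ips: Counter = Counter()
    for domain, trusted_ips in trusted.items():
        got = configured.get(domain, set())
        if not got:
            findings.append(f"{domain}: no answer from configured resolver")
            continue
        if got.isdisjoint(trusted_ips):
            findings.append(f"{domain}: configured -> {sorted(got)}, trusted -> {sorted(trusted_ips)}")
            for ip in got:
                divergent_ips[ip] += 1
    for ip, n in divergent_ips.items():
        if n >= collapse_threshold:
            findings.append(f"{ip}: {n} unrelated domains redirected to one host (AiTM proxy pattern)")
    return findings


# Constructed lease: the router offers itself plus one unknown public resolver.
SAMPLE_LEASE = """\
lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1,203.0.113.53;
}
"""

# Constructed answers from the router-supplied resolver and from a trusted one.
CONFIGURED_ANSWERS = {
    "mail.example.com": {"203.0.113.10"},
    "login.example.net": {"203.0.113.10"},
    "webmail.example.org": {"203.0.113.10"},
    "cdn.example.com": {"198.51.100.7"},
    "static.example.org": {"198.51.100.20"},
}
TRUSTED_ANSWERS = {
    "mail.example.com": {"198.51.100.10"},
    "login.example.net": {"198.51.100.11"},
    "webmail.example.org": {"198.51.100.12"},
    "cdn.example.com": {"198.51.100.7"},       # identical answer: fine
    "static.example.org": {"198.51.100.21"},   # differs, but one domain only: CDN noise
}


def audit(lease_text: str, configured: Dict[str, Set[str]],
          trusted: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Run both heuristics and return findings grouped by check."""
    return {
        "resolvers": check_resolvers(parse_dhcp_offer(lease_text)),
        "answers": compare_answers(configured, trusted),
    }


if __name__ == "__main__":
    for section, items in audit(SAMPLE_LEASE, CONFIGURED_ANSWERS, TRUSTED_ANSWERS).items():
        print(f"[{section}]")
        for item in items:
            print("  ", item)
```

In practice the trusted answers would come from a resolver the router cannot tamper with (for example DNS over HTTPS to a known provider), and the comparison should be run from a client behind the suspect router, since the router is the thing being tested.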
The NCSC indicated that this campaign was likely opportunistic, with Fancy Bear targeting insecure home and small office equipment to infiltrate larger enterprise environments or other entities of interest to Russian intelligence. According to Microsoft, over 200 organizations and 5,000 consumer devices have been impacted since the campaign commenced in August 2025.
NCSC operations director Paul Chichester emphasized the significance of addressing exploited vulnerabilities in commonly used network devices, urging organizations and network defenders to familiarize themselves with the advisory and implement the recommended mitigation strategies. He affirmed the NCSC’s commitment to exposing and combating malicious cyber activities orchestrated by Russian entities to safeguard UK networks.
The revelation of Fancy Bear’s latest campaign coincides with a contentious debate in the United States following the Federal Communications Commission’s (FCC) enforcement of stringent regulations on routers manufactured outside the country, a classification that encompasses nearly all commercially available routers. While the FCC’s decision aims to mitigate national security risks associated with foreign-made hardware, critics argue that it overlooks the persistent security flaws exploited by threat actors like Fancy Bear regardless of where the hardware was made.
Rik Ferguson, Forescout’s vice president of security intelligence, highlighted routers as prime targets for cyber attackers due to their location at the network perimeter, exposure to the public internet, and frequent neglect post-deployment. He underscored the prevalence of vulnerabilities stemming from outdated software components, lax patching practices, weak credentials, exposed management interfaces, and extended product lifecycles lacking vendor support.
Ferguson advised security teams to proactively manage routers and similar network infrastructure as part of the active attack surface, emphasizing the importance of maintaining accurate inventories, prioritizing lifecycle management, and enforcing firmware updates and patches. To thwart adversaries like Fancy Bear, security professionals should disable public-facing management interfaces, enforce strong authentication measures, and implement network segmentation to contain potential breaches.
Overall, the collaboration between the NCSC, Microsoft, and other cybersecurity stakeholders underscores the critical need for vigilance and proactive measures to defend against evolving cyber threats and safeguard sensitive information in an increasingly interconnected digital landscape.