Russian Hackers Exploit Routers to Steal Credentials
By Steven | TrustYourWebsite | 2 min read
Source: NCSC-UK news
The UK's National Cyber Security Centre (NCSC) has published an advisory warning that a Russian state-linked hacking group is exploiting vulnerable routers to intercept web traffic and steal login credentials.
What happened?
According to the NCSC, the group known as APT28 (identified as Russian GRU unit 26165) has been targeting routers to overwrite their DHCP and DNS settings. Once those settings are changed, the router hands out attacker-controlled resolvers to devices on the network and sends internet traffic through servers controlled by the attackers rather than through your internet provider's legitimate servers.
This technique is called an adversary-in-the-middle attack. It allows the attackers to silently sit between you and the websites you visit, harvesting passwords, OAuth tokens (the kind used when you log in with Google or another account) and other credentials for web and email services.
According to the NCSC advisory, the activity appears to be opportunistic. The attackers cast a wide net, then filter down to targets they consider to be of intelligence value.
What is the NCSC saying?
The NCSC has published indicators of compromise alongside the advisory, giving technical teams something concrete to check against. The advisory also includes mitigations, practical steps organisations can take to reduce their exposure.
The risks the NCSC highlights are credential theft, data manipulation and broader compromise of systems. In other words, if an attacker can quietly redirect your traffic, they can collect login details without you ever knowing.
The advisory references several techniques from the MITRE ATT&CK framework, including T1557 (adversary-in-the-middle), T1583.002, T1583.003, T1584.008, T1588.006 and T1586.
What does this mean for your website?
If your business uses a router that has not been updated or secured, it could be vulnerable to this kind of attack, meaning customer login details or your own admin credentials could be intercepted without any visible sign of a problem. Checking that your router firmware is up to date and that default settings have been changed is a straightforward step worth taking now. You can find practical guidance on securing your business in our security checklist for small businesses.
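The attack described above works because the router's DHCP server starts handing out DNS resolvers the attacker controls, so one practical check is to compare the resolvers a client actually received against the ones your network is supposed to use, and to compare the answers those resolvers give for your important names against an independent, trusted resolver. The following is an added example written for this article, not code from the NCSC advisory or from TrustYourWebsite. The resolv.conf text, the expected resolver set, and the two sets of DNS answers are all constructed sample data; the addresses are documentation ranges, not indicators from the advisory.

```python
import ipaddress
import re

# Constructed sample: a resolv.conf as written by a DHCP client on a LAN.
# The second nameserver is one the organisation never configured.
SAMPLE_RESOLV_CONF = """# Generated by dhcpcd from eth0.dhcp
nameserver 192.0.2.53
nameserver 203.0.113.9
search corp.example
"""

# Hypothetical allowlist: resolvers the router is supposed to hand out.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed A-record answers for the same names, as returned by the
# router-assigned resolver and by an independent trusted resolver.
ANSWERS_VIA_ROUTER = {
    "login.example.com": "198.51.100.77",  # differs: traffic would be redirected
    "mail.example.com": "192.0.2.10",
}
ANSWERS_VIA_TRUSTED = {
    "login.example.com": "192.0.2.20",
    "mail.example.com": "192.0.2.10",
}


def parse_resolvers(resolv_conf: str) -> list[str]:
    """Return the nameserver addresses in resolv.conf text, ignoring comments
    and skipping lines whose address does not parse."""
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"nameserver\s+(\S+)$", line)
        if not match:
            continue
        try:
            servers.append(str(ipaddress.ip_address(match.group(1))))
        except ValueError:
            continue  # malformed address, not a resolver we can check
    return servers


def unexpected_resolvers(configured: list[str], expected: set[str]) -> list[str]:
    """Resolvers the client received that are not on the allowlist."""
    return sorted(set(configured) - set(expected))


def mismatched_answers(via_router: dict, via_trusted: dict) -> list[str]:
    """Names whose A record from the router-assigned resolver differs from
    the trusted resolver's answer. Names the trusted resolver did not
    answer are skipped rather than reported."""
    mismatched = []
    for name, ip in via_router.items():
        trusted_ip = via_trusted.get(name)
        if trusted_ip is not None and trusted_ip != ip:
            mismatched.append(name)
    return sorted(mismatched)


def audit(resolv_conf: str, expected: set[str], via_router: dict, via_trusted: dict) -> list[str]:
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for ip in unexpected_resolvers(parse_resolvers(resolv_conf), expected):
        findings.append(f"unexpected DNS resolver handed out by DHCP: {ip}")
    for name in mismatched_answers(via_router, via_trusted):
        findings.append(
            f"DNS answer for {name} differs from trusted resolver: "
            f"{via_router[name]} vs {via_trusted[name]}"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESOLV_CONF, EXPECTED_RESOLVERS,
                         ANSWERS_VIA_ROUTER, ANSWERS_VIA_TRUSTED):
        print("FINDING:", finding)
```

On a live network the two answer dictionaries would be filled by querying the router-assigned resolver and a trusted one (for example over an encrypted transport that bypasses the router's DNS) for the same short list of names you care about; the comparison logic stays the same. A redirected name or an unlisted resolver is worth investigating alongside the firmware and default-setting checks mentioned above, since a router that has been reconfigured will pass both of those checks and still fail this one.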