The warning landed alongside action in the United States, where the Justice Department and FBI said on April 7 they had carried out a court-authorised disruption of the US portion of the network used in the operation. American officials said the compromised routers were used to support espionage against targets of interest to the Russian state, including people and organisations in the military, government and critical infrastructure sectors. Reuters reported that the takedown effort, called Operation Masquerade, involved partners in 15 countries.
British officials said the attacks relied on weaknesses in widely used edge devices, particularly small office and home office routers, whose settings were modified to overwrite DHCP and DNS configurations. Once that happened, downstream devices such as laptops and phones on the same network could inherit malicious DNS settings without the user noticing. That gave the attackers a position from which to intercept traffic, identify victims of intelligence value and attempt to capture credentials tied to email and web-based services.
Paul Chichester, the NCSC’s director of operations, said the case showed how exploited vulnerabilities in widely used network devices could be turned into a powerful tool by sophisticated hostile actors. The agency urged organisations to secure management interfaces, keep devices and software updated, and enable two-step verification to reduce the impact of credential theft. The Justice Department said the GRU actors had been exploiting known vulnerabilities since at least 2024 to compromise thousands of TP-Link routers worldwide before using some of them for DNS hijacking.
The operational pattern described by British and American authorities suggests a broad funnel. Officials said the initial compromise of routers was indiscriminate, but the attackers then used automated filtering to determine which DNS requests were worth intercepting. For selected victims, the malicious resolvers returned fraudulent records for domains designed to mimic legitimate services, including Microsoft Outlook Web Access, allowing the attackers to stage convincing credential theft operations. American officials said that process enabled the harvesting of passwords, authentication tokens, emails and other sensitive data.
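The mechanism in the preceding paragraphs (a router handing downstream hosts an attacker-controlled resolver over DHCP, which then answers selected names with fraudulent records) leaves a trace a defender can check on any host: answers from the DHCP-supplied resolver stop agreeing with those from a trusted resolver. The Python below is an added example, not code from the article or from the agencies it quotes; it parses DNS A-record responses in wire format and flags names whose two answer sets share no address. All packets, names and addresses are constructed samples; in practice the router-side packets would come from the lease-supplied resolver and the trusted ones from a resolver reached over an encrypted channel.

```python
import struct
from ipaddress import IPv4Address

def build_a_response(qname, ips, txid=0x1234):
    # Constructed sample: header, one question, one A record per IP; answer names are pointers (0xC00C) to offset 12.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    name = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.rstrip(".").split(".")) + b"\x00"
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(ip).packed
                       for ip in ips)
    return header + name + struct.pack("!HH", 1, 1) + answers

def _read_name(pkt, off):
    # Decode a name that may use compression pointers; return (name, offset just past it).
    labels, end, jumped = [], None, False
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:             # pointer: follow it, remember where we left off
            end = end if jumped else off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(pkt[off:off + length].decode())
        off += length

def parse_a_records(pkt):
    # Return (queried name, set of IPv4 strings) from the answer section of a response.
    ancount = struct.unpack("!H", pkt[6:8])[0]
    qname, off = _read_name(pkt, 12)
    off, ips = off + 4, set()                 # skip QTYPE and QCLASS
    for _ in range(ancount):
        _, off = _read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:
            ips.add(str(IPv4Address(rdata)))
    return qname, ips

def hijack_indicators(router_pkts, trusted_pkts):
    # Names whose router-resolver answers share no address with the trusted resolver's answers.
    trusted = dict(parse_a_records(p) for p in trusted_pkts)
    flagged = {}
    for pkt in router_pkts:
        name, ips = parse_a_records(pkt)
        good = trusted.get(name, set())
        if ips and not ips & good:            # no overlap: resolver disagrees or name is not genuine
            flagged[name] = (sorted(ips), sorted(good))
    return flagged
```

A name the trusted resolver cannot answer at all (empty set) but the router's resolver does is also flagged, which is the lookalike-domain case the article describes.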
The scale of the campaign appears substantial. Reuters reported that Microsoft identified more than 200 organisations and 5,000 consumer devices affected by the hacking operation. Lumen Technologies’ Black Lotus Labs, which helped identify part of the infrastructure, said the activity primarily targeted government agencies, ministries of foreign affairs, law enforcement bodies and third-party email providers. Its analysis pointed to victims in the United States, Europe, Afghanistan, North Africa, Central America and South-East Asia, showing that the operation stretched well beyond a narrow regional theatre.
For London, the latest disclosure fits an established pattern. The NCSC said APT28 is almost certainly the GRU’s 85th Main Special Service Centre and described the group as a highly skilled threat actor. The British government has previously linked APT28 to cyber operations against the German parliament in 2015 and to the attempted 2018 operation against the Organisation for the Prohibition of Chemical Weapons. That history matters because it places the router campaign within a longer lineage of espionage-focused activity aimed at governments, institutions and politically sensitive targets.
The warning also underlines a stubborn weakness in global cyber defence: ageing or poorly managed network hardware at the edge of home and office systems. Routers, firewalls and similar devices often operate out of sight, receive infrequent updates and remain exposed to the internet with weak security settings. Officials say that makes them attractive to state-backed groups looking for low-cost, scalable access that can be repurposed across multiple campaigns. The NCSC noted that the DNS hijacking activity appeared opportunistic at first, with the attackers casting a wide net before narrowing their focus to targets judged to have intelligence value.
German authorities also issued a warning on April 7, reinforcing the view that European services see the operation as part of a live and continuing threat picture rather than a closed case. American officials said the FBI identified compromised routers in the United States, gathered evidence of Russian targeting, severed access and reset devices to restore normal operation. Yet the broader lesson from the advisories is that disruption by law enforcement, while significant, does not remove the structural risk created by vulnerable edge devices that remain deployed across homes, offices and public institutions.