
Russia's Fancy Bear targets TP‑Link and Cisco routers in large‑scale DNS hijacking campaign

The UK's National Cyber Security Centre has issued a new warning that Russia‑linked APT28, also known as Fancy Bear, is actively compromising small office and home routers by altering DNS settings to redirect users to credential‑stealing fake websites. Microsoft reports more than 200 organizations and 5,000 devices have already been affected, with attackers targeting TP‑Link, Cisco, and MikroTik routers, including many located in Ukraine for intelligence gathering. By hijacking DNS, the group can intercept login attempts to services like Outlook and potentially gain access to upstream enterprise networks. Authorities urge organizations to review mitigation guidance as Fancy Bear continues to leverage router vulnerabilities for espionage, malware deployment, and broader cyber operations.

Read the full story on The Register →