Russia’s state-backed hacking group APT28, also known as Fancy Bear, has successfully compromised email accounts belonging to UK government and Foreign Office officials. This represents a significant escalation in Moscow's cyber operations against Western democracies.

The National Cyber Security Centre (NCSC) revealed on April 7, 2026, that APT28 exploited vulnerable internet routers to conduct DNS hijacking. The attackers compromised devices that direct internet traffic, then rerouted that traffic through their own servers to silently harvest passwords and login credentials.

The group, assessed as part of Russia's GRU military intelligence agency, uses a two-phase approach. First, opportunistic scanning identifies vulnerable network devices, compromising over 18,000 networks in previous campaigns. Then, precision strikes target high-value officials like diplomats and senior policymakers.

NCSC Director Paul Chichester emphasized the vulnerability of network edge devices and urged organizations to implement firmware updates, strict access controls, and two-step verification.

This represents a tactical evolution from earlier 2018 attacks that used spear-phishing emails. Now, attackers compromise infrastructure directly, intercepting legitimate traffic without victims ever seeing a phishing attempt.

While the NCSC confirms APT28's primary objective is espionage and credential harvesting, the same router vulnerabilities affect all network infrastructure, including systems supporting digital assets and financial services.

The NCSC's recommended security measures remain fundamental yet widely unimplemented, as evidenced by the scale of compromised networks during APT28's operations.