UK and U.S. officials are warning of rising cyber risks driven by Russia- and Iran-linked hacker groups, according to new reports by the Financial Times and Bloomberg.
Britain’s National Cyber Security Centre warned that an elite Russian state cyber group known as APT28 had exploited vulnerable internet routers commonly used in the UK to conduct domain name system, or DNS, hijacking operations, the FT said. The activity allowed the attackers to covertly reroute users’ internet traffic through malicious servers under their control, potentially enabling them to intercept traffic and steal passwords and access tokens from personal web and email services.
The NCSC described the Russian activity as likely “opportunistic in nature,” with attackers casting a wide net before narrowing in on targets of intelligence interest as an operation develops, according to the report. The British agency identified TP-Link and MikroTik devices as vulnerable to the method.
Paul Chichester, the NCSC’s director of operations, said the findings showed how flaws in widely used network devices could be exploited by sophisticated hackers and urged companies and individuals to protect themselves by applying security updates and carrying out regular antivirus scans, the FT said.
In a DNS hijacking attack, hackers interfere with the system that directs users to websites when they type familiar web addresses, allowing victims to be silently redirected to malicious sites designed to capture login credentials and other sensitive data.
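The two symptoms a defender can actually check for after a router-level DNS hijack of the kind described above are (1) the resolver handed to clients is no longer the expected one and (2) answers from that resolver disagree with answers from a known-good resolver. The following Python is an added example written for this page, not code from the article, the NCSC or any vendor; the resolver addresses, the resolv.conf text and the DNS answers are all constructed sample data, and the "expected resolver" set is an assumption about a particular network that a reader would replace with their own.

```python
"""Added example: resolver-side checks for DNS hijacking (constructed data, runs offline)."""
import ipaddress

# Assumption: clients should only ever be pointed at the router's LAN address
# or the ISP's resolvers. These values are constructed for the example.
EXPECTED_RESOLVERS = {"192.168.1.1", "203.0.113.53", "203.0.113.54"}

# Constructed resolv.conf as a hijacked client might see it: an unknown
# upstream has been inserted ahead of the router's own address.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
nameserver 198.51.100.7
nameserver 192.168.1.1
search example.lan
"""

# Constructed answers: what the client's configured resolver returned versus
# what an independent, trusted resolver returned for the same names.
SAMPLE_LOCAL = {
    "www.example.com": {"192.0.2.5"},
    "mail.example.com": {"198.51.100.20"},   # redirected to attacker-style address
}
SAMPLE_TRUSTED = {
    "www.example.com": {"192.0.2.5"},
    "mail.example.com": {"192.0.2.10", "192.0.2.11"},
}


def parse_resolv_conf(text):
    """Return the nameserver IPs listed in resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue                            # ignore malformed entries
    return servers


def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Resolvers a client is using that are not on the expected list."""
    return [s for s in servers if s not in expected]


def compare_answers(local, trusted):
    """Names whose local answers share no address with the trusted answers.

    Overlap rather than equality is used because CDN-backed names legitimately
    return different subsets of addresses; an empty intersection is the signal.
    """
    mismatched = []
    for name, trusted_ips in trusted.items():
        local_ips = local.get(name, set())
        if not local_ips & trusted_ips:
            mismatched.append(name)
    return sorted(mismatched)


def run_checks(resolv_conf=SAMPLE_RESOLV_CONF, local=SAMPLE_LOCAL, trusted=SAMPLE_TRUSTED):
    """Run both checks and return the findings as a dict."""
    servers = parse_resolv_conf(resolv_conf)
    return {
        "configured_resolvers": servers,
        "unexpected_resolvers": unexpected_resolvers(servers),
        "mismatched_names": compare_answers(local, trusted),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

In practice the `local` and `trusted` dictionaries would be filled by querying the client's configured resolver and an independent resolver over a validated transport; a hit on either check is a reason to inspect the router's DNS and DHCP settings and firmware level, not proof of compromise on its own.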
Britain’s warning was accompanied by a statement from Germany’s domestic intelligence agency, which said Germany had also been targeted by APT28. The Federal Office for the Protection of the Constitution said it had contacted operators of targeted TP-Link routers last month and provided guidance on how to secure them against future attacks, according to the FT.
APT28 has been linked to several high-profile cyber operations in recent years. The NCSC said the group was “almost certainly” Russia’s GRU military intelligence Unit 26165. It has been implicated in attacks on the U.S. Democratic National Committee, the German Bundestag, and Western logistics supporting Ukraine, the FT reported. The group is also known as Forest Blizzard and Fancy Bear.
In a separate warning issued Tuesday, U.S. agencies said cyberattackers linked to Iran were targeting critical infrastructure, including drinking water systems and the energy sector, Bloomberg reported. The Environmental Protection Agency, the FBI, and other agencies said in a joint statement that the attacks were aimed at technology used in water and sewer systems as well as government facilities and services, Bloomberg said.
The warning did not specify where the attacks were taking place and was issued before the ostensible ceasefire between the United States and Iran.
The attacks resembled previous operations by CyberAv3ngers, a group the U.S. government says has ties to Iran’s Islamic Revolutionary Guard Corps, Bloomberg reported. CyberAv3ngers targeted control devices used in water and sewer systems in 2023.
Read more at the Financial Times
Read more at Bloomberg
