Russian hackers infiltrate UK government emails in cyberattack targeting Foreign Office officials

Russia’s most notorious state-backed hacking group has compromised email accounts belonging to UK government and Foreign Office officials, marking the latest chapter in an escalating cyber conflict between Moscow and Western democracies. The breach, attributed to APT28, better known as Fancy Bear, relies on a deceptively simple technique: hijacking the internet’s phone book to redirect traffic and steal login credentials.

How the attack works

The UK’s National Cyber Security Centre first flagged APT28’s campaign on April 7, 2026, revealing that the group had been exploiting vulnerable internet routers to conduct DNS hijacking at scale. The attackers compromised the devices that direct internet traffic, then rerouted that traffic through their own servers to silently harvest passwords, access tokens, and other login credentials for email and web services.

APT28 is assessed with high confidence to be an arm of Russia’s GRU, specifically Military Unit 26165, which operates under the 85th Main Special Service Centre.

The group’s playbook follows a two-phase approach. First, opportunistic scanning sweeps across networks to identify vulnerable edge devices. Previous campaigns hit over 18,000 networks during this initial dragnet phase. Then comes the precision strike, narrowing focus to high-value targets like government officials, diplomats, and senior policymakers.

NCSC Director Paul Chichester highlighted the specific vulnerability of network edge devices, pushing organizations to implement mitigations including firmware updates, strict access controls, and mandatory two-step verification.
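As an added, defender-side illustration of the hijack described above and the mitigations the NCSC recommends (this is example code, not from the article or the NCSC), the check below flags resolvers a host was handed that are not on an allowlist, and cross-checks answers from the configured resolution path against a trusted out-of-band resolver; every hostname, IP address and lookup function here is a constructed assumption.

```python
"""Detect DNS hijacking by cross-checking the resolver a host actually uses
against a resolver allowlist and a trusted out-of-band resolver.

Resolution is abstracted behind callables so this runs offline with
constructed data; in production, pass real lookup functions (one bound to
the DHCP/router-supplied resolver, one bound to a trusted resolver).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

Lookup = Callable[[str], Set[str]]  # hostname -> set of A-record IPs


@dataclass
class Finding:
    kind: str      # "rogue_resolver" or "answer_mismatch"
    subject: str   # resolver IP or hostname concerned
    detail: str


def check_resolvers(configured: List[str], allowed: Set[str]) -> List[Finding]:
    """Flag any resolver handed to the host that is not on the allowlist."""
    return [Finding("rogue_resolver", r, "not in resolver allowlist")
            for r in configured if r not in allowed]


def compare_answers(names: List[str], configured: Lookup, trusted: Lookup) -> List[Finding]:
    """Resolve each name via both paths; fully disjoint answers mean the
    host would send its traffic somewhere the trusted resolver never names."""
    findings: List[Finding] = []
    for name in names:
        seen, expected = configured(name), trusted(name)
        if not seen & expected:
            findings.append(Finding("answer_mismatch", name,
                                    f"configured={sorted(seen)} trusted={sorted(expected)}"))
    return findings


# Constructed sample data using RFC 5737 documentation address ranges (hypothetical).
ALLOWED_RESOLVERS: Set[str] = {"192.0.2.53"}
CONFIGURED_RESOLVERS: List[str] = ["192.0.2.53", "203.0.113.9"]  # second entry: injected by a hijacked router
TRUSTED_ANSWERS: Dict[str, Set[str]] = {"mail.example.gov.uk": {"198.51.100.10"},
                                        "login.example.gov.uk": {"198.51.100.11"}}
HIJACKED_ANSWERS: Dict[str, Set[str]] = {"mail.example.gov.uk": {"198.51.100.10"},
                                         "login.example.gov.uk": {"203.0.113.44"}}  # redirected login portal


def run_demo() -> List[Finding]:
    """Run both checks over the constructed data; returns findings in order."""
    configured: Lookup = lambda n: HIJACKED_ANSWERS.get(n, set())
    trusted: Lookup = lambda n: TRUSTED_ANSWERS.get(n, set())
    return (check_resolvers(CONFIGURED_RESOLVERS, ALLOWED_RESOLVERS)
            + compare_answers(sorted(TRUSTED_ANSWERS), configured, trusted))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.kind}: {f.subject} ({f.detail})")
```

Services behind geo-distributed CDNs can legitimately return disjoint answers from two resolvers, so treat an answer mismatch as a triage signal to confirm against the firmware and configuration state of the edge device rather than as proof of compromise on its own.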

A pattern years in the making

Russian cyber operations targeting UK government entities have been documented since at least 2018, when APT28 launched spear-phishing campaigns aimed directly at the Foreign and Commonwealth Office. Those earlier attacks focused on tricking individual employees into surrendering credentials through fake login pages.

The shift to DNS hijacking represents a tactical evolution. Rather than relying on a human clicking a malicious link, the attackers now compromise infrastructure itself. The victim never sees a phishing email. Their legitimate traffic simply gets intercepted in transit.

The NCSC has noted that APT28’s primary objective remains traditional espionage, specifically credential harvesting and email interception, rather than direct financial theft or cryptocurrency exploitation.

What this means for crypto and digital asset security

The NCSC’s analysis explicitly frames APT28’s operations as intelligence-gathering rather than financially motivated cybercrime. However, the same router vulnerabilities that gave Russian intelligence access to UK government emails exist across every network that crypto infrastructure touches.

The NCSC’s recommended mitigations (device updates, strict access controls, and two-step verification) sound basic. They are basic. And yet over 18,000 networks were compromised during APT28’s scanning phase, which tells you everything about the gap between knowing what to do and actually doing it.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.
