Russia’s most notorious state-backed hacking group has compromised email accounts belonging to UK government and Foreign Office officials, marking the latest chapter in an escalating cyber conflict between Moscow and Western democracies. The breach, attributed to APT28, better known as Fancy Bear, relies on a deceptively simple technique: hijacking the internet’s phone book to redirect traffic and steal login credentials.

How the attack works

The UK’s National Cyber Security Centre first flagged APT28’s campaign on April 7, 2026, revealing that the group had been exploiting vulnerable internet routers to conduct DNS hijacking at scale. They compromised the devices that direct internet traffic, then rerouted that traffic through their own servers to silently harvest passwords, access tokens, and other login credentials for email and web services.

APT28 is assessed with high confidence to be an arm of Russia’s GRU, specifically Military Unit 26165, which operates under the 85th Main Special Service Centre.

The group’s playbook follows a two-phase approach. First, opportunistic scanning sweeps across networks to identify vulnerable edge devices. Previous campaigns hit over 18,000 networks during this initial dragnet phase. Then comes the precision strike, narrowing focus to high-value targets like government officials, diplomats, and senior policymakers.