

The NCSC has named a Russian state-sponsored group exploiting small office routers to harvest credentials at scale. Jonathan Krause, founder of Forensic Control and former New Scotland Yard investigator, sets out what the advisory actually requires of UK SMEs, where Cyber Essentials does and does not reach, and what evidence you need to keep.
By Jonathan Krause | Founder, Forensic Control | 28 April 2026
If your business uses cloud services like Microsoft 365, has staff working from home, or supplies any government, defence, NHS, or large corporate customer, this advisory affects you. The technical fix on the router itself is not the hardest part. The harder questions are which routers Cyber Essentials actually covers in 2026 (the answer surprises most applicants), and whether you can prove what you did, when, if asked later by an insurer, a customer, or the regulator. This article walks through both.
On 7 April 2026, the National Cyber Security Centre (NCSC) published an advisory naming the Russian military intelligence group APT28, also known as Fancy Bear, as the actor behind a long-running campaign to compromise small office and home office (SOHO) routers. The campaign is attributed by the UK to Unit 26165 of Russia’s GRU 85th Main Special Service Centre.
The technique itself is straightforward. APT28 exploits known router vulnerabilities to overwrite the device’s Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings. Once those settings point to attacker-controlled servers, every device on the network inherits them. Lookups for services like Microsoft Outlook are quietly redirected, and an adversary-in-the-middle (AitM) page is served instead of the real one. Anyone who clicks past the certificate warning hands over their credentials and, importantly, their session tokens, which lets the attacker bypass multi-factor authentication entirely.
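What that hijack looks like from an endpoint, as an added example rather than code from the advisory or from Forensic Control: the Python below parses the resolvers a DHCP lease handed out and reports any that are off the organisation's baseline. The lease text, the option names parsed and the allow-list of expected resolvers are constructed assumptions.

```python
"""Check the DNS resolvers a DHCP lease hands out against a baseline.

Added example, not code from the NCSC advisory or Forensic Control. The
lease text is constructed to resemble a dhclient lease; the option names
parsed and the allow-list of expected resolvers are assumptions.
"""
import ipaddress
import re

# Constructed sample lease (not from a real device): a public resolver has
# been injected ahead of the router's own LAN address.
SAMPLE_LEASE = """
lease {
  interface "eth0";
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option domain-name-servers 203.0.113.77, 192.168.1.1;
}
"""

# Resolvers the organisation expects home routers to hand out: the router's
# LAN address or the ISP's documented resolvers. Placeholder values.
EXPECTED_RESOLVERS = {"192.168.1.1", "198.51.100.10", "198.51.100.11"}

def parse_lease(text):
    """Return (gateway, subnet mask, [dns servers]) from dhclient-style text."""
    def opt(name):
        m = re.search(r"option %s ([^;]+);" % re.escape(name), text)
        return m.group(1).strip() if m else None
    dns = opt("domain-name-servers")
    servers = [s.strip() for s in dns.split(",")] if dns else []
    return opt("routers"), opt("subnet-mask"), servers

def audit_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Report each resolver that is not on the baseline.

    A router whose DHCP/DNS settings were overwritten keeps its gateway but
    hands out an attacker-controlled resolver, usually a public address.
    """
    gateway, mask, servers = parse_lease(text)
    lan = ipaddress.ip_network(f"{gateway}/{mask}", strict=False)
    findings = []
    for s in servers:
        if s in expected:
            continue
        in_lan = ipaddress.ip_address(s) in lan
        findings.append((s, "unexpected LAN resolver" if in_lan
                         else "resolver outside LAN and not on baseline"))
    return findings
```

Run it against a lease captured from a remote worker's machine; a finding of the second kind is the condition the advisory describes.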
Paul Chichester, NCSC Director of Operations, said exploited vulnerabilities in widely used network devices can be leveraged by sophisticated hostile actors. The NCSC named the TP-Link WR841N and CVE-2023-50224 as one confirmed combination, with other TP-Link and MikroTik models also in scope.
The advisory is a UK government statement, not a wire-service story, and it is unusually specific about who is at risk. The activity is described as opportunistic: APT28 casts a wide net across SOHO routers, then filters for victims with intelligence value.
For a small or medium-sized enterprise, intelligence value is broader than it sounds. UK SMEs in the supplier chains of defence, logistics, professional services, energy, and technology sectors are all in scope, as is any organisation working with central government, the Ministry of Defence, or a National Health Service (NHS) trust. If a router on your network is compromised, you may not be the final target. You may be the route in.
Across the Cyber Essentials assessments Forensic Control has carried out in the last twelve months, almost every applicant has at least one home worker with an associated router. The most common finding is firmware years out of date, on a device the internet service provider (ISP) supplied at the start of a contract and has not touched since. Exposed remote management interfaces are less common than they were five years ago, but still present, usually because someone enabled remote admin to fix a problem and never turned it off. Default administrator credentials remain very common on consumer kit issued to remote staff who set it up themselves.
This is the part of the advisory where the line between what the scheme covers and what it does not has to be drawn precisely. The position under Cyber Essentials Requirements for IT Infrastructure v3.3, in force from 27 April 2026, and confirmed by IASME’s own guidance on firewalls and routers, is unambiguous in a way that surprises a lot of applicants.
If a home or remote worker uses a router supplied by their ISP, or one they have bought themselves, that router is out of scope for Cyber Essentials. The firewall control transfers, in those cases, to the software firewall on the home worker's device (the laptop, desktop, tablet, or phone). The applicant organisation is not required to manage, patch, or harden the ISP router. It is required to ensure the host-based firewall on the in-scope device is configured securely. That is the rule, and it is the rule a v3.3 assessor will mark against.
If, on the other hand, the applicant organisation has supplied the router to the home worker, that router is in scope. Every Cyber Essentials firewall control applies to it. So does the v3.3 patching rule: critical or high-risk vulnerabilities in router firmware (CVSS v3 base score of 7 or above, or vendor-classified as critical or high risk) must be patched within 14 days of release, and as of v3.3 a "no" answer to that question is an automatic assessment failure.
The practical implication is that being able to say "we are Cyber Essentials certified" is not, on its own, an answer to the threat the advisory describes. The scheme's scope rule means that the very devices APT28 is exploiting most successfully, ISP-supplied SOHO routers in remote-worker homes, sit just outside the boundary an organisation is being assessed against. That is not an oversight. It reflects a sensible decision that an applicant cannot reasonably be held responsible for hardware they do not own, manage, or have admin credentials for. But it does mean that compliance with v3.3 is necessary, and not sufficient, for the threat profile the advisory describes. The Mythos Preview discussion in our previous article on AI-accelerated vulnerability discovery explains why the wider trend is accelerating, not slowing.
Calling the response "evidence" is deliberate. If your organisation is breached via a compromised router, the question your insurer, your customers, and potentially the Information Commissioner's Office (ICO) will ask is not whether you took action. It is whether you can prove what action you took, when, and to what standard. The answer depends on which of the two scope categories the router sat in, and the FAQ at the end of this article sets out the artefacts in detail for each.
When we are called in after a suspected router compromise, the first question is almost always whether the device is still in the state it was in at the time of the incident. In more cases than not, it is not. Either the router has been factory-reset by the user in an attempt to clean it, or it has been replaced entirely and the original sent back to the ISP. Either way, the volatile evidence that would tell us what the device was doing, where it was sending traffic, and which credentials passed through it has gone. Where logging was enabled at all, it was usually held only on the device itself, with retention measured in hours or days rather than weeks. Recovery is sometimes possible from upstream sources (ISP netflow records, cloud authentication logs showing impossible-travel signatures, mail-server headers), but the work takes substantially longer and costs materially more than it would if a logging baseline had been in place from the start. The single biggest predictor of how quickly and cheaply we can answer the questions an insurer or the ICO will ask is whether the organisation captured and preserved router configuration and logs before the incident, not after.
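The impossible-travel signature mentioned above, worked through as an added example over constructed sign-in records (not code from the advisory or from Forensic Control); the same logic applies to the cloud authentication log review recommended later in this article. The record fields and the 900 km/h threshold are assumptions.

```python
"""Flag impossible-travel sign-ins in exported cloud authentication logs.

Added example, not code from the NCSC advisory or Forensic Control. The
records are constructed; real Microsoft 365 or Google Workspace exports
carry the same fields (user, timestamp, source IP, geolocation) under
their own names, and the 900 km/h threshold is an assumption.
"""
import math
from datetime import datetime

# Constructed sign-in records: user, UTC time, source IP, latitude, longitude.
SAMPLE_SIGNINS = [
    {"user": "a.smith", "time": "2026-04-20T08:02:00Z", "ip": "198.51.100.4", "lat": 51.51, "lon": -0.13},
    {"user": "a.smith", "time": "2026-04-20T08:41:00Z", "ip": "203.0.113.9", "lat": 55.75, "lon": 37.62},
    {"user": "a.smith", "time": "2026-04-20T12:10:00Z", "ip": "198.51.100.4", "lat": 51.51, "lon": -0.13},
    {"user": "b.jones", "time": "2026-04-20T09:00:00Z", "ip": "198.51.100.8", "lat": 53.48, "lon": -2.24},
    {"user": "b.jones", "time": "2026-04-20T15:30:00Z", "ip": "198.51.100.9", "lat": 51.51, "lon": -0.13},
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def _utc(stamp):
    """Parse an ISO-8601 'Z' timestamp into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def impossible_travel(records, max_kmh=900.0):
    """Return (user, earlier_ip, later_ip, km, hours) for each pair of
    consecutive sign-ins by one user whose implied speed exceeds max_kmh.

    A stolen session token replayed from attacker infrastructure produces
    exactly this: a valid sign-in from somewhere the user could not have
    reached since the previous one.
    """
    by_user = {}
    for rec in sorted(records, key=lambda r: (r["user"], r["time"])):
        by_user.setdefault(rec["user"], []).append(rec)
    findings = []
    for user, recs in by_user.items():
        for prev, cur in zip(recs, recs[1:]):
            hours = (_utc(cur["time"]) - _utc(prev["time"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km > 0 and (hours <= 0 or km / hours > max_kmh):
                findings.append((user, prev["ip"], cur["ip"], round(km), round(hours, 2)))
    return findings
```

On the constructed data, only a.smith's second sign-in is flagged: roughly 2,500 km in 39 minutes.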
The Association of Chief Police Officers (ACPO) principles of digital evidence still govern how that material has to be captured and preserved if it is going to support an investigation or a regulatory submission. That work is not something most SMEs are equipped to do under their own steam, which is why having a digital forensics retainer in place before an incident, rather than scrambling for one during it, materially changes the outcome.
APT28, also known as Fancy Bear and Forest Blizzard, is a Russian state-sponsored cyber group attributed to Unit 26165 of the GRU. The NCSC published a fresh advisory on 7 April 2026 because APT28’s exploitation of small office routers has continued through 2024, 2025, and into 2026, including the use of compromised TP-Link and MikroTik devices to hijack DNS and harvest credentials at scale. Joint advisories from the FBI, the National Security Agency (NSA), and partners across Canada, Germany, Poland, and Ukraine were published on the same day.
The NCSC names the TP-Link WR841N specifically, exploited via CVE-2023-50224, alongside other TP-Link and MikroTik models. The technique itself is not model-specific. Any router with an exposed management interface, default credentials, or unpatched firmware is a candidate, particularly if it is at end of vendor support.
A home worker's router is in scope only if the applicant organisation has supplied it. Under Cyber Essentials Requirements for IT Infrastructure v3.3, if a router is provided by the home worker's internet service provider, or bought by the home worker themselves, it is out of scope and the Cyber Essentials firewall control transfers to the software firewall on the in-scope device. If the company supplies the router, it is in scope and must meet every Cyber Essentials firewall and patching requirement, including the 14-day window for critical and high-risk firmware updates. IASME's own guidance on firewalls and routers confirms this position.
Identify every router on every network where business credentials are entered, whether company-supplied or ISP-supplied. For company-supplied routers, confirm management interfaces are not exposed to the public internet, default credentials have been replaced, and firmware is current. For ISP-supplied routers in remote workers' homes, confirm the host-based software firewall on the in-scope laptop or desktop is enabled, correctly configured, and not disablable by a standard user. Once those checks are complete, review cloud authentication logs for the period since the advisory was published.
Cyber Essentials covers the relevant controls within its defined scope. The scheme requires default passwords to be changed, management interfaces to be protected, and critical patches to be applied within 14 days, on every router an applicant supplies. What the scheme expressly does not cover is the ISP-supplied router in a remote worker’s home, which is precisely the device APT28 most often exploits. Compliance with v3.3 is therefore necessary but not sufficient for the threat profile the advisory describes; the gap is closed by host-based firewall hygiene on the in-scope endpoint and by cloud-side authentication monitoring.
For company-supplied routers: a current asset register, a configuration baseline showing management interfaces disabled and credentials replaced, firmware version and patch date records, and exported router logs going back at least 90 days. For ISP-supplied routers, where the router itself is out of CE scope: evidence of host-based firewall configuration on the in-scope endpoint, plus the cloud authentication logs from Microsoft 365 or Google Workspace, which are typically the most useful artefact when reconstructing a router-mediated session-token theft. Captured under ACPO principles of digital evidence, this material materially changes what a digital forensics investigation can recover after an incident.
We assess router and edge-device posture as part of our Cyber Essentials and Cyber Essentials Plus work, and we provide digital forensics retainer services for SMEs that need investigation capability on standby. Our team has handled compromised-device investigations going back to my time at the Hi-Tech Crime Unit at New Scotland Yard. Contact us or call 020 7664 4522 to discuss your situation.