"Russian state cyber group APT28, a unit of Russian military intelligence, has exploited vulnerable internet routers to enable domain name system (DNS) hijacking operations" [APT28]
The article frames APT28's router exploitation as part of a pattern: the same unit has targeted US Democratic infrastructure, German government networks, and Ukrainian logistics. The NCSC characterizes the activity as 'likely opportunistic in nature', with attackers 'casting a wide net' before 'narrowing in on targets of intelligence interest'. That description reveals a two-stage attack model in which mass compromise of civilian infrastructure serves as a hunting ground for high-value targets. The model generalizes beyond this incident: state cyber operations are increasingly treating mass-market infrastructure as persistent beachheads rather than pursuing only targeted intrusions.