Russian state-sponsored hackers, known as APT28, have been compromising routers to steal sensitive information, according to a recent warning from the UK's National Cyber Security Centre (NCSC). The attackers are leveraging virtual private servers, which they have modified to function as malicious Domain Name System (DNS) servers, allowing them to intercept and manipulate internet traffic. This tactic enables APT28 to hijack user credentials and other sensitive data. The use of compromised routers as malicious DNS servers is a significant escalation of APT28's activities, highlighting the group's continued sophistication and adaptability. The UK's warning underscores the shifting threat landscape, in which state-aligned activity is becoming increasingly prevalent and organizations need to reassess their security posture [1]. This development matters to security practitioners because it signals a geopolitical threat model that demands a distinct response strategy, one that accounts for the unique motivations and capabilities of state-sponsored actors.
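A defender-side check for the tactic described above, added here as an example (it is not code from the NCSC warning or from Infosecurity Magazine): it audits the resolvers a host has been handed against an allow-list and compares answers from the configured resolver with answers from an out-of-band trusted resolver, which is how a rogue DNS server pushed by a compromised router shows up on an endpoint. The resolv.conf text, allow-list and DNS answer sets are constructed sample data.

```python
from __future__ import annotations
import ipaddress
import re

# Constructed sample: resolv.conf as a host would receive it over DHCP from its router.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 192.168.1.1
nameserver 203.0.113.45
"""

# Constructed allow-list: the gateway plus the organisation's internal resolver.
EXPECTED_RESOLVERS = {"192.168.1.1", "10.0.0.53"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return nameserver addresses in order, ignoring comments and other directives."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"nameserver\s+(\S+)$", line)
        if m:
            servers.append(m.group(1))
    return servers


def unexpected_resolvers(resolv_conf: str, expected: set[str]) -> dict[str, str]:
    """Map each resolver not on the allow-list to a reason; an address outside RFC 1918
    space on a LAN-issued config is the strongest signal that DHCP/DNS settings were tampered with."""
    flagged = {}
    for addr in parse_nameservers(resolv_conf):
        if addr in expected:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            flagged[addr] = "not in allow-list (unparseable address)"
            continue
        inside = ip.version == 4 and any(ip in net for net in RFC1918)
        flagged[addr] = "not in allow-list (%s)" % ("RFC 1918 address" if inside else "outside RFC 1918 space")
    return flagged


def divergent_answers(configured: dict[str, set[str]], trusted: dict[str, set[str]]) -> dict[str, tuple[set[str], set[str]]]:
    """Names whose A records from the configured resolver differ from the trusted resolver.
    A mismatch is a review item, not a verdict: legitimate split-horizon DNS also diverges."""
    return {name: (configured[name], trusted.get(name, set()))
            for name in configured if configured[name] != trusted.get(name, set())}


# Constructed answers: the configured resolver redirects only the webmail portal.
CONFIGURED_ANSWERS = {"webmail.corp.example": {"198.51.100.7"}, "www.example.com": {"93.184.216.34"}}
TRUSTED_ANSWERS = {"webmail.corp.example": {"10.0.5.20"}, "www.example.com": {"93.184.216.34"}}

if __name__ == "__main__":
    print(unexpected_resolvers(SAMPLE_RESOLV_CONF, EXPECTED_RESOLVERS))
    print(divergent_answers(CONFIGURED_ANSWERS, TRUSTED_ANSWERS))
```

In practice the trusted answer set comes from a resolver reached over a path the router cannot influence (for example DoH/DoT to a known resolver), and the resolv.conf and DHCP option 6 values are collected by endpoint telemetry.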
Russian APT28 Hackers Hijack Routers to Steal Credentials, UK Security Agency Warns
⚡ High Priority
Why This Matters
State-aligned activity involving APT28 shifts the threat model from criminal to geopolitical — different playbook required.
References
- Infosecurity Magazine. (2026, April 7). Russian APT28 Hackers Hijack Routers to Steal Credentials, UK Security Agency Warns. Infosecurity Magazine. https://www.infosecurity-magazine.com/news/russia-apt28-hijack-routers-uk-ncsc/
Original Source
Infosecurity Magazine