
GCHQ
UK signals intelligence and cyber security agency; parent organisation of the NCSC, which issued the APT28 advisory and the CitrixBleed 3 guidance.
Last refreshed: 17 April 2026
What intelligence underpins GCHQ's claim that Russia's military is behind the router attacks?
Mentioned in: CitrixBleed 3 lands on SAML broker
Cybersecurity: Threats and Defences
- Did GCHQ blame Russia for the router hacking campaign?
- Yes. Through NCSC, GCHQ published an advisory on 7 April 2026 attributing the SOHO router DNS hijacking campaign to APT28, assessed with 'almost certain' confidence to be Russia's GRU Unit 26165. Source: NCSC / GCHQ advisory PSA260407
Background
GCHQ, the UK's signals intelligence and cyber security agency, is the parent organisation of the National Cyber Security Centre (NCSC). Through NCSC, GCHQ issued the attribution-backed APT28 advisory on 7 April 2026, which identified GRU Unit 26165 as responsible for DNS hijacking via SOHO routers to steal Microsoft 365 credentials; the CitrixBleed 3 advisory on 25 March; and the joint NCSC-AIVD advisory on state-linked messaging-app targeting on 31 March and 9 March 2026.
GCHQ is responsible for signals intelligence, cyber defence and UK national cyber security. The NCSC, which sits within GCHQ and was established in 2016, is its outward-facing cyber security authority, responsible for national-level threat advisories, incident response coordination and guidance to industry. GCHQ's intelligence collection underpins the attribution assessments published through NCSC.
The APT28 advisory is one of the higher-confidence attribution actions in this update: the NCSC assessment that APT28 is "almost certainly" GRU Unit 26165 reflects the classified intelligence basis that GCHQ provides for NCSC's published advisories. For UK critical-infrastructure operators, NCSC advisories with GCHQ-sourced attribution carry higher evidentiary weight than attributions from commercial threat-intelligence vendors.