
GCHQ
UK signals intelligence and cyber security agency; parent organisation of the NCSC, which issued APT28 advisory and CitrixBleed 3 guidance.
Last refreshed: 17 April 2026
What intelligence underpins GCHQ's claim that Russia's military is behind the router attacks?
Timeline for GCHQ
Mentioned in: National Wealth Fund writes first defence cheque
UK Startups and InnovationMentioned in: Spaceflux sweeps NSOC, raises £3.5m to £9m
UK Startups and InnovationMentioned in: CitrixBleed 3 lands on SAML broker
Cybersecurity: Threats and DefencesDid GCHQ blame Russia for the router hacking campaign?
Background
GCHQ, the UK's signals intelligence and cyber security agency, is the parent organisation of the National Cyber Security Centre (NCSC). Through NCSC, GCHQ issued the attribution-backed APT28 advisory on 7 April 2026 identifying GRU Unit 26165 as responsible for DNS hijacking via SOHO routers for Microsoft 365 credential theft, the CitrixBleed 3 advisory on 25 March, and the joint NCSC-AIVD advisory on state-linked messaging-app targeting on 31 March and 9 March 2026.
GCHQ is responsible for signals intelligence, cyber defence and UK national cyber security. The NCSC, which sits within GCHQ and was established in 2016, is its outward-facing cyber security authority, responsible for national-level threat advisories, Incident Response coordination and guidance to industry. GCHQ's intelligence collection underpins the attribution assessments published through NCSC.
The APT28 advisory is one of the higher-confidence attribution actions in this update: the NCSC assessment that APT28 is "almost certainly" GRU Unit 26165 reflects the classified intelligence basis that GCHQ provides to NCSC's published advisories. For UK critical-infrastructure operators, NCSC advisories carrying GCHQ-sourced attribution carry higher evidentiary weight than commercial threat-intelligence vendor attributions.