Microsoft has disclosed a large-scale campaign by Forest Blizzard, a Russian military-linked threat actor, that targets home and small-office routers to hijack DNS traffic and intercept encrypted communications; over 200 organizations and 5,000 consumer devices have already been compromised.
Forest Blizzard (also tracked as APT28 or Strontium) is a threat actor operating in direct support of the Russian government’s foreign policy and intelligence objectives.
Microsoft observed that the campaign has been active since at least August 2025. Forest Blizzard and its sub-group Storm-2754 have been systematically targeting vulnerable small office/home office (SOHO) devices, the everyday routers found in homes and remote workplaces, to build a covert, hard-to-detect intelligence collection infrastructure.
Microsoft Threat Intelligence confirmed that no Microsoft-owned assets or services were compromised.
Router Compromise and DNS Hijacking
The attack chain begins with Forest Blizzard gaining unauthorized access to poorly secured SOHO routers and silently modifying their default network settings. Specifically, the actor replaces the router’s legitimate DNS resolver configuration with actor-controlled DNS servers.
Since endpoint devices, such as laptops, phones, and workstations, automatically inherit network configuration from routers via the Dynamic Host Configuration Protocol (DHCP), every device connecting through a compromised router unknowingly begins forwarding its DNS requests to Russian intelligence-controlled infrastructure.
To perform DNS resolution, Forest Blizzard is assessed with high confidence to be leveraging dnsmasq, a legitimate, widely deployed lightweight DNS forwarding and DHCP utility built into many home routers, repurposed to intercept and respond to DNS queries on port 53.
This means the actor can passively observe every domain lookup made by thousands of victims without triggering the alarms typically associated with direct network intrusions.
Adversary-in-the-Middle (AiTM) Attacks on TLS Connections
For a select subset of high-priority targets, Forest Blizzard escalated beyond passive DNS collection to active Adversary-in-the-Middle (AiTM) attacks against Transport Layer Security (TLS) connections. The full attack chain, illustrated in the diagram above, works as follows:
- The compromised router redirects the victim’s DNS query to the actor-controlled resolver
- The malicious resolver returns a spoofed IP address, directing the victim’s device to actor-controlled infrastructure instead of the legitimate service
- The device initiates a TLS connection with the actor’s server, which presents an invalid, spoofed TLS certificate impersonating a legitimate Microsoft service
- If the victim ignores the browser or application warning about the invalid certificate, the TLS handshake completes
- Forest Blizzard then intercepts the underlying plaintext traffic — potentially including emails, credentials, and sensitive cloud-hosted content.
Microsoft confirmed AiTM attacks targeting Microsoft Outlook on the web domains as well as non-Microsoft government servers in at least three African nations, where DNS requests were intercepted, and follow-on data collection was conducted.
The campaign has impacted organizations across government, information technology, telecommunications, and energy sectors — all historically consistent with Russian military intelligence collection priorities.
While the router-level compromise spans thousands of consumer devices, the TLS AiTM component appears to be deployed selectively against organizations deemed to have the highest intelligence value, reflecting a disciplined, tiered approach to exploitation.
This marks the first time Microsoft has observed Forest Blizzard deploying DNS hijacking at scale, specifically to enable TLS AiTM attacks after exploiting edge devices.
Targeting SOHO devices is not new for Russian actors: the UK’s NCSC has documented similar APT28 router exploitation tactics. But the integration of passive DNS collection with selective active interception represents a dangerous operational evolution.
Mitigations
Microsoft urges organizations and individuals to take the following immediate steps:
- Reboot and update SOHO router firmware to eliminate known vulnerabilities
- Change default credentials on all home and office routers immediately
- Audit DNS settings on Windows machines for unauthorized changes to DNS resolver addresses
- Enable certificate warnings and train employees never to bypass TLS certificate errors
- Deploy Microsoft Defender detection rules to hunt for anomalous DNS modifications in endpoint telemetry
- Segment remote worker traffic and enforce VPN usage to reduce exposure of cloud credentials over potentially compromised home networks
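The DNS audit recommended above is easy to automate. The following script is an added example, not code from Microsoft or from the original report: it parses the output of `ipconfig /all` on a Windows endpoint, extracts every configured DNS resolver per adapter (including the indented continuation lines Windows prints when an adapter has more than one resolver), and classifies each resolver against an allowlist. The sample `ipconfig` text, the allowlist value `192.168.1.1`, and the outside address `203.0.113.77` are constructed for illustration.

```python
import ipaddress
import re
import subprocess
import sys

# Constructed sample of `ipconfig /all` output from a laptop behind a home router.
# The third resolver on the Ethernet adapter is outside the LAN and not on the
# allowlist, which is exactly the kind of drift this audit should surface.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP-01
   Primary Dns Suffix  . . . . . . . :

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : home.lan
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : fe80::1%12
                                       192.168.1.1
                                       203.0.113.77

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")          # "Ethernet adapter Ethernet:"
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 -]*?)[ .]*:\s*(.*)$")  # "Label . . : value"
CONT_RE = re.compile(r"^\s+([0-9A-Fa-f.:%]+)\s*$")          # bare address continuation line

# Address space an endpoint behind a SOHO router would normally be handed as a resolver.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16", "fe80::/10", "fc00::/7",         # IPv4 link-local, IPv6 link-local, ULA
)]


def parse_dns_servers(ipconfig_text):
    """Return {adapter_name: [resolver, ...]} parsed from `ipconfig /all` text."""
    servers = {}
    adapter = None
    in_dns_field = False
    for line in ipconfig_text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1)
            servers.setdefault(adapter, [])
            in_dns_field = False
            continue
        if adapter is None:           # still in the global "Windows IP Configuration" header
            continue
        if in_dns_field:              # extra resolvers sit alone on indented lines
            m = CONT_RE.match(line)
            if m:
                servers[adapter].append(m.group(1))
                continue
            in_dns_field = False
        m = FIELD_RE.match(line)
        if m and m.group(1).strip() == "DNS Servers":
            in_dns_field = True
            if m.group(2).strip():
                servers[adapter].append(m.group(2).strip())
    return servers


def audit_dns_servers(ipconfig_text, allowed_resolvers):
    """Classify each configured resolver: 'allowed', 'unexpected-lan' or 'unexpected-public'.

    'unexpected-lan' is a LAN/link-local address that is not on the allowlist (often the
    gateway itself); 'unexpected-public' means the endpoint is sending lookups straight
    to an address outside the local network.
    """
    allowed = {ipaddress.ip_address(a) for a in allowed_resolvers}
    findings = []
    for adapter, resolvers in parse_dns_servers(ipconfig_text).items():
        for raw in resolvers:
            addr = ipaddress.ip_address(raw.split("%")[0])   # drop IPv6 zone id
            if addr in allowed:
                verdict = "allowed"
            elif any(addr in net for net in LAN_RANGES):
                verdict = "unexpected-lan"
            else:
                verdict = "unexpected-public"
            findings.append((adapter, raw, verdict))
    return findings


def main():
    # On a real Windows host read the live output; elsewhere fall back to the sample.
    if sys.platform == "win32":
        text = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_IPCONFIG
    for adapter, resolver, verdict in audit_dns_servers(text, {"192.168.1.1"}):
        print(f"{verdict:18} {adapter}: {resolver}")


if __name__ == "__main__":
    main()
```

Two caveats when reading the results. First, an endpoint behind a router that itself runs dnsmasq, as described above, will only ever show the gateway as its resolver and will pass this check; the router's own upstream resolver setting has to be audited separately through its administrative interface. Second, run the allowlist against the resolvers your DHCP scope is supposed to hand out, and treat any `unexpected-public` entry on a corporate-managed machine as an incident to investigate rather than a misconfiguration to silently fix.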
Organizations should treat unmanaged SOHO devices used by remote and hybrid employees as a viable attack surface — because for Forest Blizzard, they already are.