Russian military-linked hackers are actively compromising poorly secured home and small-office routers to hijack internet traffic and spy on organizations worldwide.
Microsoft Threat Intelligence recently exposed this massive global campaign by a group known as Forest Blizzard, which has already impacted over 200 organizations and 5,000 consumer devices.
Forest Blizzard is a sophisticated state-sponsored threat actor that operates in direct support of Russian government intelligence and foreign policy goals.
Also tracked by cybersecurity researchers under names like APT28 or Strontium, this group and its subgroup Storm-2754 have been exploiting insecure small office routers since August 2025.
These common edge devices are frequently unpatched and poorly monitored, making them a perfect stepping stone for hackers to pivot seamlessly into larger enterprise networks.
Router Compromise Methods
The attack chain begins when the hackers gain unauthorized access to vulnerable routers and maliciously alter their default network configurations.
The attackers manipulate the Domain Name System (DNS) settings, forcing the compromised routers to send all incoming internet traffic requests directly to malicious servers.
This specific tactic enables persistent, passive network visibility and reconnaissance at an unprecedented scale for the Russian intelligence actors.
Everyday devices like laptops and mobile phones automatically receive their network settings from the router, meaning every connected device unknowingly routes its traffic through the attacker’s infrastructure.
The hackers rely on a common, legitimate networking utility called dnsmasq to handle this illicit traffic forwarding.
By listening on port 53 for incoming DNS queries, the attackers can silently monitor the compromised networks without triggering any immediate security alarms.
Adversary-in-the-Middle Attacks
Once the initial DNS traffic is successfully hijacked, Forest Blizzard selectively launches Adversary-in-the-Middle (AiTM) attacks against high-value targets in the government, IT, and energy sectors.
The hackers force the targeted endpoints to connect to spoofed versions of legitimate Microsoft services by presenting an invalid security certificate to the user.
If the compromised user ignores the browser’s security warning, the attackers can actively intercept sensitive emails, passwords, and cloud data hidden within the encrypted connection.
While the initial router hijacking casts a very wide net, the follow-on AiTM attacks are highly targeted against specific foreign intelligence priorities.
Microsoft noted that these specific data interceptions have included advanced operations against non-Microsoft hosted servers in at least three different government organizations in Africa.
An attacker holding an AiTM position could easily escalate these covert operations in the future to deploy destructive malware or initiate network denial-of-service attacks against the victims.
To mitigate these escalating threats, organizations must immediately recognize that unmanaged home routers used by remote workers represent a critical security vulnerability.
Security experts strongly advise enforcing Zero Trust DNS policies on all corporate laptops to ensure remote devices only resolve web addresses through trusted corporate servers.
Furthermore, companies should actively avoid using consumer-grade router solutions in any corporate environments to drastically reduce their overall network attack surface.
Identity Protection Strategies
Companies should fully integrate their identity management into a centralized platform and carefully synchronize all user accounts to maintain a secure digital boundary.
Organizations must strictly enforce phishing-resistant multifactor authentication and utilize smart conditional access policies to block risky sign-in attempts automatically.
Implementing these comprehensive identity protections can effectively prevent a compromised home Wi-Fi connection from leading to a devastating corporate data breach.
Organizations utilizing advanced security platforms like Microsoft Defender can proactively hunt for anomalous DNS modifications on their endpoint devices.
While resetting the altered DNS settings will stop the immediate traffic redirection, it will not protect organizations if the attackers have already successfully stolen user credentials.
Therefore, security teams must maintain detailed network logs and implement continuous access evaluation protocols to detect and neutralize post-compromise behavior rapidly.
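One way a security team can hunt for the DNS modifications described above, as an added example that is not part of the original article or Microsoft's guidance: audit each managed endpoint's DNS configuration against the corporate resolver allowlist that a Zero Trust DNS policy enforces, and compare the answer it received for a canary name with the expected one. All resolver addresses, hostnames and the canary record below are constructed assumptions.

```python
import ipaddress

# Constructed corporate allowlist: the only resolvers a managed laptop
# should ever use under a Zero Trust DNS policy (assumed values).
TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# RFC 1918 ranges: a resolver here that is not on the allowlist is usually
# the home router itself, i.e. the device answering on port 53 in the attack.
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed canary: what the trusted resolvers return for a corporate
# login host (assumed values). A hijacked path answers with something else.
CANARY_NAME = "login.corp.example"
CANARY_EXPECTED = {"203.0.113.10", "203.0.113.11"}


def audit_endpoint(record):
    """Return findings for one endpoint's DNS inventory.

    record = {"host": str, "resolvers": [str], "canary_answer": [str]}
    """
    findings = []
    for r in record["resolvers"]:
        if r in TRUSTED_RESOLVERS:
            continue
        ip = ipaddress.ip_address(r)
        on_lan = any(ip in net for net in LAN_RANGES)
        kind = "home-router/LAN resolver" if on_lan else "untrusted public resolver"
        findings.append(f"{record['host']}: {kind} {r}")
    answers = set(record["canary_answer"])
    if answers and not answers <= CANARY_EXPECTED:
        unexpected = sorted(answers - CANARY_EXPECTED)
        findings.append(f"{record['host']}: canary {CANARY_NAME} resolved to {unexpected}")
    return findings


def audit_fleet(records):
    """Map each host to its findings; an empty list means the host is clean."""
    return {rec["host"]: audit_endpoint(rec) for rec in records}


# Constructed inventory, as it might be exported from endpoint telemetry.
SAMPLE_RECORDS = [
    {"host": "lt-001", "resolvers": ["10.0.0.53"], "canary_answer": ["203.0.113.10"]},
    {"host": "lt-002", "resolvers": ["192.168.1.1"], "canary_answer": ["198.51.100.77"]},
    {"host": "lt-003", "resolvers": ["10.0.1.53", "198.51.100.53"], "canary_answer": ["203.0.113.11"]},
]

if __name__ == "__main__":
    for host, findings in audit_fleet(SAMPLE_RECORDS).items():
        print(host, "OK" if not findings else findings)
```

A host whose only resolver is its home router is the case the article describes: resetting that setting stops the redirection, but the canary mismatch is what tells you the traffic had already been steered, so credential reset and log review follow.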