Russian Hackers Exploit Routers in Massive DNS Hijacking Attack

David kimber
April 7, 2026

Key Takeaways

  • A Russian state-sponsored threat actor, Forest Blizzard (APT28), is conducting a large-scale DNS hijacking campaign.
  • The attack targets vulnerable small office/home office (SOHO) routers to redirect DNS traffic and potentially intercept encrypted communications.
  • Over 200 organizations and 5,000 consumer devices have already been compromised, with high-value targets facing Adversary-in-the-Middle (AiTM) attacks.
  • Microsoft recommends immediate actions including firmware updates, credential changes, and enabling certificate warnings.

A sophisticated campaign orchestrated by Forest Blizzard, a Russian military-linked threat group, is actively exploiting home and small-office routers to execute widespread DNS hijacking and intercept encrypted communications. This operation has already impacted more than 200 organizations and compromised over 5,000 consumer devices, according to recent intelligence.

Forest Blizzard, also known as APT28 or Strontium, is a persistent threat actor with a documented history of operating in direct support of the Russian government’s foreign policy and intelligence objectives.

Microsoft has observed the campaign in action since at least August 2023. Forest Blizzard and its sub-group, Storm-2754, have been systematically targeting vulnerable small office/home office (SOHO) devices, the common routers found in residential and remote-work environments, to establish a clandestine intelligence collection infrastructure that is difficult to detect.

Microsoft Threat Intelligence has confirmed that no Microsoft-owned assets or services were compromised during these attacks.

Router Compromise and DNS Hijacking

The initial phase of the attack involves Forest Blizzard gaining unauthorized access to inadequately secured SOHO routers. Once inside, the group surreptitiously modifies the routers’ default network settings, replacing legitimate DNS resolver configurations with DNS servers under their control.

Because endpoint devices—such as laptops, smartphones, and workstations—automatically acquire network configurations from routers via the Dynamic Host Configuration Protocol (DHCP), any device connecting through a compromised router unwittingly begins forwarding its DNS requests to infrastructure controlled by Russian intelligence.

To handle DNS resolution on the compromised routers, Forest Blizzard is assessed with high confidence to be leveraging dnsmasq. This legitimate, widely deployed lightweight DNS forwarder and DHCP utility, often built into home routers, is repurposed by the attackers to intercept and answer DNS queries on port 53. Because the traffic still looks like ordinary resolver activity from the router, the threat actor can passively monitor every domain lookup made by thousands of victims without triggering typical network intrusion alerts.

Adversary-in-the-Middle (AiTM) Attacks on TLS Connections

For a select group of high-priority targets, Forest Blizzard has escalated its operations beyond passive DNS collection to active Adversary-in-the-Middle (AiTM) attacks against Transport Layer Security (TLS) connections. The complete attack sequence operates as follows:

  • The compromised router redirects the victim’s DNS query to the attacker-controlled resolver.
  • The malicious resolver then returns a spoofed IP address, directing the victim’s device to infrastructure controlled by the actor instead of the legitimate service.
  • The victim’s device attempts to establish a TLS connection with the actor’s server, which presents an invalid, spoofed TLS certificate impersonating a legitimate Microsoft service.
  • If the victim disregards browser or application warnings about the invalid certificate, the TLS handshake proceeds.
  • Forest Blizzard can then intercept the underlying plaintext traffic, potentially including sensitive data like emails, credentials, and cloud-hosted content.

Microsoft confirmed AiTM attacks specifically targeting Microsoft Outlook on the web domains, as well as non-Microsoft government servers in at least three African nations. In these instances, DNS requests were intercepted, and subsequent data collection was observed.

The campaign has affected organizations across critical sectors including government, information technology, telecommunications, and energy—all areas historically aligned with Russian military intelligence collection priorities. While the router-level compromise spans thousands of consumer devices, the TLS AiTM component appears to be deployed selectively against organizations deemed to possess the highest intelligence value, indicating a disciplined, tiered approach to exploitation.

This marks the first time Microsoft has observed Forest Blizzard employing DNS hijacking at scale, specifically to facilitate TLS AiTM attacks after exploiting edge devices. While SOHO device targeting by Russian actors is not new—the UK’s NCSC has previously documented similar APT28 router exploitation tactics—the current integration of passive DNS collection with selective active interception represents a dangerous evolution in their operational capabilities.

What You Should Do

  • Update Router Firmware: Immediately reboot and update SOHO router firmware to patch known vulnerabilities.
  • Change Default Credentials: Change default administrative credentials on all home and office routers without delay.
  • Audit DNS Settings: Regularly audit DNS settings on Windows machines and other devices for any unauthorized modifications to DNS resolver addresses.
  • Enable Certificate Warnings: Ensure certificate warnings are enabled in browsers and applications, and strictly train employees never to bypass TLS certificate errors.
  • Deploy Detection Rules: Utilize Microsoft Defender detection rules to proactively hunt for anomalous DNS modifications within endpoint telemetry.
  • Segment Traffic & Enforce VPN: Segment remote worker traffic and enforce VPN usage to reduce the exposure of cloud credentials over potentially compromised home networks.
