Russian Hackers Exploit Routers in Massive DNS Hijacking Attack
Key Takeaways
- A Russian state-sponsored threat actor, Forest Blizzard (APT28), is conducting a large-scale DNS hijacking campaign.
- The attack targets vulnerable small office/home office (SOHO) routers to redirect DNS traffic and potentially intercept encrypted communications.
- Over 200 organizations and 5,000 consumer devices have already been compromised, with high-value targets facing Adversary-in-the-Middle (AiTM) attacks.
- Microsoft recommends immediate actions including firmware updates, credential changes, and enabling certificate warnings.
A sophisticated campaign orchestrated by Forest Blizzard, a Russian military-linked threat group, is actively exploiting home and small-office routers to execute widespread DNS hijacking and intercept encrypted communications. This operation has already impacted more than 200 organizations and compromised over 5,000 consumer devices, according to recent intelligence.
Forest Blizzard, also known as APT28 or Strontium, is a persistent threat actor with a documented history of operating in direct support of the Russian government’s foreign policy and intelligence objectives.
Microsoft has observed the campaign since at least August 2023. Forest Blizzard and its sub-group, Storm-2754, have been systematically targeting vulnerable small office/home office (SOHO) devices, the common routers found in residential and remote-work environments, to establish a clandestine intelligence-collection infrastructure that is hard to detect.
Microsoft Threat Intelligence has confirmed that no Microsoft-owned assets or services were compromised during these attacks.
Router Compromise and DNS Hijacking
The initial phase of the attack involves Forest Blizzard gaining unauthorized access to inadequately secured SOHO routers. Once inside, the group surreptitiously modifies the routers’ default network settings, replacing legitimate DNS resolver configurations with DNS servers under their control.
Because endpoint devices—such as laptops, smartphones, and workstations—automatically acquire network configurations from routers via the Dynamic Host Configuration Protocol (DHCP), any device connecting through a compromised router unwittingly begins forwarding its DNS requests to infrastructure controlled by Russian intelligence.
To facilitate DNS resolution, Forest Blizzard is assessed with high confidence to be leveraging dnsmasq. This legitimate, widely deployed lightweight DNS forwarding and DHCP utility, often integrated into home routers, is repurposed by the attackers to intercept and respond to DNS queries on port 53. This tactic allows the threat actor to passively monitor every domain lookup made by thousands of victims without triggering typical network intrusion alerts.
Adversary-in-the-Middle (AiTM) Attacks on TLS Connections
For a select group of high-priority targets, Forest Blizzard has escalated its operations beyond passive DNS collection to active Adversary-in-the-Middle (AiTM) attacks against Transport Layer Security (TLS) connections. The complete attack sequence operates as follows:
- The compromised router redirects the victim’s DNS query to the attacker-controlled resolver.
- The malicious resolver then returns a spoofed IP address, directing the victim’s device to infrastructure controlled by the actor instead of the legitimate service.
- The victim’s device attempts to establish a TLS connection with the actor’s server, which presents an invalid, spoofed TLS certificate impersonating a legitimate Microsoft service.
- If the victim disregards browser or application warnings about the invalid certificate, the TLS handshake proceeds.
- Forest Blizzard can then intercept the underlying plaintext traffic, potentially including sensitive data like emails, credentials, and cloud-hosted content.
Microsoft confirmed AiTM attacks specifically targeting Microsoft Outlook on the web domains, as well as non-Microsoft government servers in at least three African nations. In these instances, DNS requests were intercepted, and subsequent data collection was observed.
The campaign has affected organizations across critical sectors including government, information technology, telecommunications, and energy—all areas historically aligned with Russian military intelligence collection priorities. While the router-level compromise spans thousands of consumer devices, the TLS AiTM component appears to be deployed selectively against organizations deemed to possess the highest intelligence value, indicating a disciplined, tiered approach to exploitation.
This marks the first time Microsoft has observed Forest Blizzard employing DNS hijacking at scale, specifically to facilitate TLS AiTM attacks after exploiting edge devices. While SOHO device targeting by Russian actors is not new—the UK’s NCSC has previously documented similar APT28 router exploitation tactics—the current integration of passive DNS collection with selective active interception represents a dangerous evolution in their operational capabilities.
What You Should Do
- Update Router Firmware: Immediately reboot and update SOHO router firmware to patch known vulnerabilities.
- Change Default Credentials: Change default administrative credentials on all home and office routers without delay.
- Audit DNS Settings: Regularly audit DNS settings on Windows machines and other devices for any unauthorized modifications to DNS resolver addresses.
- Enable Certificate Warnings: Ensure certificate warnings are enabled in browsers and applications, and strictly train employees never to bypass TLS certificate errors.
- Deploy Detection Rules: Utilize Microsoft Defender detection rules to proactively hunt for anomalous DNS modifications within endpoint telemetry.
- Segment Traffic & Enforce VPN: Segment remote worker traffic and enforce VPN usage to reduce the exposure of cloud credentials over potentially compromised home networks.
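The DNS audit recommended above follows from the DHCP mechanism described earlier: a client normally learns its resolver from the router, so a resolver address that is neither the local gateway nor an approved corporate resolver is the signal to hunt for. The script below is an added example, not Microsoft's or HackersRadar's code; the telemetry lines, the approved resolver addresses and the record format are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample endpoint telemetry, one record per interface, in the
# shape an inventory or EDR agent might report (hypothetical format).
SAMPLE_TELEMETRY = """\
host=WS-0412 iface=Wi-Fi gateway=192.168.1.1 dns=192.168.1.1
host=WS-0417 iface=Wi-Fi gateway=192.168.1.1 dns=203.0.113.7,192.168.1.1
host=WS-0420 iface=Ethernet gateway=10.20.0.1 dns=10.20.0.53,10.20.0.54
host=WS-0433 iface=Wi-Fi gateway=192.168.0.1 dns=198.51.100.12
"""

# Hypothetical corporate resolvers the organisation expects to see.
APPROVED_RESOLVERS = {ipaddress.ip_address("10.20.0.53"),
                      ipaddress.ip_address("10.20.0.54")}

# RFC 1918 space; a resolver outside it is reachable from the internet and
# therefore the more suspicious case when it appears on a DHCP client.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

RECORD_RE = re.compile(r"host=(\S+) iface=(\S+) gateway=(\S+) dns=(\S+)")


def audit_dns_settings(telemetry, approved=APPROVED_RESOLVERS):
    """Return one finding per resolver that is neither the interface's own
    gateway (the router that handed out the DHCP lease) nor an approved
    resolver. Severity is 'high' when the address lies outside RFC 1918."""
    findings = []
    for line in telemetry.splitlines():
        match = RECORD_RE.match(line)
        if not match:
            continue  # skip malformed records rather than abort the audit
        host, iface, gateway, dns = match.groups()
        gateway_ip = ipaddress.ip_address(gateway)
        for entry in dns.split(","):
            resolver = ipaddress.ip_address(entry)
            if resolver == gateway_ip or resolver in approved:
                continue
            external = not any(resolver in net for net in RFC1918)
            findings.append({"host": host, "iface": iface,
                             "resolver": str(resolver),
                             "severity": "high" if external else "medium"})
    return findings


if __name__ == "__main__":
    for finding in audit_dns_settings(SAMPLE_TELEMETRY):
        print(finding)
```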
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.