Russian Hackers Exploit Home and Small-Office Routers in Massive DNS Hijacking Campaign
Forest Blizzard, the Russian military-affiliated threat actor also tracked as APT28 and Strontium, has been compromising home and small-office routers to hijack DNS traffic and, for selected targets, intercept TLS-protected communications. Since at least August 2025 the operation has affected more than 200 organizations and more than 5,000 consumer devices, giving the actor a covert intelligence-collection infrastructure.
Understanding the Threat Actor
Forest Blizzard operates in direct support of the Russian government’s foreign policy and intelligence objectives. Their recent activities have focused on exploiting vulnerabilities in small office/home office (SOHO) routers—devices commonly found in homes and remote workplaces—to facilitate widespread surveillance and data interception.
Mechanics of the Attack
The attack begins with unauthorized access to inadequately secured SOHO routers, followed by a silent change to the router's network configuration: the attackers replace the DNS resolver addresses the router advertises to its clients with servers they control.
Devices behind a compromised router inherit the malicious setting automatically, because the router hands it out in every DHCP lease. From that point every DNS query those devices make goes to actor-controlled servers, which can log and manipulate name resolution at will. Nothing changes on the endpoints themselves beyond an ordinary-looking lease, which is why the redirection raises none of the usual security alerts.
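Client-side checks for the two symptoms this section describes, a lease that hands out an unexpected resolver and a resolver whose answers differ from an independent one, written in Go as an added example. This is not code from the article, from Microsoft, or from any router vendor; it also illustrates the DNS-traffic monitoring the mitigation list later recommends. The resolv.conf text, the allowlist prefix and the answer sets are constructed, and addresses in 192.168.1.0/24, 198.51.100.0/24 and 203.0.113.0/24 are placeholders.

```go
package main

import (
	"bufio"
	"context"
	"fmt"
	"net"
	"net/netip"
	"strings"
	"time"
)

// resolversFromResolvConf pulls the nameserver entries out of resolv.conf,
// where a Linux DHCP client records the resolvers the router advertised.
func resolversFromResolvConf(text string) []netip.Addr {
	var out []netip.Addr
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) >= 2 && f[0] == "nameserver" {
			if a, err := netip.ParseAddr(f[1]); err == nil {
				out = append(out, a)
			}
		}
	}
	return out
}

// rogueResolvers returns advertised resolvers outside the allowed CIDRs (the LAN
// segment holding the router plus any sanctioned corporate resolvers). A lease that
// points clients at an unfamiliar public address is the crudest form of the hijack.
// Unparseable CIDRs are skipped, which fails closed.
func rogueResolvers(resolvers []netip.Addr, allowedCIDRs []string) []netip.Addr {
	var rogue []netip.Addr
	for _, r := range resolvers {
		ok := false
		for _, c := range allowedCIDRs {
			if p, err := netip.ParsePrefix(c); err == nil && p.Contains(r) {
				ok = true
			}
		}
		if !ok {
			rogue = append(rogue, r)
		}
	}
	return rogue
}

// mismatchedNames returns names whose records from the local resolver share no
// address with the reference resolver's. This catches the quieter variant where the
// router keeps advertising its own LAN address but forwards upstream to the actor,
// so only the answers give it away. CDN-fronted services legitimately answer
// differently per region, so treat a mismatch as a lead to confirm, not a verdict.
func mismatchedNames(local, reference map[string][]string) []string {
	var out []string
	for name, localIPs := range local {
		overlap := false
		for _, l := range localIPs {
			for _, r := range reference[name] {
				overlap = overlap || l == r
			}
		}
		if !overlap {
			out = append(out, name)
		}
	}
	return out
}

// lookupVia resolves names by querying one chosen resolver directly, bypassing the
// DHCP-supplied setting. If the router also intercepts port 53 transparently the
// reference query is hijacked too; use a DoH/DoT resolver as the reference then.
func lookupVia(resolver string, names []string) map[string][]string {
	r := &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := net.Dialer{Timeout: 3 * time.Second}
			return d.DialContext(ctx, network, net.JoinHostPort(resolver, "53"))
		},
	}
	out := map[string][]string{}
	for _, n := range names {
		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
		if addrs, err := r.LookupHost(ctx, n); err == nil {
			out[n] = addrs
		}
		cancel()
	}
	return out
}

func main() {
	// Constructed resolv.conf: the router's LAN address plus an unexpected public
	// resolver (203.0.113.0/24 is RFC 5737 documentation space).
	const sample = "search lan\nnameserver 192.168.1.1\nnameserver 203.0.113.53\n"
	fmt.Println("rogue resolvers:", rogueResolvers(resolversFromResolvConf(sample), []string{"192.168.1.0/24"}))

	// Constructed answer sets standing in for a hijacked local resolver and a clean
	// reference; on a live host use lookupVia("192.168.1.1", names) and
	// lookupVia("<reference resolver>", names) instead.
	local := map[string][]string{"mail.example.com": {"203.0.113.10"}, "www.example.com": {"198.51.100.7"}}
	reference := map[string][]string{"mail.example.com": {"198.51.100.20"}, "www.example.com": {"198.51.100.7"}}
	fmt.Println("mismatched names:", mismatchedNames(local, reference))
}
```

The first check is cheap and catches the blunt version of the hijack; the second is the one that matters when the router's advertised address looks normal, and it only works if the reference path really bypasses the router, hence the note about encrypted DNS.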
Use of dnsmasq
Forest Blizzard is assessed with high confidence to be running dnsmasq, a legitimate and widely deployed lightweight DNS forwarder and DHCP server that ships in many home router firmware images, to answer the hijacked queries on port 53. No flaw in dnsmasq is involved: it is ordinary software configured to act as the actor's resolver. Because victims' devices are simply talking to what looks like a normal recursive resolver, the actor can passively record every domain lookup from thousands of victims without the noise that a direct intrusion into the victim network would generate.
Adversary-in-the-Middle (AiTM) Attacks on TLS Connections
Beyond passive DNS monitoring, Forest Blizzard has escalated its operations to active Adversary-in-the-Middle (AiTM) attacks against Transport Layer Security (TLS) connections for select high-priority targets. The attack chain unfolds as follows:
1. The compromised router's DNS setting sends the victim's DNS query to the actor-controlled resolver.
2. The malicious resolver answers with a spoofed IP address, so the victim's device connects to actor-controlled infrastructure instead of the legitimate service.
3. The device opens a TLS connection to the actor's server, which presents a certificate bearing the legitimate service's hostname but not issued by any certificate authority the client trusts.
4. The client cannot validate that certificate and warns the user. If the victim clicks through the browser or application warning (or the client never validated certificates in the first place), the handshake completes.
5. The actor's server now terminates TLS, so Forest Blizzard reads the plaintext, potentially capturing emails, credentials, and sensitive cloud-hosted content.
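The TLS steps above, played out end to end on a loopback socket in Go as an added example (not code from the original article or from Microsoft): a self-signed certificate carrying the victim hostname, an "actor" listener that terminates TLS, and a client dialled twice, once validating the chain and once with validation disabled to model a user clicking through the warning. The hostname mail.example.com, the /owa/ request line and the bearer token are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

const victimHost = "mail.example.com" // hypothetical impersonated service

// makeImpersonationCert builds the certificate of step 3: the SAN matches the
// victim's hostname, but it is self-signed, so a chain-validating client refuses it.
func makeImpersonationCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// startAiTMServer plays the actor-controlled host the spoofed DNS answer points to:
// it terminates TLS with the impersonation certificate and hands back whatever
// plaintext a client sends once a handshake has completed.
func startAiTMServer(cert tls.Certificate) (addr string, captured <-chan string, err error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", nil, err
	}
	ch := make(chan string, 8)
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				buf := make([]byte, 4096)
				if n, err := c.Read(buf); err == nil { // Read completes the handshake
					ch <- string(buf[:n])
				}
			}(conn)
		}
	}()
	return ln.Addr().String(), ch, nil
}

// connectAsVictim is the client side of steps 3-5. verify=true is a browser that
// honours the warning; verify=false is the user (or a sloppy client) clicking through.
func connectAsVictim(addr string, verify bool, payload string) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: victimHost, InsecureSkipVerify: !verify})
	if err != nil {
		return err
	}
	defer conn.Close()
	_, err = conn.Write([]byte(payload))
	return err
}

// rejectedByCertCheck separates a chain-validation failure from ordinary network
// errors, which is the condition a client-side alert should key on.
func rejectedByCertCheck(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	cert, err := makeImpersonationCert(victimHost)
	if err != nil {
		panic(err)
	}
	addr, captured, err := startAiTMServer(cert)
	if err != nil {
		panic(err)
	}
	req := "GET /owa/ HTTP/1.1\r\nHost: " + victimHost + "\r\nAuthorization: Bearer <token>\r\n\r\n"
	fmt.Println("validating client rejected cert:", rejectedByCertCheck(connectAsVictim(addr, true, req)))
	if err := connectAsVictim(addr, false, req); err != nil {
		panic(err)
	}
	fmt.Printf("actor captured: %q\n", <-captured)
}
```

The only thing separating the two dials is certificate validation: the spoofed DNS answer and the hostname in the SNI are identical in both, which is why the chain's success hinges entirely on step 4.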
Microsoft has confirmed AiTM attacks against Outlook on the web domains, as well as against government servers not hosted by Microsoft in at least three African nations, where DNS requests were intercepted and follow-on data collection was conducted.
Scope and Impact
The campaign has impacted organizations across government, information technology, telecommunications, and energy sectors—all historically consistent with Russian military intelligence collection priorities. While the router-level compromise spans thousands of consumer devices, the TLS AiTM component appears to be deployed selectively against organizations deemed to have the highest intelligence value, reflecting a disciplined, tiered approach to exploitation.
Mitigation Strategies
To defend against such sophisticated attacks, individuals and organizations should implement the following measures:
– Firmware updates: Keep router firmware current to close known vulnerabilities, and replace devices that no longer receive security updates, since an unpatched end-of-life router stays exposed indefinitely.
– Strong authentication: Replace default administrative credentials with strong, unique passwords to prevent unauthorized access.
– Disable remote management: Turn off internet-facing management interfaces unless they are absolutely necessary; an exposed administrative interface is the obvious path to changing the router's DNS settings.
– Network monitoring: Watch the resolver addresses handed out in DHCP leases and the destinations of DNS traffic, and alert when either drifts from the expected set; periodically verify that the DNS servers the router advertises are still the ones you configured.
– User education: Train users to treat an invalid-certificate warning as a stop rather than an inconvenience. In this campaign that warning is the only thing between the user and plaintext capture.
Conclusion
The Forest Blizzard campaign underscores the critical need for robust security practices in managing network devices. By exploiting common vulnerabilities in SOHO routers, state-sponsored actors can establish extensive surveillance networks, compromising the confidentiality and integrity of sensitive communications. Proactive measures and heightened awareness are essential to mitigate such threats and protect both individual and organizational assets.