- Forest Blizzard (APT28) hijacks SOHO devices for espionage
- Attackers reroute DNS traffic to enable surveillance and AiTM attacks
- Campaign impacts 200+ organizations across government, IT, telecom, and energy sectors
Russian state-sponsored threat actors are targeting poorly protected Small Office/Home Office (SOHO) devices and using them to pivot into enterprise and corporate environments, experts have claimed.
A report from Microsoft Threat Intelligence has warned about a large-scale attack by Forest Blizzard (AKA APT28) targeting TP-Link routers.
So far, more than 200 organizations and more than 5,000 consumer devices have been impacted by the attack, Microsoft said, noting the group is mostly interested in cyber-espionage and intelligence gathering.
What happened?
The campaign apparently started in August 2025, and instead of targeting corporate networks directly, Forest Blizzard focused on edge devices such as home routers, which often lack strong security controls and oversight present in enterprise environments.
Microsoft did not explicitly say how the attackers break into these endpoints but suggests they might have default or easy-to-crack passwords or known but unpatched vulnerabilities that can easily be exploited.
Once inside, they change the devices’ configuration to route Domain Name System (DNS) traffic through infrastructure they control, allowing them to monitor, and even influence, how infected devices resolve domain names.
By operating at this upstream level, APT28 gained broad visibility into network activity across both consumer and enterprise environments. This not only allows them to conduct passive surveillance at scale but also prepares the terrain for more targeted follow-on attacks against organizations of higher value.
The DNS acts like the internet’s address book. So, instead of sending requests to legitimate DNS servers, compromised devices are actually being redirected to servers under the attackers’ control. In more targeted cases, the threat actors would manipulate DNS responses to redirect victims to fake versions of legitimate services, resulting in what’s known as an Adversary-in-the-Middle (AitM) attack.
This, in turn, allows APT28’s operatives to intercept data as it moves between the user and the real service.
If the victim ignores browser warnings about invalid security certificates (which, truth be told, many of us often do), the attackers may be able to capture sensitive information, including login credentials and emails.
Who is targeted?
The campaign affects a wide range of sectors, Microsoft stressed, including government agencies, information technology, telecommunications, and energy. While thousands of home and small office devices were compromised, Forest Blizzard appears to use the most intrusive follow-on attacks selectively, focusing on high-value targets.
They use AitM attacks to intercept emails and cloud data, but the sheer number of compromised devices give them a lot of maneuver space, for possibly larger-scale campaigns in the future.
“While the number of organizations specifically targeted for TLS AiTM is only a subset of the networks with vulnerable SOHO devices, Microsoft Threat Intelligence assesses that the threat actor’s broad access could enable larger-scale AiTM attacks, which might include active traffic interception,” Microsoft warned.
“Targeting SOHO devices is not a new tactic, technique, or procedure (TTP) for Russian military intelligence actors, but this is the first time Microsoft has observed Forest Blizzard using DNS hijacking at scale to support AiTM of TLS connections after exploiting edge devices.”
To defend against DNS hijacking, Microsoft advises organizations enforce trusted DNS servers, block malicious domains, maintain DNS logs, and avoid SOHO devices in corporate networks.
For AiTM and credential theft, they recommend centralizing identity management, enabling Single Sign-On, enforcing multifactor authentication (MFA) and passkeys, applying Conditional Access policies, and monitoring risky sign-ins with continuous access evaluation. Organizations should log identity activity, protect privileged accounts with phishing-resistant MFA, and follow Microsoft’s incident response best practices for recovering from systemic identity compromises. Network protection via Microsoft Defender for Endpoint is also recommended to block malicious sites.
