Russian cyber actors tracked as Forest Blizzard have launched a large-scale campaign against home and small-office routers, hijacking DNS traffic in order to intercept data that would otherwise be protected by encryption. The campaign has already affected more than 200 organizations and 5,000 consumer devices.
Background on Forest Blizzard
Forest Blizzard, also tracked as APT28 or Strontium, operates with the support of the Russian government, in line with its foreign policy and intelligence goals. According to Microsoft, this operation has been ongoing since at least August 2025. The group, including its sub-group Storm-2754, systematically targets vulnerable small office/home office (SOHO) routers to build a covert intelligence-collection network.
Microsoft states that its own assets were not compromised in these attacks.
Technical Aspects of the Attack
The attack begins with unauthorized access to poorly secured routers, whose network settings are then altered: Forest Blizzard replaces the legitimate DNS server settings with the addresses of its own resolvers, so that DNS queries are redirected to actor-controlled infrastructure. Devices behind a compromised router unknowingly send their DNS requests to these malicious servers.
The group makes use of dnsmasq, the DNS forwarder and DHCP server built into many routers, to intercept DNS queries. This lets it monitor domain lookups without triggering the alerts that typical network security tooling would raise.
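A check that a defender can run against a router's dnsmasq configuration, or against a client's resolver configuration, to catch the kind of resolver substitution described above. This is an added example, not code from the article, from Microsoft or from the dnsmasq project; the allowlist, the hypothetical organisation it describes and the sample configuration files are all constructed for the example.

```python
"""Audit DNS resolver settings for signs of hijacking.

Added example; not code from the article, from Microsoft or from dnsmasq.
It parses the places where a SOHO router and its clients name their
resolvers (dnsmasq ``server=`` and ``dhcp-option=6`` directives, and
resolv.conf ``nameserver`` lines) and flags any resolver that is not on
an operator-maintained allowlist. Allowlist and sample files are constructed.
"""
import ipaddress
import re

# Constructed allowlist for a hypothetical organisation: the router itself,
# an internal resolver, and one sanctioned public fallback.
EXPECTED_RESOLVERS = {
    ipaddress.ip_address("192.168.1.1"),
    ipaddress.ip_address("10.10.0.53"),
    ipaddress.ip_address("1.1.1.1"),
}


def _dnsmasq_server_addr(value: str) -> list[str]:
    # server=[/domain/]addr[#port][@iface]; a bare /domain/ with no address
    # means "use the normal servers" and names no resolver, so it is skipped.
    addr = value.rsplit("/", 1)[-1]
    return [addr] if addr else []


# (source label, regex capturing the directive value, value -> addresses)
_DIRECTIVES = [
    ("dnsmasq server", re.compile(r"^\s*server=(\S+)"), _dnsmasq_server_addr),
    # dnsmasq DHCP option 6: the resolver list pushed to every client.
    ("dnsmasq dhcp-option",
     re.compile(r"^\s*dhcp-option=(?:tag:[^,]*,)?(?:6|option:dns-server),(\S+)"),
     lambda v: v.split(",")),
    # glibc resolver configuration on a client.
    ("resolv.conf nameserver", re.compile(r"^\s*nameserver\s+(\S+)"),
     lambda v: [v]),
]


def extract_resolvers(config_text: str) -> list[tuple[str, str]]:
    """Return (source directive, address) pairs in order of appearance,
    without duplicates. dnsmasq port (#) and interface (@) suffixes are stripped."""
    found: list[tuple[str, str]] = []
    for line in config_text.splitlines():
        for source, pattern, parse in _DIRECTIVES:
            m = pattern.match(line)
            if not m:
                continue
            for raw in parse(m.group(1)):
                addr = raw.split("#")[0].split("@")[0]
                if addr and (source, addr) not in found:
                    found.append((source, addr))
            break
    return found


def audit_resolvers(config_text: str) -> dict[str, list[tuple[str, str]]]:
    """Classify every resolver as expected (allowlisted), unexpected (a valid
    address that is not allowlisted) or invalid (not an IP address at all)."""
    report: dict[str, list[tuple[str, str]]] = {
        "expected": [], "unexpected": [], "invalid": []}
    for source, addr in extract_resolvers(config_text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            report["invalid"].append((source, addr))
            continue
        bucket = "expected" if ip in EXPECTED_RESOLVERS else "unexpected"
        report[bucket].append((source, str(ip)))
    return report


# Constructed sample: a router dnsmasq.conf after tampering. 203.0.113.0/24 is
# documentation address space (RFC 5737) standing in for actor infrastructure.
SAMPLE_DNSMASQ_CONF = """\
domain-needed
bogus-priv
server=10.10.0.53
server=/corp.example/10.10.0.53
server=/localdomain/
server=203.0.113.77#5353
dhcp-option=6,192.168.1.1,203.0.113.78
"""

# Constructed sample: resolv.conf on a client that took its settings from DHCP.
SAMPLE_RESOLV_CONF = """\
nameserver 192.168.1.1
nameserver 203.0.113.78
"""

if __name__ == "__main__":
    for label, text in (("router", SAMPLE_DNSMASQ_CONF), ("client", SAMPLE_RESOLV_CONF)):
        report = audit_resolvers(text)
        for source, addr in report["unexpected"]:
            print(f"{label}: WARNING {source} points at non-allowlisted resolver {addr}")
        for source, addr in report["invalid"]:
            print(f"{label}: {source} has an unparseable value {addr!r}")
```

The same `audit_resolvers` function can be fed the resolver list an endpoint reports (for instance the output of the Windows DNS client settings or a Linux resolv.conf) to cover the "check DNS settings for unauthorized changes" step, since the directive table is the only part that is dnsmasq-specific.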
Advanced Attacks on Secure Connections
For high-priority targets, Forest Blizzard escalates to Adversary-in-the-Middle (AiTM) attacks on Transport Layer Security (TLS) connections. DNS queries are redirected to actor-controlled resolvers, which return spoofed IP addresses to the victim's device; the device then initiates a TLS connection to an actor-controlled server that presents a fake certificate.
Because the fake certificate fails validation, the victim's client displays a security warning; if the victim clicks through it, the connection proceeds and Forest Blizzard can read sensitive information such as emails and credentials. Such attacks have been confirmed against Microsoft Outlook and against government servers in several African countries.
The campaign affects sectors including government, IT, telecommunications, and energy, reflecting typical Russian intelligence priorities. While the router-level compromise is widespread, the TLS AiTM component is reserved for specific high-value organizations, indicating a deliberately targeted approach.
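A complementary check on what the resolvers answer rather than where they point: the spoofed-address step of the AiTM chain shows up as the locally configured resolver returning different addresses for sensitive names than a trusted out-of-band resolver does, and frequently the same foreign address for several unrelated names. This is an added example, not code from the article or from Microsoft; the resolver callables, domain names and answer tables are constructed, and the functions are written so that real lookups can be substituted for the tables.

```python
"""Compare DNS answers from the locally configured resolver with answers
from a trusted resolver to spot spoofed addresses.

Added example; not code from the article or from Microsoft. Both resolvers
are modelled as callables so that real lookups (for example one against the
DHCP-assigned resolver and one against a resolver reached over DoH or DoT)
can be substituted; the answer tables below are constructed.
"""
from collections import defaultdict
from typing import Callable, Iterable

# A resolver maps a hostname to the set of addresses it answered with.
Resolver = Callable[[str], set[str]]

# Constructed answers from a trusted, out-of-band resolver (192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for real services).
TRUSTED_ANSWERS = {
    "outlook.example": {"192.0.2.10", "192.0.2.11"},
    "mail.gov.example": {"192.0.2.20"},
    "cdn.example": {"198.51.100.5", "198.51.100.6"},
    "vpn.example": {"192.0.2.30"},
}

# Constructed answers from the resolver the router handed out via DHCP.
# 203.0.113.9 stands in for an actor-controlled interception host.
CONFIGURED_ANSWERS = {
    "outlook.example": {"203.0.113.9"},
    "mail.gov.example": {"192.0.2.20"},
    "cdn.example": {"198.51.100.6", "198.51.100.7"},   # ordinary CDN rotation
    "vpn.example": {"203.0.113.9"},
}


def table_resolver(table: dict[str, set[str]]) -> Resolver:
    """Wrap a static answer table as a resolver callable (offline use)."""
    return lambda name: set(table.get(name, ()))


def compare_answers(names: Iterable[str], configured: Resolver,
                    trusted: Resolver) -> dict:
    """Classify each name by how the configured resolver's answer set relates
    to the trusted one: identical ("match"), overlapping ("partial", normal
    for CDN-backed names) or nothing in common ("disjoint", worth a look)."""
    result: dict = {"match": [], "partial": {}, "disjoint": {}}
    for name in names:
        got, want = configured(name), trusted(name)
        if got == want:
            result["match"].append(name)
        elif got & want:
            result["partial"][name] = (got, want)
        else:
            result["disjoint"][name] = (got, want)
    return result


def shared_unexpected_addresses(comparison: dict) -> dict[str, list[str]]:
    """Addresses the configured resolver returned for two or more names that
    the trusted resolver did not return for them. One host answering for
    several unrelated sensitive domains is the pattern an AiTM interception
    point produces, which a CDN rotation does not."""
    names_by_addr: dict[str, set[str]] = defaultdict(set)
    for bucket in ("partial", "disjoint"):
        for name, (got, want) in comparison[bucket].items():
            for addr in got - want:
                names_by_addr[addr].add(name)
    return {addr: sorted(ns) for addr, ns in names_by_addr.items() if len(ns) > 1}


if __name__ == "__main__":
    comparison = compare_answers(list(TRUSTED_ANSWERS),
                                 table_resolver(CONFIGURED_ANSWERS),
                                 table_resolver(TRUSTED_ANSWERS))
    for name, (got, want) in comparison["disjoint"].items():
        print(f"DISJOINT {name}: configured={sorted(got)} trusted={sorted(want)}")
    for addr, names in shared_unexpected_addresses(comparison).items():
        print(f"SHARED   {addr} answered for {', '.join(names)}")
```

Disjoint answers alone produce false positives for geo-distributed services, so the shared-address view is the one to alert on first: it needs no knowledge of which addresses are legitimate, only the observation that one address is being substituted for several unrelated names.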
Preventive Measures and Recommendations
Microsoft advises immediate actions to mitigate these threats:
- Reboot and update router firmware to close known vulnerabilities.
- Change default router credentials to strengthen security.
- Check Windows DNS settings for unauthorized changes.
- Ensure employees do not bypass TLS certificate warnings.
- Use Microsoft Defender to detect DNS anomalies.
- Segment remote traffic and enforce VPN usage to protect cloud credentials.
Organizations should consider unmanaged SOHO devices as potential attack vectors. Forest Blizzard’s activities highlight the necessity of robust cybersecurity practices for remote and hybrid work environments.
