Russian intelligence-linked threat actor Forest Blizzard (APT28) has been silently weaponizing millions of home and small-office routers since at least August 2025, hijacking DNS traffic and intercepting encrypted cloud communications in a sweeping global espionage operation that has already compromised over 200 organizations and 5,000 consumer devices.
Microsoft Threat Intelligence published detailed findings this week, exposing the full attack chain behind the campaign, attributed to Forest Blizzard and its sub-group, Storm-2754, entities tied to Russia’s General Staff Main Intelligence Directorate (GRU) military unit 26165.
The operation, internally tracked as FrostArmada, was subsequently disrupted through a coordinated international law enforcement effort involving the U.S. Department of Justice, the FBI, and private sector partners, including Microsoft.
The Attack Chain
The intrusion begins at the most overlooked layer of any network: the edge router. Forest Blizzard gained unauthorized remote administrative access to poorly secured SOHO devices, primarily MikroTik and TP-Link routers, and silently replaced the default DNS resolver configuration with actor-controlled DNS servers.
Because endpoint devices such as laptops, phones, and workstations automatically inherit network configurations from their routers via the Dynamic Host Configuration Protocol (DHCP), every device connecting through a compromised router unknowingly began forwarding its DNS queries to Russian intelligence-controlled infrastructure.
To execute this DNS manipulation at scale, Forest Blizzard almost certainly leveraged dnsmasq, a legitimate, lightweight network utility embedded in home routers that provides DNS forwarding, caching, and DHCP services and listens on port 53 for incoming DNS queries.
This approach is particularly insidious because dnsmasq is a trusted, native tool embedded in millions of routers worldwide, making its malicious use difficult to detect through standard endpoint security products.
In most cases, DNS requests were transparently proxied through the actor’s infrastructure, meaning victims received legitimate DNS responses without any visible service disruption, maintaining the compromise invisibly for months.
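A defender-side audit of the router layer described above, added here as an example (not code from Microsoft or from the campaign): it parses a dnsmasq configuration and flags upstream forwarders, DHCP-pushed resolvers (option 6) and static answer overrides that point anywhere but an approved resolver set. The sample config, the approved set and all addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample of what a hijacked router's dnsmasq.conf could look like.
# Addresses are RFC 5737 documentation ranges, not real indicators.
SAMPLE_CONF = """\
# normal settings
domain-needed
bogus-priv
server=203.0.113.10
server=/office.com/192.0.2.53
dhcp-option=6,203.0.113.10,192.0.2.53
dhcp-option=option:dns-server,192.0.2.53
address=/outlook.office.com/203.0.113.20
"""

# Resolvers the organisation actually approves (constructed for the example).
APPROVED = {"9.9.9.9", "149.112.112.112"}

def _ips(field: str) -> List[str]:
    """Return the tokens of a comma-separated field that parse as IP addresses."""
    out = []
    for tok in field.split(","):
        tok = tok.strip()
        try:
            ipaddress.ip_address(tok)
            out.append(tok)
        except ValueError:
            pass  # e.g. the leading "6" or "option:dns-server"
    return out

def audit_dnsmasq(conf: str, approved: set) -> List[Tuple[int, str, str]]:
    """Return (line_no, directive, reason) for every directive that routes
    queries, hands clients a resolver, or hard-codes an answer outside the
    approved resolver set."""
    findings = []
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#")[0].strip()
        if not line or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key == "server":
            # "server=/domain/ip" forwards only that domain; "server=ip" is global
            m = re.match(r"^/(?P<dom>[^/]+)/(?P<ip>.+)$", val)
            ip, scope = (m["ip"], f"per-domain ({m['dom']})") if m else (val, "global")
            if ip not in approved:
                findings.append((no, key, f"{scope} forwarder {ip} not approved"))
        elif key == "dhcp-option" and (val.startswith("6,") or val.startswith("option:dns-server")):
            bad = [ip for ip in _ips(val) if ip not in approved]
            if bad:
                findings.append((no, key, f"DHCP option 6 hands clients unapproved resolvers {bad}"))
        elif key == "address":
            findings.append((no, key, f"static override {val} can spoof answers for a targeted domain"))
    return findings
```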
Microsoft’s telemetry confirmed over 200 targeted organizations and 5,000 consumer devices within its visibility; Lumen Technologies’ broader telemetry paints an even more alarming picture, revealing more than 18,000 moderate-confidence victim IPs spanning 120 countries at the campaign’s peak in December 2025.
TLS Adversary-in-the-Middle
DNS hijacking was only the first stage. In a more targeted subset of compromises, Forest Blizzard deployed adversary-in-the-middle (AiTM) attacks against Transport Layer Security (TLS) connections, representing the first time Microsoft has ever observed this actor combining DNS hijacking with TLS AiTM at scale.
The technique works as follows: once the actor controlled DNS resolution, it spoofed DNS responses for specifically targeted domains, forcing victims to connect to Forest Blizzard’s own infrastructure instead of the legitimate service. The malicious server then presented an invalid TLS certificate impersonating the legitimate Microsoft service.
If the user dismissed the certificate warning, a common occurrence in enterprise environments with misconfigured proxies, Forest Blizzard could intercept the underlying plaintext traffic, potentially capturing emails, OAuth tokens, credentials, and sensitive cloud-hosted content.
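The two stages described above leave distinct traces in endpoint DNS logs: queries leaving for a resolver the organisation never approved, and answers for high-value domains that differ from what a trusted resolver returns over an independent path. The check below is an added example (not Microsoft's detection logic); the log format, hostnames, approved resolvers and reference answers are constructed, with RFC 5737 addresses.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Resolvers endpoints are supposed to use (constructed for this example).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Answers for high-value domains obtained out of band from a trusted resolver
# (constructed values; real answers would come from an independent lookup).
REFERENCE_ANSWERS = {
    "outlook.office.com": {"198.51.100.40", "198.51.100.41"},
    "mail.example.org": {"198.51.100.50"},
}

# Constructed endpoint DNS log, one query per line.
SAMPLE_LOG = """\
2025-12-03T10:11:12Z host=lap-07 resolver=10.0.0.53 qname=outlook.office.com answer=198.51.100.40
2025-12-03T10:11:19Z host=lap-12 resolver=203.0.113.10 qname=outlook.office.com answer=203.0.113.20
2025-12-03T10:11:25Z host=lap-12 resolver=203.0.113.10 qname=example.net answer=192.0.2.77
2025-12-03T10:12:02Z host=lap-03 resolver=10.0.1.53 qname=mail.example.org answer=198.51.100.50
2025-12-03T10:12:40Z host=lap-12 resolver=203.0.113.10 qname=mail.example.org answer=203.0.113.21
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) resolver=(?P<resolver>\S+) "
    r"qname=(?P<qname>\S+) answer=(?P<answer>\S+)$"
)

def analyse_dns_log(log: str, approved, reference) -> Dict[str, List[str]]:
    """Per-host findings: 'hijack' when a query went to an unapproved resolver
    (the DHCP-inherited stage) and 'spoof' when the answer for a high-value
    domain differs from the trusted reference (the AiTM stage)."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unparsable line; a real pipeline would count these
        host, resolver = m["host"], m["resolver"]
        qname, answer = m["qname"].lower().rstrip("."), m["answer"]
        if resolver not in approved:
            findings[host].append(f"hijack: {qname} resolved via unapproved {resolver}")
        expected = reference.get(qname)
        if expected is not None and answer not in expected:
            findings[host].append(f"spoof: {qname} -> {answer}, expected one of {sorted(expected)}")
    return dict(findings)
```

A host that only shows hijack findings has its resolver redirected; one that also shows spoof findings for a monitored domain was likely steered to the interception server as well.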
Microsoft confirmed two distinct AiTM target classes:
- Microsoft 365 / Outlook on the web domains: Forest Blizzard intercepted TLS sessions against Microsoft-hosted services, enabling theft of Microsoft account credentials and session tokens.
- Government servers in Africa: At least three government organizations in African nations were targeted in separate AiTM operations in which DNS requests were intercepted and follow-on data collection was conducted, consistent with GRU foreign intelligence collection priorities.
The sectors most heavily impacted include government agencies, information technology providers, telecommunications companies, and energy organizations, precisely the targets of highest intelligence value for Russian military foreign policy initiatives.
Targeted organizations included ministries of foreign affairs, law enforcement agencies, and third-party email and cloud service providers across North Africa, Central America, Southeast Asia, and Europe.
Why SOHO Devices Are the Perfect Attack Surface
For nation-state actors, compromising edge devices upstream of larger enterprise targets provides a strategic advantage: less closely monitored assets that serve as a pivot point into managed enterprise environments.
Home routers sit outside corporate security perimeters, are rarely updated, often have default credentials, and generate little to no security telemetry.
This is especially critical as remote and hybrid work has permanently blurred the boundary between home networks and corporate cloud environments.
While SOHO device targeting is not a new TTP for Russian intelligence actors, this campaign marks an unprecedented scale of DNS hijacking specifically engineered to enable TLS interception, a significant escalation in capability and ambition.
Mitigation and Defense Recommendations
Microsoft Threat Intelligence recommends the following immediate protective measures:
Defending Against DNS Hijacking:
- Enforce domain-name-based network access controls using Zero Trust DNS (ZTDNS) on Windows endpoints to ensure DNS resolves only through trusted servers
- Block known malicious domains and maintain detailed DNS logs to detect anomalous DNS traffic patterns
- Audit and update all SOHO router firmware immediately; eliminate default credentials and turn off unnecessary remote management interfaces
- Avoid deploying home router solutions in corporate or hybrid work environments
Defending Against AiTM and Credential Theft:
- Strictly enforce phishing-resistant MFA (passkeys, FIDO2 hardware keys) for all accounts, particularly privileged ones, since AiTM frameworks can bypass standard TOTP-based MFA
- Implement Conditional Access policies with sign-in risk evaluation in Microsoft Entra ID, configured to block or step-up authentication on medium or higher risk sign-ins
- Deploy continuous access evaluation to invalidate stolen session tokens in near-real-time
- Integrate all identity data, including hybrid on-premises directories, into a centralized SIEM or Microsoft Entra to detect anomalous access patterns correlated with known Forest Blizzard indicators.
Detection Guidance: Microsoft Defender for Endpoint customers should monitor for alerts tagged “Forest Blizzard Actor activity detected” and “Storm-2754 activity.” In Microsoft Entra ID Protection, the ThreatIntelligence risk event type flags unusual sign-in behavior consistent with known Forest Blizzard attack patterns.
Frequently Asked Questions
Q1. What is Forest Blizzard?
Forest Blizzard (APT28/Fancy Bear/Strontium) is a Russian GRU military intelligence cyber espionage group responsible for some of the world’s most sophisticated state-sponsored attacks.
Q2. How does DNS hijacking enable espionage without detection?
By redirecting DNS queries to actor-controlled resolvers, attackers gain passive visibility into all domains a victim accesses without altering traffic in a way users typically notice.
Q3. Can standard MFA stop Forest Blizzard’s AiTM attacks?
No. Traditional TOTP-based MFA is bypassable via AiTM; only phishing-resistant MFA methods such as passkeys or FIDO2 hardware tokens provide effective protection against this technique.
Q4. Which router brands were specifically targeted in this campaign?
MikroTik and TP-Link SOHO routers were the primary device types identified as compromised in Forest Blizzard’s FrostArmada operation.
Site: thecybrdef.com