Mass router hijack hits 18,000 IPs

A global campaign by the APT28 group hijacked MikroTik and TP-Link routers to rewrite DNS settings and steal credentials, compromising over 18,000 IPs across 120 countries, including governments and cloud providers. The attack shows how widely deployed network equipment can be weaponised to intercept credentials at scale, making basic router hygiene and monitoring an urgent operational risk. Organisations with exposed edge devices should expect credential-theft tactics to escalate as attackers focus on infrastructure rather than single endpoints. (x.com)

A router is the traffic cop for everything in a home or office network, and if you change its settings you can quietly redirect every laptop and phone behind it. That is what investigators say Russian military hackers did in a campaign that led the United States, on April 7, 2026, to disrupt part of a network of compromised small office and home office routers. (justice.gov)

The setting they changed was the Domain Name System (DNS), which is the internet's address book. When your device asks "where is outlook.office.com," a poisoned router can answer with the attacker's address instead of the real one. (microsoft.com) That trick is called DNS hijacking, and it works upstream of the victim's computer. Microsoft said the group it tracks as Forest Blizzard used vulnerable small office and home office gear to hijack DNS requests and collect network traffic at scale. (microsoft.com) The British National Cyber Security Centre said the attackers overwrote the Dynamic Host Configuration Protocol (DHCP) and DNS settings on exposed routers so every connected device inherited the bad instructions automatically. The agency said the campaign was opportunistic: the hackers cast a very wide net first and then filtered for people worth spying on later. (ncsc.gov.uk)

The targets were not just random households. The Justice Department said the Russian unit used the hijacked routers against people in the military, government, and critical infrastructure sectors, and the Federal Bureau of Investigation said the same operation was aimed at sensitive military, government, and infrastructure information. (justice.gov) (ic3.gov)

For most victims, nothing new had to be installed on the computer. The attackers sat in the middle of the connection, and for selected sites they returned fake DNS records that imitated real services such as Microsoft Outlook Web Access so they could capture passwords, emails, and authentication tokens. (justice.gov) (ic3.gov)

Microsoft said it identified more than 200 organizations and 5,000 consumer devices affected by the malicious DNS infrastructure, while CyberScoop reported the broader espionage network spanned about 18,000 devices. The reporting around the campaign also places victims in roughly 120 countries, which shows how a cheap office router can become part of a global spying system. (microsoft.com) (cyberscoop.com)

The hardware was not exotic. U.S. and allied agencies said the group exploited known flaws in internet-facing routers, including TP-Link devices hit through CVE-2023-50224, and then reused those boxes as attacker-controlled DNS resolvers. (ic3.gov) (media.defense.gov) This is why security teams worry about "edge devices," which is the boring name for the equipment sitting between a company and the public internet. Microsoft said Forest Blizzard used those less-monitored devices as stepping stones into larger environments, then used the access to support attacks on encrypted web sessions. (microsoft.com)

The immediate fixes are old-fashioned and unglamorous. The Federal Bureau of Investigation told owners to replace unsupported routers, install the latest firmware, change default usernames and passwords, disable remote management from the internet, and treat browser certificate warnings as real danger signs instead of click-through annoyances. (ic3.gov)

The deeper lesson is that the attackers went after the network before they went after the person. If you control the address book and the traffic cop, you do not need malware on every laptop to steal a lot of credentials. (microsoft.com) (ncsc.gov.uk)
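One check a defender can run against the kind of hijack described above, as an added example that is not part of the original article or any agency guidance: it compares the answers the router-supplied resolver gives for a few high-value domains with answers from an independent resolver and with the address prefixes those services are expected to live in, and separately flags a single host that answers for several impersonated sites at once. Every domain, address and prefix in the sample data is a constructed placeholder, not a real service address.

```python
"""Cross-check DNS answers to spot a router-level hijack of selected domains."""
import ipaddress
from collections import defaultdict

# Constructed sample data; all names, addresses and prefixes are placeholders.
# LOCAL_ANSWERS came from the DHCP-supplied resolver (the router); INDEPENDENT_ANSWERS
# from a resolver the router cannot tamper with (e.g. DNS-over-HTTPS from the same host).
EXPECTED_PREFIXES = {
    "outlook.office.com": ["198.51.100.0/24"],
    "login.example-corp.com": ["192.0.2.0/24"],
    "news.example.org": ["203.0.113.0/24"],
}
LOCAL_ANSWERS = {
    "outlook.office.com": ["100.64.1.9"],      # hijacked: attacker's host
    "login.example-corp.com": ["100.64.1.9"],  # hijacked: same host again
    "news.example.org": ["203.0.113.7"],       # honest answer
}
INDEPENDENT_ANSWERS = {
    "outlook.office.com": ["198.51.100.20"],
    "login.example-corp.com": ["192.0.2.15"],
    "news.example.org": ["203.0.113.12"],      # differs from local: CDN rotation
}

def in_prefixes(ip, prefixes):
    """True if ip falls inside any of the given CIDR prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)

def find_hijacked(local, independent, expected):
    """Map each domain to local answers that are outside its expected prefixes
    AND unseen by the independent resolver. A bare mismatch is not enough:
    CDN rotation makes different-but-legitimate answers routine. A domain
    with no expected prefixes is treated strictly (any unseen answer counts)."""
    findings = {}
    for domain, ips in local.items():
        bad = [ip for ip in ips
               if not in_prefixes(ip, expected.get(domain, []))
               and ip not in independent.get(domain, [])]
        if bad:
            findings[domain] = bad
    return findings

def shared_answer_hosts(local, min_domains=2):
    """IPs that answer for several monitored domains at once. One attacker host
    fronting every impersonated site is typical of hijack infrastructure;
    unrelated legitimate services rarely collide on one address like this."""
    seen = defaultdict(set)
    for domain, ips in local.items():
        for ip in ips:
            seen[ip].add(domain)
    return {ip: sorted(d) for ip, d in seen.items() if len(d) >= min_domains}
```

Run periodically from a host behind the router and alert on any non-empty result; the honest-but-rotated answer for news.example.org shows why the independent lookup alone is not a reliable signal.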

Shared from Scout - Be the smartest in the room.