Router hijacks hit 200+ organisations

Researchers say the Russian 'Forest Blizzard' group hijacked routers to perform DNS interception that affected more than 200 organisations, exposing large‑scale supply‑chain and network‑infrastructure risk. U.S. authorities also disrupted a related operation, showing law‑enforcement pressure even as router‑based interception remains a live attack vector. (x.com)

A home or small-office router is the box that tells every phone and laptop where to send internet traffic, so changing that box can quietly change everything behind it. Microsoft said a Russian state hacking group called Forest Blizzard used that trick to affect more than 200 organisations and 5,000 consumer devices. (microsoft.com)

The specific trick was tampering with the Domain Name System, the internet's address book that turns names like Outlook's web address into the right numeric destination. Microsoft said Forest Blizzard hijacked those lookups on compromised routers, which let the group watch traffic and redirect selected users without first breaking into the target company itself. (microsoft.com)

The group did not start with big companies. Microsoft said it first compromised insecure edge devices used in homes and small offices, then used those upstream devices as cover to pivot toward larger enterprise networks. (microsoft.com)

United States authorities tied the campaign to Main Intelligence Directorate Military Unit 26165, the Russian military hacking unit also known as APT28, Fancy Bear, and Forest Blizzard. The Justice Department said the actors had been exploiting known flaws since at least 2024 to steal credentials for thousands of TP-Link routers around the world. (justice.gov)

Once a router was under their control, the attackers changed its settings so devices on that network would ask Russian-controlled servers for directions. The Justice Department said those servers usually filtered traffic automatically, then sent fake answers only for domains the group cared about. (justice.gov)

For selected victims, those fake answers pointed people to lookalike services instead of the real one. The Justice Department said one impersonated target was Microsoft Outlook Web Access, which let the attackers capture passwords, authentication tokens, emails, and other sensitive data from the same network as the hijacked router. (justice.gov)

Microsoft said this was not just passive spying on web addresses. The company said Forest Blizzard used the router hijacks to support actor-in-the-middle attacks on encrypted Transport Layer Security connections, the protocol behind the browser's lock icon that people rely on to know a session is private. (microsoft.com)

The victim list shows how messy this kind of infrastructure attack can get. Microsoft named government, information technology, telecommunications, and energy as affected sectors, while CyberScoop reported that Lumen researchers also saw victims linked to Afghanistan's government and to foreign-affairs and law-enforcement bodies in North Africa, Central America, and Southeast Asia. (microsoft.com) (cyberscoop.com)

Lumen said it saw widespread router exploitation and Domain Name System redirection begin on August 6, 2025, one day after a separate public report on Russian tradecraft. Lumen's researchers called the campaign "FrostArmada" and said it redirected targeted domains to attacker-in-the-middle nodes that harvested credentials with no action required from the end user. (lumen.com)

The United States response was not just a warning. On April 7, 2026, the Justice Department and the Federal Bureau of Investigation announced a court-authorized operation called Operation Masquerade that neutralized the United States portion of the router network and reset malicious Domain Name System settings on compromised devices. (justice.gov) (cyberscoop.com)

The uncomfortable part is that the weak point here was often a cheap router sitting outside the main security team's view. Microsoft said this was the first time it had seen Forest Blizzard use Domain Name System hijacking at scale to support actor-in-the-middle attacks after exploiting edge devices, which means the attack path ran through the network's front door instead of the company's servers. (microsoft.com)
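The selective pattern described above, a rogue resolver that answers correctly for most names and returns a lookalike address only for the domains the group cares about, is detectable from inside the network with two cheap checks: confirm the resolvers clients received from the router are the expected ones, and compare the configured resolver's answers for a short watchlist of high-value names (webmail, SSO, VPN) against an independent, trusted resolver. The script below is an added example, not code from Microsoft, Lumen or the Justice Department; every address, hostname and resolver answer in it is constructed (RFC 5737 documentation ranges), and the resolver lookups are modelled as dictionaries so it runs offline. Swapping those dictionaries for real lookups (the configured resolver versus a DNS-over-HTTPS resolver, for instance) is the only change needed to run it live.

```python
"""Defender-side checks for selective DNS redirection via a hijacked router.
Check 1: are the DHCP-supplied resolvers on the expected list?
Check 2: for a watchlist of names, does the configured resolver agree with a
trusted resolver (or at least stay inside the service's known address ranges)?
Added example with constructed data; resolver lookups are dictionaries."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Set

# Constructed resolv.conf as a DHCP client might have written it after the
# router's DNS setting was changed: one legitimate resolver, one rogue.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP (constructed sample)
search example.org
nameserver 203.0.113.53
nameserver 192.0.2.53
"""

# Resolvers the organisation expects its clients to use (constructed).
EXPECTED_RESOLVERS = {"203.0.113.53", "203.0.113.54"}

# Names worth checking: webmail, single sign-on, VPN (constructed).
WATCHLIST = ["mail.example.org", "sso.example.org", "vpn.example.org"]

# Ranges each service is known to live in, so CDN / round-robin answers that
# differ from the trusted answer but stay in-range are not flagged.
KNOWN_NETS = {
    "mail.example.org": [ip_network("198.51.100.0/24")],
    "sso.example.org": [ip_network("203.0.113.0/24")],
    "vpn.example.org": [ip_network("203.0.113.0/24")],
}

# Answers from an independent, trusted resolver (constructed).
TRUSTED_ANSWERS = {
    "mail.example.org": {"198.51.100.10", "198.51.100.11"},
    "sso.example.org": {"203.0.113.25"},
    "vpn.example.org": {"203.0.113.40"},
}

# Answers from the router-supplied resolver: correct for most names, a
# lookalike host only for webmail (the selective pattern). Constructed.
ROUTER_ANSWERS = {
    "mail.example.org": {"192.0.2.77"},
    "sso.example.org": {"203.0.113.26"},  # different IP, same known range
    "vpn.example.org": {"203.0.113.40"},
}


@dataclass(frozen=True)
class Finding:
    name: str
    reason: str
    router_answer: frozenset
    trusted_answer: frozenset


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses in resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def unexpected_resolvers(configured: Iterable[str], expected: Set[str]) -> List[str]:
    """Resolvers a client is using that are not on the expected list."""
    return [s for s in configured if s not in expected]


def compare_answers(router: Dict[str, Set[str]], trusted: Dict[str, Set[str]],
                    watchlist: Iterable[str], known_nets: Dict[str, list]) -> List[Finding]:
    """Flag watchlisted names whose router-resolver answer neither overlaps the
    trusted answer nor falls inside the service's known address ranges."""
    findings = []
    for name in watchlist:
        r, t = set(router.get(name, set())), set(trusted.get(name, set()))
        if not r:
            findings.append(Finding(name, "no answer from configured resolver",
                                    frozenset(r), frozenset(t)))
            continue
        if r & t:
            continue  # shares an address with the trusted answer: consistent
        nets = known_nets.get(name, [])
        if nets and all(any(ip_address(ip) in n for n in nets) for ip in r):
            continue  # differs from trusted but stays inside known ranges
        findings.append(Finding(name, "answer outside trusted/known ranges",
                                frozenset(r), frozenset(t)))
    return findings


def run_checks() -> dict:
    """Run both checks on the constructed sample and return a summary."""
    rogue = unexpected_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF), EXPECTED_RESOLVERS)
    findings = compare_answers(ROUTER_ANSWERS, TRUSTED_ANSWERS, WATCHLIST, KNOWN_NETS)
    return {"rogue_resolvers": rogue,
            "redirected_names": [f.name for f in findings],
            "findings": findings}


if __name__ == "__main__":
    summary = run_checks()
    print("Unexpected resolvers:", summary["rogue_resolvers"])
    for f in summary["findings"]:
        print(f"{f.name}: {f.reason}; router={sorted(f.router_answer)} "
              f"trusted={sorted(f.trusted_answer)}")
```

On the sample data the first check reports the rogue resolver 192.0.2.53 and the second flags only mail.example.org, which is the point: because the poisoning is selective, a handful of well-chosen names is enough to see it, while the known-range allowance keeps ordinary CDN rotation from producing noise. In a real deployment the trusted answers should come over a channel the router cannot tamper with, such as a DNS-over-HTTPS resolver pinned by certificate, and the check should run from a client behind the router, since that is where the redirection takes effect.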

Shared from Scout - Be the smartest in the room.