Russian Hackers Exploit SOHO Routers, Compromising Over 5,000 Devices in DNS Hijacking Campaign

Campaigns targeting Small Office/Home Office (SOHO) routers have exposed how weakly secured edge devices are. Threat actors, notably the group tracked as Forest Blizzard, have been exploiting poorly secured home and small-office routers to stage attacks against the networks behind them.

Security researchers report that this Russia-linked group has been systematically compromising vulnerable routers since at least August 2025, turning the devices into covert infrastructure for surveillance and follow-on attacks.

Forest Blizzard and the Expanding SOHO Router Compromise Campaign

Forest Blizzard, a threat actor attributed to Russian military intelligence and tracked as Storm-2754, has exploited SOHO devices at scale. Using its access to compromised routers, the group hijacks Domain Name System (DNS) requests, which lets it monitor and collect network traffic across many victims at once.

Microsoft reports that more than 200 organizations and more than 5,000 consumer devices have been affected by this malicious DNS infrastructure. Its telemetry showed no compromise of Microsoft-owned systems. The reach of the campaign nonetheless underlines why edge devices, which often lack monitoring and hardening, are such attractive targets.

For a group like Forest Blizzard, DNS hijacking offers persistent, low-visibility access to sensitive data flows. By sitting upstream of the victim's environment, the attackers can observe, and selectively manipulate, traffic without breaching a single corporate system directly.

How SOHO Router Compromise Leads to DNS Hijacking

Once it has access to a router, Forest Blizzard changes the router's configuration so that it advertises attacker-controlled DNS resolvers. Devices behind the router then send their DNS queries to the attacker's servers, with no change on the endpoints themselves.

Most endpoints obtain their network configuration, including their DNS server addresses, from the router over the Dynamic Host Configuration Protocol (DHCP). A compromised router therefore hands the malicious DNS settings to every client on its next lease, which makes the SOHO router an efficient and scalable point of interception.

The group is believed to run the legitimate dnsmasq utility to handle the hijacked queries. dnsmasq is a common DNS forwarder and DHCP server in home networks; in this role it lets the attackers log every query and either forward it to a real resolver or answer it themselves, so that resolution looks normal from the victim's side.

Forest Blizzard’s Use of Adversary-in-the-Middle Attacks

Beyond passive surveillance, Forest Blizzard has used the compromised routers to stage adversary-in-the-middle (AiTM) attacks. These target Transport Layer Security (TLS) connections in order to intercept the communications they protect.

Most hijacked queries are simply forwarded to legitimate resolvers and answered correctly, so users reach the real services and notice nothing. For selected high-value targets, however, the attackers return spoofed answers for specific domains, sending the victim to infrastructure Forest Blizzard controls.

The attacker's server then presents a TLS certificate that imitates the legitimate service, such as Outlook on the web, but that the client cannot validate. If the user clicks through the certificate warning, the attacker terminates the TLS session, reads the plaintext, including emails and other cloud-hosted content, and relays it onward. This step therefore depends on the user accepting the warning; a client that refuses the invalid certificate is not exposed to it.

Researchers have identified two notable AiTM scenarios:

  • Attacks on Microsoft 365 domains, particularly Outlook on the web.
  • Targeted operations against government servers in at least three African countries, where DNS interception facilitated further data collection.

Mitigation Strategies Against Forest Blizzard Threats

To reduce the risk from SOHO router compromise, the guidance covers both DNS and identity. For DNS, organizations should enforce domain-based access controls using Zero Trust DNS (ZTDNS), block known-malicious domains, and keep detailed DNS logs so that an unexpected resolver, or an unexpected answer for a sensitive domain, can be spotted. Enabling the network and web protection features in Microsoft Defender for Endpoint adds a further layer.
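The two observable traces of this campaign are a DHCP-advertised resolver that the organization does not sanction (the router reconfiguration described above) and a monitored domain resolving to an address outside its expected ranges (the spoofed answers used for AiTM). The following is an added example, not code from the original article or from Microsoft, of a detection check over DNS logs that flags both. The log line format, the approved resolver list, the expected-answer prefixes and every address are constructed for illustration; a real deployment would populate the prefixes from the provider's published ranges and adapt the parser to its own resolver's log format.

```python
"""Flag unapproved DNS resolvers and out-of-range answers for monitored domains.

Added example for the DNS hijack described in the article. All addresses,
prefixes and log lines are constructed (TEST-NET / RFC 1918 ranges), not real
campaign indicators.
"""
import ipaddress
import re

# Resolvers the organisation sanctions (assumed list). A router reconfigured to
# advertise an attacker-controlled resolver over DHCP shows up as an address
# outside this set.
APPROVED_RESOLVERS = [
    ipaddress.ip_network("10.10.0.0/24"),    # assumed internal resolvers
    ipaddress.ip_network("192.168.1.1/32"),  # assumed: the router, forwarding upstream
]

# Monitored high-value domains and the prefixes their A/AAAA answers should fall
# in. TEST-NET placeholders; replace with the provider's published ranges.
EXPECTED_ANSWERS = {
    "outlook.office.com": [ipaddress.ip_network("203.0.113.0/24")],
    "login.microsoftonline.com": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed log format (not any vendor's): one record per answer.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) "
    r"qtype=(?P<qtype>\S+) answer=(?P<answer>\S+) resolver=(?P<resolver>\S+)$"
)

# Constructed sample: the third and fourth lines come from a client whose router
# now hands out 192.0.2.53, and the third also received a spoofed answer.
SAMPLE_LOG = """\
2025-09-01T08:00:01Z client=192.168.1.50 qname=outlook.office.com qtype=A answer=203.0.113.7 resolver=192.168.1.1
2025-09-01T08:00:02Z client=192.168.1.50 qname=example.net qtype=A answer=198.18.0.9 resolver=192.168.1.1
2025-09-01T08:05:10Z client=192.168.1.77 qname=outlook.office.com qtype=A answer=192.0.2.44 resolver=192.0.2.53
2025-09-01T08:05:11Z client=192.168.1.77 qname=login.microsoftonline.com qtype=A answer=198.51.100.20 resolver=192.0.2.53
""".splitlines()


def _in_any(ip, networks):
    """True if ip falls inside any of the given networks (version-safe)."""
    return any(ip in net for net in networks)


def check_dhcp_resolvers(offered):
    """Return the DHCP-offered DNS servers that are not in APPROVED_RESOLVERS.

    Feed this the resolver list a client actually received from its lease; a
    non-empty result means the router is advertising a resolver you do not own.
    """
    return [ip for ip in offered
            if not _in_any(ipaddress.ip_address(ip), APPROVED_RESOLVERS)]


def parse_dns_log(line):
    """Parse one constructed-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_anomalies(lines):
    """Scan log lines and return (kind, client, qname, value) findings.

    kind is "unapproved_resolver" when the answering resolver is outside the
    sanctioned set, and "unexpected_answer" when a monitored domain resolved to
    an address outside its expected prefixes (the AiTM precondition).
    """
    findings = []
    for line in lines:
        rec = parse_dns_log(line)
        if rec is None:
            continue
        if not _in_any(ipaddress.ip_address(rec["resolver"]), APPROVED_RESOLVERS):
            findings.append(("unapproved_resolver", rec["client"],
                             rec["qname"], rec["resolver"]))
        expected = EXPECTED_ANSWERS.get(rec["qname"].lower().rstrip("."))
        if expected and rec["qtype"] in ("A", "AAAA"):
            try:
                answer = ipaddress.ip_address(rec["answer"])
            except ValueError:
                continue  # NXDOMAIN / SERVFAIL style answers carry no address
            if not _in_any(answer, expected):
                findings.append(("unexpected_answer", rec["client"],
                                 rec["qname"], rec["answer"]))
    return findings


if __name__ == "__main__":
    print("rogue DHCP resolvers:", check_dhcp_resolvers(["192.168.1.1", "192.0.2.53"]))
    for finding in find_anomalies(SAMPLE_LOG):
        print(*finding)
```

The answer-range check is deliberately limited to domains you enumerate: checking every name against expected prefixes is not feasible, but the domains an AiTM operator would spoof (mail, identity provider, VPN portal) are few and known in advance. A hit on `unapproved_resolver` alone already indicates the router's DHCP configuration has changed and is the earlier of the two signals.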

Identity controls matter just as much, because credentials captured through AiTM are the attacker's real prize. Centralizing identity management, enforcing multifactor authentication (MFA), and applying Conditional Access policies limit what stolen credentials are worth. Moving to passwordless sign-in with passkeys, and restricting authentication to trusted devices and locations, further reduces the impact.

Source: thecyberexpress.com

