'This puts organizations at risk of credential theft, data manipulation and broader compromise': UK government, Microsoft warn Russian hackers are hitting TP-Link home routers to hijack internet traffic

News
By published

SOHO endpoints are being used as gateways into corporate environments

Digital image of a lock.
Image Credit: Shutterstock (Image credit: Shutterstock)
  • Forest Blizzard (APT28) hijacks SOHO devices for espionage
  • Attackers reroute DNS traffic to enable surveillance and AiTM attacks
  • Campaign impacts 200+ organizations across government, IT, telecom, and energy sectors

Russian state-sponsored threat actors are targeting poorly protected Small Office/Home Office (SOHO) devices and using them to pivot into enterprise and corporate environments, experts have claimed.

A report from Microsoft Threat Intelligence has warned about a large-scale attack by Forest Blizzard (AKA APT28) targeting TP-Link routers.

So far, more than 200 organizations and more than 5,000 consumer devices have been impacted by the attack, Microsoft said, noting the group is mostly interested in cyber-espionage and intelligence gathering.

Article continues below

What happened?

The campaign apparently started in August 2025, and instead of targeting corporate networks directly, Forest Blizzard focused on edge devices such as home routers, which often lack strong security controls and oversight present in enterprise environments.

Microsoft did not explicitly say how the attackers break into these endpoints but suggests they might have default or easy-to-crack passwords or known but unpatched vulnerabilities that can easily be exploited.

Once inside, they change the devices’ configuration to route Domain Name System (DNS) traffic through infrastructure they control, allowing them to monitor, and even influence, how infected devices resolve domain names.

By operating at this upstream level, APT28 gained broad visibility into network activity across both consumer and enterprise environments. This not only allows them to conduct passive surveillance at scale but also prepares the terrain for more targeted follow-on attacks against organizations of higher value.

The DNS acts like the internet’s address book. So, instead of sending requests to legitimate DNS servers, compromised devices are actually being redirected to servers under the attackers’ control. In more targeted cases, the threat actors would manipulate DNS responses to redirect victims to fake versions of legitimate services, resulting in what’s known as an Adversary-in-the-Middle (AitM) attack.

This, in turn, allows APT28’s operatives to intercept data as it moves between the user and the real service.

If the victim ignores browser warnings about invalid security certificates (which, truth be told, many of us often do), the attackers may be able to capture sensitive information, including login credentials and emails.

Who is targeted?

Russian flag on a laptop

Russian hackers are interested in cyber-espionage and intelligence gathering. (Image credit: Shutterstock)

The campaign affects a wide range of sectors, Microsoft stressed, including government agencies, information technology, telecommunications, and energy. While thousands of home and small office devices were compromised, Forest Blizzard appears to use the most intrusive follow-on attacks selectively, focusing on high-value targets.

They use AitM attacks to intercept emails and cloud data, but the sheer number of compromised devices give them a lot of maneuver space, for possibly larger-scale campaigns in the future.

“While the number of organizations specifically targeted for TLS AiTM is only a subset of the networks with vulnerable SOHO devices, Microsoft Threat Intelligence assesses that the threat actor’s broad access could enable larger-scale AiTM attacks, which might include active traffic interception,” Microsoft warned.

“Targeting SOHO devices is not a new tactic, technique, or procedure (TTP) for Russian military intelligence actors, but this is the first time Microsoft has observed Forest Blizzard using DNS hijacking at scale to support AiTM of TLS connections after exploiting edge devices.”

To defend against DNS hijacking, Microsoft advises organizations enforce trusted DNS servers, block malicious domains, maintain DNS logs, and avoid SOHO devices in corporate networks.

For AiTM and credential theft, they recommend centralizing identity management, enabling Single Sign-On, enforcing multifactor authentication (MFA) and passkeys, applying Conditional Access policies, and monitoring risky sign-ins with continuous access evaluation. Organizations should log identity activity, protect privileged accounts with phishing-resistant MFA, and follow Microsoft’s incident response best practices for recovering from systemic identity compromises. Network protection via Microsoft Defender for Endpoint is also recommended to block malicious sites.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.