US Disrupts Russian Espionage Operation Involving Hacked Routers and DNS Hijacking
The APT28 threat group exploited vulnerable TP-Link and MikroTik routers to conduct adversary-in-the-middle (AitM) attacks.

Aggregated from SecurityWeek
The US Justice Department and the FBI announced on Tuesday that they have disrupted a network of hacked SOHO routers that Russia used in an espionage operation.
According to US authorities, the attacks have been tied to the threat actor known as APT28, Forest Blizzard, and Fancy Bear, which is widely believed to be backed by Russia’s General Staff Main Intelligence Directorate (GRU).
The hackers targeted vulnerable TP-Link and MikroTik routers, changing their DHCP and DNS settings so that traffic from devices connected to these routers would go through the attackers’ infrastructure.
By conducting this adversary-in-the-middle (AitM) attack, the cyberspies captured traffic the victim would assume was encrypted, harvesting passwords, authentication tokens, emails, and web browsing data.
However, the AitM attack only worked if users ignored invalid TLS certificate warnings triggered by the use of the attacker-controlled infrastructure.
According to the FBI, the hackers exploited a known vulnerability tracked as CVE-2023-50224 to take control of TP-Link routers.
“The GRU has indiscriminately compromised a wide pool of U.S. and global victims and then filtered down impacted users, especially targeting information related to military, government, and critical infrastructure,” the agency said.
Microsoft attributed the attack to Forest Blizzard and a subgroup it tracks as Storm-2754. The tech giant reported identifying more than 200 organizations and 5,000 consumer devices impacted by the attack.
Microsoft has shared some technical details on how the attack was carried out:
“Forest Blizzard gained access to SOHO devices then altered their default network configurations to use actor-controlled DNS resolvers. This malicious re-configuration resulted in thousands of devices sending their DNS requests to actor-controlled servers.
[…]Forest Blizzard is almost certainly using the dnsmasq utility to perform DNS resolution and provide responses while listening on port 53 for DNS queries. The dnsmasq utility is a legitimate tool that provides lightweight network services widely used in home routers or smaller networks. Among its services are DNS forwarding and caching and a DHCP server, which collectively enable upstream DNS query forwarding and IP address assignment on a local network.
[…]
In most cases, the DNS requests appear to have been transparently proxied by the actor’s infrastructure, resulting in connections to the legitimate service endpoints without interruption. However, in a limited number of compromises, the threat actor spoofed DNS responses for specifically targeted domains to force impacted endpoints to connect to infrastructure controlled by the threat actor.”
Microsoft noted that, in addition to harvesting information, such AitM attacks can be used for malware deployment or DoS attacks.
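The two symptoms described above, a router handing out actor-controlled DNS resolvers over DHCP and a resolver that passes most queries through but spoofs answers for a few targeted domains, can both be checked from data a defender already has. The following script is an added example (not code from the article, Microsoft or Lumen); the allowlist, the DHCP offer and the resolver answers are constructed sample values in documentation address ranges.

```python
"""Audit DHCP-offered resolvers and compare resolver answers to spot DNS hijacking."""
import ipaddress

# Assumed allowlist (constructed): the router's own LAN address plus the
# ISP/corporate resolvers that should be the only ones offered via DHCP.
EXPECTED_RESOLVERS = {"192.168.1.1", "203.0.113.53", "203.0.113.54"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_dhcp_resolvers(offered, expected=EXPECTED_RESOLVERS):
    """Return (address, kind) for every DHCP-offered DNS server not on the allowlist.

    kind is "lan" for RFC 1918 space (another device on the LAN answering DNS)
    or "external" for anything else, which is the pattern of a router that was
    reconfigured to point clients at resolvers outside the network.
    """
    suspicious = []
    for addr in offered:
        ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
        if addr in expected:
            continue
        kind = "lan" if any(ip in net for net in RFC1918) else "external"
        suspicious.append((addr, kind))
    return suspicious


def find_spoofed_domains(local_answers, reference_answers):
    """Compare A records from the locally configured resolver with a reference resolver.

    Both arguments map domain -> set of IP strings. A domain whose local answer
    shares no address with the reference answer is flagged. Treat this as a lead,
    not proof: CDN-hosted names can legitimately differ between resolvers, so a
    hit is a reason to inspect the router, not an automatic verdict.
    """
    spoofed = {}
    for domain, local in local_answers.items():
        ref = reference_answers.get(domain, set())
        if ref and not (local & ref):
            spoofed[domain] = {"local": sorted(local), "reference": sorted(ref)}
    return spoofed


# Constructed sample observations (documentation ranges, not real indicators).
OFFERED = ["192.168.1.1", "198.51.100.7"]            # DNS servers seen in a DHCP offer
LOCAL = {"mail.example.org": {"198.51.100.20"},       # answers from the router's resolver
         "www.example.net": {"192.0.2.80"}}
REFERENCE = {"mail.example.org": {"192.0.2.10"},      # answers from a known-good resolver
             "www.example.net": {"192.0.2.80"}}

if __name__ == "__main__":
    print(audit_dhcp_resolvers(OFFERED))      # [('198.51.100.7', 'external')]
    print(find_spoofed_domains(LOCAL, REFERENCE))
```

The sample data reproduces the pattern Microsoft describes: the second-level domain resolves identically through both resolvers, while the mail domain is redirected only by the local one.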
Lumen Technologies, whose Black Lotus Labs has been tracking the campaign as FrostArmada, said the router attacks appear to have started in August 2025, shortly after the UK announced sanctions against Russian hackers and described a campaign named Authentic Antics, in which hackers targeted Microsoft cloud accounts.
“At the peak of activity in December 2025, Lumen detected over 18,000 unique IPs from at least 120 countries communicating with Forest Blizzard’s infrastructure. These operations primarily targeted government agencies—including ministries of foreign affairs, law enforcement, and third-party email providers,” Lumen said.
The company assisted Microsoft and the US authorities in disrupting the infrastructure used in this campaign.
The UK’s National Cyber Security Centre (NCSC) has published its own advisory, providing a long list of indicators of compromise (IoCs), including VPS banners, targeted router models, domains, IP addresses associated with attacker infrastructure, and MITRE ATT&CK mapping.
The NCSC has also shared recommendations for defending against such attacks.
In early 2024, the FBI announced it had disrupted a SOHO router botnet used by the same Russian threat group.