
US Disrupts Russian Espionage Operation Involving Hacked Routers and DNS Hijacking

SecurityWeek, Apr 08, 2026

The APT28 threat group exploited vulnerable TP-Link and MikroTik routers to conduct adversary-in-the-middle (AitM) attacks.

The US Justice Department and the FBI announced on Tuesday that they have disrupted a network of hacked SOHO routers that Russia used in an espionage operation.

According to US authorities, the attacks have been tied to the threat actor known as APT28, Forest Blizzard, and Fancy Bear, which is widely believed to be backed by Russia’s General Staff Main Intelligence Directorate (GRU).

The hackers targeted vulnerable TP-Link and MikroTik routers, changing their DHCP and DNS settings so that traffic from devices connected to these routers would go through the attackers’ infrastructure. By conducting this adversary-in-the-middle (AitM) attack, the cyberspies captured traffic the victim would assume was encrypted, harvesting passwords, authentication tokens, emails, and web browsing data. However, the AitM attack only worked if users ignored the invalid TLS certificate warnings triggered by the attacker-controlled infrastructure, since that infrastructure could not present a valid certificate for the sites it impersonated.

According to the FBI, the hackers exploited a known vulnerability tracked as CVE-2023-50224 to take control of TP-Link routers. “The GRU has indiscriminately compromised a wide pool of U.S. and global victims and then filtered down impacted users, especially targeting information related to military, government, and critical infrastructure,” the agency said.

Microsoft attributed the attack to Forest Blizzard and a subgroup it tracks as Storm-2754. The tech giant reported identifying more than 200 organizations and 5,000 consumer devices impacted by the attack. Microsoft has shared some technical details on how the attack was carried out:

“Forest Blizzard gained access to SOHO devices then altered their default network configurations to use actor-controlled DNS resolvers. This malicious re-configuration resulted in thousands of devices sending their DNS requests to actor-controlled servers.
[…] Forest Blizzard is almost certainly using the dnsmasq utility to perform DNS resolution and provide responses while listening on port 53 for DNS queries. The dnsmasq utility is a legitimate tool that provides lightweight network services widely used in home routers or smaller networks. Among its services are DNS forwarding and caching and a DHCP server, which collectively enable upstream DNS query forwarding and IP address assignment on a local network. […] In most cases, the DNS requests appear to have been transparently proxied by the actor’s infrastructure, resulting in connections to the legitimate service endpoints without interruption. However, in a limited number of compromises, the threat actor spoofed DNS responses for specifically targeted domains to force impacted endpoints to connect to infrastructure controlled by the threat actor.”

Microsoft noted that, in addition to harvesting information, such AitM attacks can be used for malware deployment or DoS attacks.

Lumen Technologies, whose Black Lotus Labs has been tracking the campaign as FrostArmada, said the router attacks appear to have started in August 2025, shortly after the UK announced sanctions against Russian hackers and described a campaign named Authentic Antics, in which hackers targeted Microsoft cloud accounts.

“At the peak of activity in December 2025, Lumen detected over 18,000 unique IPs from at least 120 countries communicating with Forest Blizzard’s infrastructure. These operations primarily targeted government agencies—including ministries of foreign affairs, law enforcement, and third-party email providers,” Lumen said. The company assisted Microsoft and the US authorities in disrupting the infrastructure used in this campaign.
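The two behaviours Microsoft describes, a router whose DHCP now hands clients an actor-controlled resolver and a resolver that answers most queries honestly but spoofs a few targeted domains, are both visible from an ordinary client on the LAN. The script below is an added example written for this page, not code from SecurityWeek, Microsoft, Lumen or the NCSC, and the lease file, resolver allowlist and dig-style answers it checks are constructed here so it runs offline (documentation address ranges, not real hosts). In practice you would feed it the text of your dhclient.leases or resolv.conf, the output of `dig +noall +answer` against the LAN resolver, and the same query set against a resolver you reach independently of the router.

```python
"""Client-side checks for router DHCP/DNS hijacking of the kind described above.

Signal 1: DHCP is pushing a DNS resolver that is not on your allowlist.
Signal 2: sensitive domains resolve via the LAN resolver to an address the
          reference resolver never returns, and that address is shared by
          several unrelated domains (the AitM "funnel").
All inputs in this file are constructed for the example.
"""
import ipaddress
import re

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolvers_from_lease(lease_text):
    """Return the 'option domain-name-servers' addresses from a dhclient lease file."""
    servers = []
    for match in re.finditer(r"option domain-name-servers\s+([^;]+);", lease_text):
        servers.extend(s.strip() for s in match.group(1).split(","))
    return servers


def resolvers_from_resolv_conf(text):
    """Return the nameserver addresses from /etc/resolv.conf."""
    return [line.split()[1] for line in text.splitlines()
            if line.strip().startswith("nameserver")]


def audit_resolvers(servers, trusted):
    """Flag every resolver outside the trusted set, with a reason."""
    findings = []
    for server in servers:
        if server in trusted:
            continue
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            findings.append((server, "not an IP address"))
            continue
        if any(ip in net for net in PRIVATE_NETS):
            findings.append((server, "LAN address not in trusted set"))
        else:
            findings.append((server, "public resolver pushed by DHCP, not in trusted set"))
    return findings


def parse_dig_answers(text):
    """Parse A records from `dig +noall +answer` output into {name: {ip, ...}}."""
    answers = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN" and parts[3] == "A":
            answers.setdefault(parts[0].rstrip("."), set()).add(parts[4])
    return answers


def compare_answers(local, reference):
    """Domains whose LAN answer shares no address with the reference answer."""
    mismatched = {}
    for name, ref_ips in reference.items():
        local_ips = local.get(name, set())
        if local_ips and not (local_ips & ref_ips):
            mismatched[name] = (local_ips, ref_ips)
    return mismatched


def shared_answer_ips(answers, min_domains=2):
    """Addresses that several distinct domains resolve to: the spoofing funnel."""
    by_ip = {}
    for name, ips in answers.items():
        for ip in ips:
            by_ip.setdefault(ip, set()).add(name)
    return {ip: names for ip, names in by_ip.items() if len(names) >= min_domains}


# Constructed sample input: a lease pushing a public resolver nobody asked for,
# and a LAN resolver that spoofs two targeted names to one address.
LEASE = """lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option routers 192.168.1.1;
  option domain-name-servers 198.51.100.53, 192.168.1.1;
}
"""
TRUSTED = {"192.168.1.1", "1.1.1.1", "9.9.9.9"}
LOCAL_DIG = ("mail.example.gov.\t60\tIN\tA\t198.51.100.77\n"
             "login.example.gov.\t60\tIN\tA\t198.51.100.77\n"
             "www.example.org.\t3600\tIN\tA\t203.0.113.10\n")
REFERENCE_DIG = ("mail.example.gov.\t300\tIN\tA\t192.0.2.25\n"
                 "login.example.gov.\t300\tIN\tA\t192.0.2.26\n"
                 "www.example.org.\t3600\tIN\tA\t203.0.113.10\n")


def run_checks(lease_text=LEASE, trusted=TRUSTED,
               local_dig=LOCAL_DIG, reference_dig=REFERENCE_DIG):
    """Run both checks and return the findings as a dict."""
    local = parse_dig_answers(local_dig)
    return {
        "bad_resolvers": audit_resolvers(resolvers_from_lease(lease_text), trusted),
        "mismatched": compare_answers(local, parse_dig_answers(reference_dig)),
        "funnel_ips": shared_answer_ips(local),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

The answer comparison on its own is a heuristic: CDN-fronted and geo-routed domains legitimately return different addresses to different resolvers, so treat a mismatch as a prompt to look closer, not a verdict. The funnel check is the stronger signal, because unrelated domains collapsing onto one address is exactly what selective spoofing produces and rarely happens by accident. For matching against the actor's actual infrastructure, use the domains and IP addresses in the NCSC advisory rather than guesswork, and remember the point the article makes about TLS: even with a hijacked resolver, the browser still raises a certificate warning for the spoofed site, so user training on not clicking through those warnings is part of the defence.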
The UK’s National Cyber Security Centre (NCSC) has published its own advisory, providing a long list of indicators of compromise (IoCs), including VPS banners, targeted router models, domains and IP addresses associated with attacker infrastructure, and a MITRE ATT&CK mapping. The NCSC has also shared recommendations for defending against such attacks.

In early 2024, the FBI announced it had disrupted a SOHO router botnet used by the same Russian threat group.

Written by Eduard Kovacs. Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.