Russia's Forest Blizzard Nabs Rafts of Logins Via SOHO Routers
Dark Reading
Heard of fileless malware? How about malwareless cyber espionage? Russia's APT28 is spying on global organizations by modifying just one DNS setting in vulnerable routers.
Nate Nelson, Contributing Writer
April 8, 2026
6 Min Read
SOURCE: LUKAS JONAITIS VIA ALAMY STOCK PHOTO
A Russian espionage group has been silently sniffing Internet traffic from targets across the planet for more than a year now, using old bugs in unloved and Internet-exposed small office/home office (SOHO) routers. Victims include ministries of foreign affairs and national law-enforcement bodies in North Africa, Central America, and Southeast Asia, plus a national identity platform and a variety of third-party service providers in Europe, and targets in 23 US states.
One might imagine that international cyber espionage requires lots of effort and sophisticated tools, like malware with never-before-seen evasive techniques, or zero-day vulnerabilities. But Russia's APT28 (aka Fancy Bear or Forest Blizzard, among other monikers) and its subgroup Storm-2754 have proven that this simply isn't the case.
Since at least May 2025, if not 2024, the Russian Main Directorate of the General Staff of the Armed Forces (GRU)-backed threat group has been intercepting Internet traffic at middle- and high-value organizations worldwide simply by exploiting old bugs in edge devices — primarily, but not exclusively, MikroTik and TP-Link routers — and reconfiguring them to direct traffic through malicious virtual private servers (VPS). According to researchers with Lumen's Black Lotus Labs and Microsoft, this low-effort campaign has empowered the threat actor to sniff Web traffic with aplomb and steal credentials for email and Web services on an ongoing basis.
On April 7, the US Justice Department (DoJ) announced a large-scale and court-ordered disruption effort called "Operation Masquerade," aimed at pushing back the portion of APT28's campaign that's affected the US. The DoJ indicated that military, government, and critical infrastructure organizations had been targeted through the Trojanized routers.
The campaign is far from limited to the US, though, as noted. At its peak in December 2025, Black Lotus Labs identified 18,000 unique IP addresses across at least 120 countries that were communicating with the attackers' infrastructure. Microsoft identified more than 200 impacted organizations, plus more than 5,000 consumer devices.
Russian Cyber Espionage Via SOHO Routers
APT28's game is email spying. Since its early, high-profile cyberattacks around the 2016 election, the game has been about getting access to email accounts belonging to organizations and individuals of interest to the Russian state. To support its raison d'etre, it continuously tries out new techniques for achieving the same end goal.
In this latest campaign, APT28's path to email compromise primarily went through SOHO routers from MikroTik and TP-Link, and in fewer cases firewall products from Nethesis and Fortinet. The hackers targeted known vulnerabilities that gave them access to router management interfaces. For example, one bug the group scanned the Web for was CVE-2023-50224: a medium-severity information disclosure issue affecting TP-Link, which doesn't require authentication to exploit. This three-year-old vulnerability allowed the attackers to remotely administer routers and modify their Domain Name System (DNS) settings to route traffic through a VPS they controlled. Whenever someone using the router requested a website, that request would pass through APT28's infrastructure. If the website was one that APT28 was interested in — like Microsoft Outlook on the Web — it would proxy that request, stealing the victim's credentials as they signed in to that online service.
"One of the things that piqued my interest: there is no malware," Danny Adamitis, principal information security engineer at Black Lotus Labs, tells Dark Reading. "If you were to have your router getting logged into, even if you were to hypothetically scan it all with an endpoint detection and response (EDR) tool or upload everything to VirusTotal, there is nothing there. The only thing they're doing is modifying just one entry of your DNS settings, to route traffic to a server that they control and administrate."
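Because the only artifact on the device is the changed resolver entry, the defender's check is a configuration audit rather than a malware scan. The following is an added example (not code from Lumen, Microsoft, or this article) that audits a snapshot of a router's DNS state for exactly that change; the snapshot format, the provisioned resolver 192.0.2.53, and the pinned webmail addresses are constructed placeholders.

```python
# Added example: audit a snapshot of a SOHO router's DNS state for the
# one-setting hijack described above. Not code from Lumen, Microsoft or
# Dark Reading; input format and all addresses are constructed placeholders.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    kind: str    # "unexpected-resolver" or "unexpected-answer"
    detail: str

def audit_resolvers(configured, expected):
    """Any upstream resolver the router forwards to that we did not
    provision is precisely the change the campaign makes; report each."""
    return [Finding("unexpected-resolver", srv)
            for srv in sorted(set(configured) - set(expected))]

def audit_answers(observed, pinned):
    """Compare the addresses the router's resolver handed out for sensitive
    names against a pinned allow-list. Pin only names whose legitimate
    address set you can enumerate (your own services or a small fixed set);
    CDN-backed names rotate addresses and would produce noise here."""
    findings = []
    for name, allowed in pinned.items():
        rogue = set(observed.get(name, ())) - set(allowed)
        if rogue:
            findings.append(Finding("unexpected-answer",
                                    f"{name} -> {','.join(sorted(rogue))}"))
    return findings

def audit_router(snapshot, expected_resolvers, pinned_answers):
    """snapshot = {"resolvers": [ip, ...], "answers": {name: [ip, ...]}}"""
    return (audit_resolvers(snapshot["resolvers"], expected_resolvers)
            + audit_answers(snapshot["answers"], pinned_answers))

# Constructed sample: the organisation provisions 192.0.2.53 only; the router
# now also forwards to an unknown host, and webmail resolves to that host.
EXPECTED_RESOLVERS = ["192.0.2.53"]
PINNED_ANSWERS = {"webmail.example": ["198.51.100.10", "198.51.100.11"]}
SAMPLE_SNAPSHOT = {
    "resolvers": ["192.0.2.53", "203.0.113.7"],
    "answers": {"webmail.example": ["203.0.113.7"],
                "intranet.example": ["198.51.100.20"]},  # not pinned: ignored
}

def demo():
    return audit_router(SAMPLE_SNAPSHOT, EXPECTED_RESOLVERS, PINNED_ANSWERS)

if __name__ == "__main__":
    for finding in demo():
        print(finding.kind, finding.detail)
```

Feed it a periodic export of each router's resolver list plus a handful of lookups performed through the router; a hit on either check is the signal that, as Adamitis notes, nothing else on the device will give you.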
Researchers differ on when exactly APT28 started doing all this. Microsoft suggested that it began at least last August. Black Lotus Labs cited May of last year, at which point it identified a compromised router associated with the government of Afghanistan. The DoJ's Operation Masquerade press release suggested that it dates all the way back to "at least 2024."
Whenever it was, it was right on time. On Aug. 6, 2025, the United Kingdom's National Cyber Security Centre (NCSC) published a report on "Authentic Antics," about an APT28 malware tool designed to nab Microsoft Office credentials and tokens. APT28 might have been deterred, if it weren't so utterly prepared. The very next day, with its tactics, techniques, and procedures (TTPs) exposed, it simply shifted course, committing to its new campaign against SOHO routers, as shown in the chart below:
Source: Lumen
Is DNS a Cyber Risk Problem?
Ryan English, information security engineer at Lumen Technologies, suggests that organizations do their best to move away from SOHO routers, but recognizes the reasons they're so prevalent.
"It seems odd that some of these governments that were targets [of APT28] would be using small office/home office routers," he admits, but adds that "it's a question of economics, convenience, and access. Some governments might make the choice to use this because it works perfectly well. But you can't inspect the logs on a lot of these SOHO routers. Some of them are not easy to manually update whenever there's patching needed. So they're vulnerable as sort of a condition of their existence."
For Adamitis, APT28's campaign is about a much more significant and intractable issue with one of the Internet's foundational systems: DNS — a common target for APT28.
To demonstrate the point, he draws a parallel with Google Maps. When one uses Google Maps, "I just trust that Google can tell me the right way to go, because that's how the system is supposed to work. You're not actually going and pulling up a separate map and making sure that it's the correct route," Adamitis explains.
In the same sense, "users trust that DNS can tell you where your server is," he notes. "[But APT28] is modifying all that in the back end. And I think that's kind of why everyone was so freaked out about this."
The router side of this campaign, Adamitis argues, is simple enough: between patching and other basic cyber hygiene, whether one does it oneself or hires a firm to help, "there are mechanisms to try to stay on top of that router ecosystem. There is no equivalent for the DNS space. DNS by its nature is a decentralized system that no one's really accountable for. And because no one's really accountable for it, [when something goes wrong], you end up with the Spider-Man meme, where everyone points to each other and goes, 'No, it's their fault.'"
"It truly is, in my mind, the Wild West," he says.
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.