Nation-state
Apr 8, 2026

Russian Forest Blizzard Hackers Hijack Home Routers for Global Spying

Russian Forest Blizzard group hijacks home routers for DNS-based espionage targeting 5,000+ devices globally.

Summary

Microsoft Threat Intelligence revealed that Forest Blizzard (Fancy Bear), a Russian military-linked hacking group, has compromised over 5,000 home and small-office routers to conduct DNS hijacking and surveillance operations since at least August 2025. The attackers use legitimate tools like dnsmasq to intercept traffic and perform adversary-in-the-middle attacks, specifically targeting Microsoft Outlook users and impacting 200 organizations across energy, IT, and telecommunications sectors, including three African government agencies. The campaign exploits weak security in SOHO devices to gain persistent reconnaissance access and intercept sensitive data from remote workers.

Full text

Microsoft Threat Intelligence reveals how Russian hacking group Forest Blizzard uses home routers for DNS hijacking and spying.

by Deeba Ahmed, April 8, 2026

A hacking group linked to Russian military intelligence, identified as Forest Blizzard (aka Fancy Bear), has been caught exploiting thousands of home and small-office routers to conduct a massive surveillance operation. According to Microsoft Threat Intelligence, which published its findings on April 7, the group has been manipulating these everyday internet devices to intercept private data and monitor network traffic on a global scale.

While this activity has been tracked since at least August 2025, the scale of the operation is only now becoming clear. The research indicates that the group, and a sub-group tracked as Storm-2754, is using these common devices to create a hidden network for international espionage.

The hackers focus their efforts on Small Office/Home Office (SOHO) devices. These routers are a preferred target because they generally lack the security controls found in large corporate networks. Researchers noted that the attackers break into these devices to perform DNS hijacking, a technique that reroutes a user's internet traffic. The Domain Name System (DNS) acts like the internet's phonebook, translating website names into the numeric addresses computers use to connect; by taking control of that step, the hackers can silently direct users to servers they control.

Further investigation revealed the group used a legitimate tool called dnsmasq to manage these redirections, providing them with what researchers described as "persistent, passive visibility and reconnaissance at scale."

Targeted Attacks on Private Data

The scope of the operation is worrying, with over 5,000 consumer devices and 200 organisations impacted so far. Microsoft researchers noted that the campaign has evolved beyond simple monitoring into Adversary-in-the-Middle (AiTM) attacks, in which the hackers position themselves between a user and the service they are trying to reach. Notably, they specifically targeted Microsoft Outlook web users to intercept emails and sensitive content. The energy, IT, and telecommunications sectors have been primary targets, and the research reveals the group successfully intercepted data from three government organisations in Africa.

Image caption: How compromised routers are used for DNS hijacking (Credit: Microsoft)

Securing the Remote Workforce

The research highlights a major risk for businesses. Researchers wrote that "compromised home and small-office network infrastructure can expose cloud access and sensitive data," even when the main office network remains secure. This is particularly concerning for the growing number of people working in hybrid or remote environments.

To mitigate these risks, Microsoft recommends using multi-factor authentication (MFA) and passwordless logins to prevent hackers from using stolen credentials. Furthermore, organisations are encouraged to avoid using basic home routers for corporate tasks and to ensure all devices are kept up to date, since the security of an entire network depends on the strength of these individual devices.
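The article describes the hijack at the level of the router's resolver: dnsmasq, a forwarder shipped on many SOHO devices, is configured to answer or forward selected names differently. A defender who can pull a router's dnsmasq configuration can audit it for exactly that. The following is an added example written for this page, not code from the article or from Microsoft. The sample configuration, the watched domain list and the approved resolver set are constructed for illustration; the directive syntax (`address=`, `server=`, `dhcp-option=`) follows dnsmasq.conf(5), and documentation addresses (198.51.100.x, 203.0.113.x) stand in for off-network hosts.

```python
"""Audit a dnsmasq configuration for DNS overrides and resolver changes
that would let a compromised SOHO router hijack name resolution.

Constructed defender example: sample config, watched domains and the
approved upstream set are illustrative, not from any real device.
"""
import ipaddress
from dataclasses import dataclass

# Domains a remote worker's cloud access depends on (constructed list).
WATCHED_DOMAINS = ("outlook.office.com", "login.microsoftonline.com")

# Upstream resolvers the organisation has approved (constructed list).
APPROVED_UPSTREAMS = {"1.1.1.1", "9.9.9.9"}

# Ranges a router legitimately points clients at: its LAN side, loopback,
# link-local and the 0.0.0.0 sink-hole. Checked explicitly instead of via
# ipaddress.is_global so the IPv4 documentation ranges used as placeholders
# below are treated as off-network, like a real public address would be.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/32", "::1/128", "fe80::/10", "fc00::/7")]


@dataclass(frozen=True)
class Finding:
    line_no: int
    severity: str  # "high": watched domain affected; "medium": unexpected resolver/host
    detail: str


def parse_dnsmasq(text):
    """Yield (line_no, key, value) per directive; dnsmasq comments start the line with '#'."""
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        yield n, key.strip(), value.strip()


def _covers(override, watched):
    """True if a match on `override` affects `watched`. dnsmasq matches a domain and
    every name under it, and '#' matches all names; a more specific override
    beneath a watched domain is reported too."""
    if override == "#":
        return True
    o, w = override.lower().rstrip("."), watched.lower()
    return o == w or w.endswith("." + o) or o.endswith("." + w)


def _as_ip(field):
    """Parse an address field, dropping dnsmasq's optional #port and @interface suffixes."""
    try:
        return ipaddress.ip_address(field.split("#", 1)[0].split("@", 1)[0])
    except ValueError:
        return None


def _is_lan(ip):
    return any(ip in net for net in LAN_RANGES)


def audit_dnsmasq(text, watched=WATCHED_DOMAINS, approved=APPROVED_UPSTREAMS):
    """Return findings for overrides touching watched domains and for resolvers
    that are neither on the LAN nor in the approved set."""
    findings = []
    for n, key, value in parse_dnsmasq(text):
        if key == "address":
            # address=/dom1/dom2/[ip]; an empty ip answers NXDOMAIN for those names
            parts = value.split("/")
            domains, target = parts[1:-1], parts[-1]
            ip = _as_ip(target)
            for d in domains:
                hit = [w for w in watched if _covers(d, w)]
                if hit:
                    findings.append(Finding(n, "high", f"address= pins {d} (covers {', '.join(hit)}) to {target or 'NXDOMAIN'}"))
                elif ip is not None and not _is_lan(ip):
                    findings.append(Finding(n, "medium", f"address= pins {d} to off-network host {ip}"))
        elif key == "server":
            # server=/dom/upstream[#port][@iface] or server=upstream; empty or '#' upstream = normal servers
            parts = value.split("/") if value.startswith("/") else ["", value]
            domains, upstream = parts[1:-1], parts[-1]
            ip = _as_ip(upstream)
            hit = [w for d in domains for w in watched if _covers(d, w)]
            if hit:
                findings.append(Finding(n, "high", f"server= forwards {', '.join(hit)} to {upstream}"))
            elif ip is not None and not _is_lan(ip) and str(ip) not in approved:
                findings.append(Finding(n, "medium", f"server= uses non-approved upstream {ip}"))
        elif key == "dhcp-option":
            # dhcp-option=[tag:x,]6,ip,... or option:dns-server,ip,...: resolvers handed to LAN clients
            fields = [f for f in value.split(",") if not f.startswith(("tag:", "net:"))]
            if fields and fields[0] in ("6", "option:dns-server"):
                for ip in (_as_ip(f) for f in fields[1:]):
                    if ip is not None and not _is_lan(ip) and str(ip) not in approved:
                        findings.append(Finding(n, "medium", f"DHCP hands clients non-approved resolver {ip}"))
    return findings


SAMPLE_CONF = """\
# Constructed sample, not a dump from a real device; 198.51.100.x and
# 203.0.113.x are documentation addresses standing in for off-network hosts.
domain-needed
bogus-priv
server=1.1.1.1
address=/router.lan/192.168.1.1
address=/ads.example/0.0.0.0
address=/office.com/203.0.113.77
server=/login.microsoftonline.com/198.51.100.9#5353
dhcp-option=6,192.168.1.1
dhcp-option=option:dns-server,198.51.100.9
"""

if __name__ == "__main__":
    for f in audit_dnsmasq(SAMPLE_CONF):
        print(f"line {f.line_no:>3} [{f.severity}] {f.detail}")
```

Run against the constructed sample, the audit reports the `office.com` pin (which silently covers `outlook.office.com`, since dnsmasq matches subdomains), the per-domain forward of `login.microsoftonline.com` to an unapproved host, and the DHCP option that hands clients an off-network resolver; the router's own LAN pins, the ad sink-hole and the approved upstream produce nothing. Note that an override of a parent domain is why the check must compare suffixes in both directions rather than look for the exact watched name.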

Indicators of Compromise

  • malware — dnsmasq
  • mitre_attack — T1557.002
  • mitre_attack — T1040

Entities

  • Forest Blizzard (threat_actor)
  • Fancy Bear (threat_actor)
  • Storm-2754 (threat_actor)
  • Microsoft (vendor)
  • Microsoft Outlook (product)
  • DNS hijacking (technology)