US Disrupts Russian Espionage Operation Involving Hacked Routers and DNS Hijacking
US disrupts Russian APT28 espionage operation using hacked routers for DNS hijacking and AitM attacks.
Summary
The US Justice Department and FBI disrupted a network of compromised SOHO routers (TP-Link and MikroTik) used by Russian threat group APT28 (Forest Blizzard/Fancy Bear) for large-scale espionage. The attackers exploited CVE-2023-50224 and modified router DNS/DHCP settings to intercept traffic and harvest credentials, authentication tokens, and browsing data from over 200 organizations and 5,000 consumer devices globally. At peak activity in December 2025, over 18,000 unique IPs across 120 countries communicated with the attacker infrastructure, primarily targeting government agencies and critical infrastructure.
Full text
The US Justice Department and the FBI announced on Tuesday that they have disrupted a network of hacked SOHO routers that Russia used in an espionage operation.

According to US authorities, the attacks have been tied to the threat actor known as APT28, Forest Blizzard, and Fancy Bear, which is widely believed to be backed by Russia’s General Staff Main Intelligence Directorate (GRU).

The hackers targeted vulnerable TP-Link and MikroTik routers, changing their DHCP and DNS settings so that traffic from devices connected to these routers would go through the attackers’ infrastructure. By conducting this adversary-in-the-middle (AitM) attack, the cyberspies captured traffic the victim would assume was encrypted, harvesting passwords, authentication tokens, emails, and web browsing data. However, the AitM attack only worked if users ignored the invalid TLS certificate warnings triggered by the attacker-controlled infrastructure.

According to the FBI, the hackers exploited a known vulnerability tracked as CVE-2023-50224 to take control of TP-Link routers.

“The GRU has indiscriminately compromised a wide pool of U.S. and global victims and then filtered down impacted users, especially targeting information related to military, government, and critical infrastructure,” the agency said.

Microsoft attributed the attack to Forest Blizzard and a subgroup it tracks as Storm-2754. The tech giant reported identifying more than 200 organizations and 5,000 consumer devices impacted by the attack.

Microsoft has shared some technical details on how the attack was carried out:

“Forest Blizzard gained access to SOHO devices then altered their default network configurations to use actor-controlled DNS resolvers. This malicious re-configuration resulted in thousands of devices sending their DNS requests to actor-controlled servers. […] Forest Blizzard is almost certainly using the dnsmasq utility to perform DNS resolution and provide responses while listening on port 53 for DNS queries. The dnsmasq utility is a legitimate tool that provides lightweight network services widely used in home routers or smaller networks. Among its services are DNS forwarding and caching and a DHCP server, which collectively enable upstream DNS query forwarding and IP address assignment on a local network. […] In most cases, the DNS requests appear to have been transparently proxied by the actor’s infrastructure, resulting in connections to the legitimate service endpoints without interruption. However, in a limited number of compromises, the threat actor spoofed DNS responses for specifically targeted domains to force impacted endpoints to connect to infrastructure controlled by the threat actor.”

Microsoft noted that, in addition to harvesting information, such AitM attacks can be used for malware deployment or DoS attacks.

Lumen Technologies, whose Black Lotus Labs has been tracking the campaign as FrostArmada, said the router attacks appear to have started in August 2025, shortly after the UK announced sanctions against Russian hackers and described a campaign named Authentic Antics, in which hackers targeted Microsoft cloud accounts.

“At the peak of activity in December 2025, Lumen detected over 18,000 unique IPs from at least 120 countries communicating with Forest Blizzard’s infrastructure. These operations primarily targeted government agencies—including ministries of foreign affairs, law enforcement, and third-party email providers,” Lumen said.

The company assisted Microsoft and the US authorities in disrupting the infrastructure used in this campaign.
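As an added example (not code from SecurityWeek, Microsoft, Lumen or the NCSC), the following Python script shows two checks a defender can run for the tampering Microsoft describes: it parses the DNS-server option out of a DHCP offer to catch a router that hands out a resolver it should not, and it compares canary-domain answers from the LAN-assigned resolver against a trusted out-of-band resolver to catch the selective spoofing. The allowlist, the DHCP packet bytes, the addresses (documentation ranges) and the DNS records are all constructed for the example.

```python
"""Added example: spotting router-level DHCP/DNS tampering.

Check 1 parses the options section of a DHCP OFFER/ACK and flags any
DNS server (option 6) that is not on the organisation's allowlist.
Check 2 compares A records for canary domains returned by the LAN
resolver with those returned by a trusted resolver; a canary whose
answers share no address has been spoofed. All inputs are constructed.
"""
import ipaddress
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_END = 0, 3, 6, 53, 255


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} from a BOOTP/DHCP packet.

    The fixed BOOTP header is 236 bytes, followed by the magic cookie;
    options are TLV encoded (code, length, value). Option 0 is a single
    pad byte and 255 ends the list (RFC 2132). Repeated options are
    concatenated (RFC 3396).
    """
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    opts = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def addresses(raw: bytes) -> list:
    """Decode an option value that is a list of IPv4 addresses."""
    if len(raw) % 4:
        raise ValueError("address list is not a multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def rogue_resolvers(packet: bytes, allowed: set) -> list:
    """DNS servers handed out in a DHCP OFFER/ACK that are not allowlisted."""
    opts = parse_dhcp_options(packet)
    if OPT_DNS not in opts:
        return []
    return [ip for ip in addresses(opts[OPT_DNS]) if ip not in allowed]


def spoofed_canaries(lan_answers: dict, trusted_answers: dict) -> dict:
    """Canary domains whose LAN-resolver answer shares no address with the
    trusted resolver's answer. Use only domains you control with stable
    records; CDN-hosted names legitimately differ between resolvers."""
    return {name: lan_answers[name] for name, good in trusted_answers.items()
            if name in lan_answers and not (lan_answers[name] & good)}


def build_offer(router: str, dns: list) -> bytes:
    """Constructed DHCP OFFER used as sample input: BOOTP header zeroed
    except op=2 (BOOTREPLY), htype=1, hlen=6, then cookie and options."""
    header = struct.pack("!BBBB", 2, 1, 6, 0) + bytes(232)
    opts = bytes([OPT_MSG_TYPE, 1, 2])  # DHCPOFFER
    opts += bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed
    dns_raw = b"".join(ipaddress.IPv4Address(d).packed for d in dns)
    opts += bytes([OPT_DNS, len(dns_raw)]) + dns_raw + bytes([OPT_END])
    return header + DHCP_MAGIC_COOKIE + opts


# Assumed allowlist: the gateway itself and the corporate resolver.
ALLOWED = {"192.168.1.1", "10.0.0.53"}
# Constructed offer: the router pushes itself plus a foreign resolver
# (203.0.113.7 is a documentation address standing in for actor infrastructure).
SAMPLE_OFFER = build_offer("192.168.1.1", ["192.168.1.1", "203.0.113.7"])
# Constructed canary records (reserved .test names, documentation ranges).
LAN = {"mail.example.test": {"203.0.113.9"}, "www.example.test": {"198.51.100.5"}}
TRUSTED = {"mail.example.test": {"198.51.100.20"}, "www.example.test": {"198.51.100.5"}}

if __name__ == "__main__":
    print("rogue resolvers:", rogue_resolvers(SAMPLE_OFFER, ALLOWED))
    print("spoofed canaries:", spoofed_canaries(LAN, TRUSTED))
```

In practice the DHCP packet comes from a capture of UDP ports 67/68 on the client side, or from the client's lease record. Note the limits: in the transparently proxied case Microsoft describes there is no spoofed record at all, so only the resolver check fires; the canary check only catches the selectively spoofed domains, and it must use names whose records are stable or it will flag ordinary CDN answers.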
The UK’s National Cyber Security Centre (NCSC) has published its own advisory, providing a long list of indicators of compromise (IoCs), including VPS banners, targeted router models, domains, IP addresses associated with attacker infrastructure, and MITRE ATT&CK mapping. The NCSC has also shared recommendations for defending against such attacks.

In early 2024, the FBI announced it had disrupted a SOHO router botnet used by the same Russian threat group.

Written by Eduard Kovacs (@EduardKovacs), senior managing editor at SecurityWeek.
Indicators of Compromise
- cve — CVE-2023-50224
- threat actor — APT28 (Forest Blizzard, Fancy Bear)
- threat actor subgroup — Storm-2754
- campaign — FrostArmada