'This puts organizations at risk of credential theft, data manipulation and broader compromise': UK government, Microsoft warn Russian hackers are hitting TP-Link home routers to hijack internet traffic | TechRadar


SOHO endpoints are being used as gateways into corporate environments


  • Forest Blizzard (APT28) hijacks SOHO devices for espionage
  • Attackers reroute DNS traffic to enable surveillance and AiTM attacks
  • Campaign impacts 200+ organizations across government, IT, telecom, and energy sectors

Russian state-sponsored threat actors are targeting poorly protected Small Office/Home Office (SOHO) devices and using them to pivot into enterprise and corporate environments, experts have claimed.

A report from Microsoft Threat Intelligence has warned about a large-scale attack by Forest Blizzard (AKA APT28) targeting TP-Link routers.

So far, more than 200 organizations and more than 5,000 consumer devices have been impacted by the attack, Microsoft said, noting the group is mostly interested in cyber-espionage and intelligence gathering.


The campaign apparently started in August 2025, and instead of targeting corporate networks directly, Forest Blizzard focused on edge devices such as home routers, which often lack strong security controls and oversight present in enterprise environments.

Microsoft did not explicitly say how the attackers break into these endpoints, but suggests the devices might have default or easy-to-crack passwords, or known but unpatched vulnerabilities that can easily be exploited.

Once inside, they change the devices’ configuration to route Domain Name System (DNS) traffic through infrastructure they control, allowing them to monitor, and even influence, how infected devices resolve domain names.

By operating at this upstream level, APT28 gained broad visibility into network activity across both consumer and enterprise environments. This not only allows them to conduct passive surveillance at scale but also prepares the terrain for more targeted follow-on attacks against organizations of higher value.

DNS acts like the internet’s address book. So, instead of sending requests to legitimate DNS servers, compromised devices are actually being redirected to servers under the attackers’ control. In more targeted cases, the threat actors would manipulate DNS responses to redirect victims to fake versions of legitimate services, resulting in what’s known as an Adversary-in-the-Middle (AiTM) attack.

This, in turn, allows APT28’s operatives to intercept data as it moves between the user and the real service.


Russian hackers are interested in cyber-espionage and intelligence gathering. (Image credit: Shutterstock)

The campaign affects a wide range of sectors, Microsoft stressed, including government agencies, information technology, telecommunications, and energy. While thousands of home and small office devices were compromised, Forest Blizzard appears to use the most intrusive follow-on attacks selectively, focusing on high-value targets.

They use AiTM attacks to intercept emails and cloud data, but the sheer number of compromised devices gives them a lot of room to maneuver, possibly for larger-scale campaigns in the future.

“While the number of organizations specifically targeted for TLS AiTM is only a subset of the networks with vulnerable SOHO devices, Microsoft Threat Intelligence assesses that the threat actor’s broad access could enable larger-scale AiTM attacks, which might include active traffic interception,” Microsoft warned.

“Targeting SOHO devices is not a new tactic, technique, or procedure (TTP) for Russian military intelligence actors, but this is the first time Microsoft has observed Forest Blizzard using DNS hijacking at scale to support AiTM of TLS connections after exploiting edge devices.”

To defend against DNS hijacking, Microsoft advises organizations to enforce trusted DNS servers, block malicious domains, maintain DNS logs, and avoid SOHO devices in corporate networks.
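The DNS-hijacking mechanism described above (a compromised router steering clients to attacker-controlled resolvers, which then answer for legitimate services with attacker addresses) and the advice to enforce trusted resolvers and keep DNS logs suggest a simple audit. The following is an added example, not code from Microsoft or TechRadar: it runs two checks over constructed DNS log lines, flagging clients that query any resolver outside an assumed trusted set and answers for monitored domains that fall outside their assumed expected address ranges. All addresses, domains and log lines are constructed sample data.

```python
"""Audit DNS egress for signs of upstream resolver hijacking.

Check 1: a client sending DNS queries to a resolver outside the trusted set
         (what a hijacked SOHO router does on the clients' behalf).
Check 2: an answer for a monitored domain outside its expected ranges
         (the precondition for the AiTM redirection the article describes).
All values below are constructed for this example.
"""
import ipaddress
from collections import defaultdict

TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}  # assumed corporate resolvers

# Assumed expected address ranges for services worth watching (example only).
EXPECTED_ANSWERS = {
    "mail.example.com": [ipaddress.ip_network("203.0.113.0/24")],
    "sso.example.com": [ipaddress.ip_network("198.51.100.0/25")],
}

# Constructed log lines: "<client> <resolver> <qname> <answer>"
SAMPLE_LOG = """\
10.0.5.21 10.0.0.53 mail.example.com 203.0.113.10
10.0.5.22 192.0.2.44 mail.example.com 192.0.2.99
10.0.5.23 10.0.0.53 sso.example.com 198.51.100.7
10.0.5.22 192.0.2.44 sso.example.com 192.0.2.98
10.0.5.24 10.0.1.53 www.example.org 203.0.113.200
"""


def parse_line(line):
    """Split one log line into (client, resolver, normalized qname, answer IP)."""
    client, resolver, qname, answer = line.split()
    return client, resolver, qname.lower().rstrip("."), ipaddress.ip_address(answer)


def audit(log_text):
    """Return {client: [(finding_type, detail), ...]} for clients with issues."""
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        client, resolver, qname, answer = parse_line(raw)
        if resolver not in TRUSTED_RESOLVERS:
            findings[client].append(("untrusted_resolver", resolver))
        ranges = EXPECTED_ANSWERS.get(qname)
        if ranges and not any(answer in net for net in ranges):
            findings[client].append(("unexpected_answer", f"{qname}->{answer}"))
    return dict(findings)


if __name__ == "__main__":
    for client, issues in audit(SAMPLE_LOG).items():
        print(client, issues)
```

In the sample, only client 10.0.5.22 is flagged: it talks to an untrusted resolver and receives out-of-range answers for both monitored names.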

For AiTM and credential theft, they recommend centralizing identity management, enabling Single Sign-On, enforcing multifactor authentication (MFA) and passkeys, applying Conditional Access policies, and monitoring risky sign-ins with continuous access evaluation. Organizations should log identity activity, protect privileged accounts with phishing-resistant MFA, and follow Microsoft’s incident response best practices for recovering from systemic identity compromises. Network protection via Microsoft Defender for Endpoint is also recommended to block malicious sites.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.


TechRadar is part of Future US Inc, an international media group and leading digital publisher.

© Future US, Inc. Full 7th Floor, 130 West 42nd Street, New York, NY 10036.
