In a nutshell: Targeting insecure routers in personal or small office / home office (SOHO) environments is nothing new, and several hacking groups now rely on the technique to carry out a range of malicious activities. According to Microsoft, a recently discovered campaign goes beyond simple device exploitation and reaches into Microsoft's own widely used cloud services.
A notorious team of Russian spies is once again targeting internet-facing devices to advance its operations. Microsoft warned that Forest Blizzard, a Kremlin-sponsored hacking group also tracked as Storm-2754 and Fancy Bear, has spent the past few months compromising thousands of personal and SOHO routers. Once the group controlled an insecure device, it used that foothold as a stepping stone for the attacks described below.
According to a recent report from Microsoft's Threat Intelligence team, this espionage campaign has been active since at least August 2025. Forest Blizzard carried out large-scale attacks on thousands of SOHO and personal routers, affecting more than 200 organizations and 5,000 consumer devices. The campaign's primary tactic was to alter the routers' DNS settings so that the devices forwarded name lookups to attacker-controlled resolvers. Because a router's DNS configuration survives reboots and client devices simply inherit whatever resolver the router hands them, the change gave the hackers a persistent foothold and visibility into every DNS query from the network behind it.
Microsoft analysts explained that Forest Blizzard primarily used the hijacked routers to funnel DNS traffic through its own malicious resolvers. With lookups under their control, the operators could answer queries for Microsoft 365 domains with addresses of servers they ran, staging what Microsoft calls adversary-in-the-middle (AiTM) attacks, its preferred term for man-in-the-middle, against those domains.
The servers those forged answers pointed to presented TLS certificates that were not valid for the Microsoft domains, and unsuspecting victims often dismissed the resulting browser warning as a routine connection error. A user who clicked through completed the TLS handshake with the attacker's host instead of Microsoft's, so the adversary terminated the encrypted session, read the traffic in plaintext, and relayed it onward to the real service. From that position the hackers could harvest potentially valuable Microsoft 365 data, including credentials and session material.
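The two signals that the campaign described above leaves on a client behind a hijacked router can both be checked from an endpoint. As an added example that is not part of the article or of Microsoft's report, the script below compares Microsoft 365 answers obtained through the router with answers from a trusted resolver queried directly, and then confirms any divergence by connecting to the router-supplied address with normal certificate validation turned on, the check the victims effectively skipped when they dismissed the warning. The sample DNS answers are constructed, the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation placeholders, and `fake_verify` is an offline stand-in for the live TLS check; only the Microsoft hostnames are real.

```python
"""Added example: detect SOHO-router DNS hijacking aimed at Microsoft 365.

Signal 1: Microsoft 365 names resolve differently through the router than
          through a trusted resolver reached directly (bypassing the router).
Signal 2: Connecting to the router-supplied address with normal certificate
          validation fails, because the adversary-in-the-middle host presents
          a certificate no public CA issued for that name.

All sample data below is constructed; 203.0.113.x and 198.51.100.x are
documentation placeholder ranges, not real infrastructure.
"""
import socket
import ssl

# Microsoft 365 endpoints worth checking (real hostnames).
M365_DOMAINS = ("login.microsoftonline.com", "outlook.office365.com")


def divergent_answers(via_router, via_trusted):
    """Return domains whose router-supplied A records share no address with
    the trusted resolver's answers.

    A CDN may legitimately hand different resolvers different addresses, so a
    hit here is a lead, not proof; triage() confirms it with a TLS check."""
    findings = {}
    for name in M365_DOMAINS:
        r = set(via_router.get(name, ()))
        t = set(via_trusted.get(name, ()))
        if r and not (r & t):
            findings[name] = {"router": sorted(r), "trusted": sorted(t)}
    return findings


def tls_verifies(ip, hostname, timeout=5.0):
    """Connect to ip on 443, send hostname in SNI, and validate the chain
    against the system trust store. On a hijacked path this raises
    ssl.SSLCertVerificationError, the error the browser warning represents.
    Requires network access; not exercised in the offline sample run."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname):
                return True
    except ssl.SSLCertVerificationError:
        return False


def triage(via_router, via_trusted, verify=None):
    """Combine both signals. `verify` is a callable(ip, hostname) -> bool so
    the logic can run offline with a stub; it defaults to tls_verifies()."""
    verify = verify or tls_verifies
    report = {}
    for name, answers in divergent_answers(via_router, via_trusted).items():
        # If every router-supplied address fails real validation for this
        # name, the divergence is not a CDN artefact: something in the path
        # is terminating TLS under a certificate it should not have.
        confirmed = all(not verify(ip, name) for ip in answers["router"])
        report[name] = {**answers, "hijack_confirmed": confirmed}
    return report


# Constructed sample: the router forwards to attacker resolvers and returns a
# 203.0.113.x host for the sign-in domain, while the mail endpoint is left
# alone. The trusted resolver was queried directly, bypassing the router.
SAMPLE_VIA_ROUTER = {
    "login.microsoftonline.com": ["203.0.113.10"],
    "outlook.office365.com": ["198.51.100.20"],
}
SAMPLE_VIA_TRUSTED = {
    "login.microsoftonline.com": ["198.51.100.5", "198.51.100.6"],
    "outlook.office365.com": ["198.51.100.20"],
}


def fake_verify(ip, hostname):
    """Offline stand-in for tls_verifies(): the placeholder attacker range
    fails validation, every other address passes."""
    return not ip.startswith("203.0.113.")


if __name__ == "__main__":
    for name, result in triage(SAMPLE_VIA_ROUTER, SAMPLE_VIA_TRUSTED, fake_verify).items():
        print(name, result)
```

To run this against a real network, populate `via_router` from the resolver the router advertises over DHCP and `via_trusted` from a resolver you reach directly (for example over DNS-over-HTTPS, which the router's forwarder cannot rewrite), then drop the `fake_verify` argument so `tls_verifies()` performs the live check. Note that the hijack does not change the resolver address clients see, since the router still hands out itself as DNS; it is the answers, not the resolver list, that reveal the tampering.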
A successful MitM/AiTM attack could hand Forest Blizzard sensitive account data, compromising major organizations and feeding its follow-on campaigns. Microsoft's report frames the stolen accounts as a means to further intrusion; the article's author adds that the Kremlin-backed hackers could also use that access to deploy malware or carry out disruptive denial-of-service attacks.
Microsoft's report provides a detailed list of mitigation procedures for both enterprise organizations and end users. Windows now includes several endpoint measures designed to curb DNS hijacking attempts, including Zero Trust DNS and specific protections within Microsoft Defender.
Microsoft Defender is expected to detect Forest Blizzard / Storm-2754 activity and alert users accordingly. Enterprise organizations can also enforce Entra ID Protection and multi-factor authentication to minimize risk, ideally with phishing-resistant methods such as FIDO2 security keys or Windows Hello for Business, since an AiTM proxy sitting between the user and Microsoft 365 can relay a one-time code or push approval and capture the resulting session token. Finally, companies should avoid using, or allowing, home routers in corporate environments. Hybrid or remote work setups should always operate through a centralized identity management platform.
