203/69 Friday, April 10, 2026

A report from Microsoft Threat Intelligence reveals that the hacking group known as Forest Blizzard (also called Fancy Bear) has been conducting large-scale attacks by compromising home and small office (SOHO) routers to build an infrastructure for cyber espionage. This activity has been tracked since August 2025 and has continued to expand over time.
The attackers use DNS hijacking: by altering the compromised routers' Domain Name System (DNS) settings, the service that translates domain names into IP addresses, they redirect users' traffic to attacker-controlled servers and can intercept sensitive data and monitor internet activity without the victims' knowledge. The campaign also leverages the legitimate DNS forwarder dnsmasq to manage the traffic redirection, making the attacks more persistent and harder to detect. Reports indicate that over 5,000 user devices and more than 200 organizations have been affected.
The operation has further evolved into an Adversary-in-the-Middle (AiTM) attack, where attackers position themselves between users and legitimate services to capture sensitive information. This includes emails from services like Microsoft Outlook and data from critical sectors such as energy, information technology, and telecommunications. There are also reports that attackers successfully accessed data from government entities in Africa. This incident highlights the risks associated with insecure home and small office network infrastructure, especially in the era of hybrid and remote work. Organizations are advised to strengthen defenses by implementing measures such as Multi-Factor Authentication (MFA), avoiding insecure network devices, and regularly updating software to prevent attacks and data breaches.
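The report describes the router-side mechanics (altered DNS settings, dnsmasq used to steer resolution) but not how a defender would spot them. The script below is an added example, not code from the report, Microsoft or the dnsmasq project. It runs three offline checks on captured text: the resolvers a host received from its router, a dnsmasq configuration pulled from the router, and A-record answers from the local resolver compared with answers from an independent trusted resolver. The allowlist, sample files and sample answers are constructed for illustration; the 198.51.100.x and 203.0.113.x addresses are documentation ranges, not real infrastructure.

```python
"""Defender-side checks for router DNS hijacking (added example, constructed data)."""
import ipaddress
import re

# Constructed allowlist: resolvers the organisation expects clients to reach.
EXPECTED_RESOLVERS = {"9.9.9.9", "149.112.112.112"}

# RFC 1918 ranges; a resolver here is normally the router's own forwarder.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed /etc/resolv.conf as handed out by a SOHO router via DHCP.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
nameserver 198.51.100.23
"""

# Constructed dnsmasq.conf retrieved from a router for review.
SAMPLE_DNSMASQ_CONF = """\
domain-needed
server=9.9.9.9
server=198.51.100.23
# explicit overrides pin two hostnames to one foreign address
address=/mail.example.com/203.0.113.10
address=/login.example.com/203.0.113.10
"""

# Constructed A-record answers: router resolver vs. a trusted resolver queried
# over an independent path (e.g. DoT/DoH to a known provider).
LOCAL_ANSWERS = {
    "mail.example.com": {"203.0.113.10"},
    "login.example.com": {"203.0.113.10"},
    "www.example.com": {"198.51.100.40", "198.51.100.41"},
}
REFERENCE_ANSWERS = {
    "mail.example.com": {"198.51.100.5"},
    "login.example.com": {"198.51.100.6"},
    "www.example.com": {"198.51.100.41", "198.51.100.42"},
}


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolvers(servers, expected=EXPECTED_RESOLVERS) -> dict:
    """Bucket resolvers into expected, private gateway (router forwarder) and unexpected.

    A private gateway address is not itself an indicator; it means the router's
    upstream configuration must be audited (see audit_dnsmasq_config).
    """
    result = {"expected": [], "gateway": [], "unexpected": []}
    for s in servers:
        ip = ipaddress.ip_address(s)
        if s in expected:
            result["expected"].append(s)
        elif any(ip in net for net in RFC1918):
            result["gateway"].append(s)
        else:
            result["unexpected"].append(s)
    return result


# address=/name[/name...]/ip answers those names locally; server=[/domain/]ip sets upstreams.
_ADDRESS_RE = re.compile(r"^address=/(.+)/([^/\s]+)$")
_SERVER_RE = re.compile(r"^server=(?:/[^/]+/)?(\S+)$")


def audit_dnsmasq_config(text: str, expected=EXPECTED_RESOLVERS) -> dict:
    """List address= overrides and server= upstreams; flag upstreams off the allowlist."""
    overrides, upstreams, unexpected = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := _ADDRESS_RE.match(line):
            overrides.extend((name, m.group(2)) for name in m.group(1).split("/"))
        elif m := _SERVER_RE.match(line):
            upstreams.append(m.group(1))
            if m.group(1) not in expected:
                unexpected.append(m.group(1))
    return {"overrides": overrides, "upstreams": upstreams, "unexpected_upstreams": unexpected}


def divergent_domains(local: dict, reference: dict) -> list[str]:
    """Domains whose local answers share no address with the reference answers.

    Requiring an empty intersection rather than inequality keeps CDN rotation,
    which usually still overlaps between resolvers, from raising alerts.
    """
    return sorted(n for n in local if n in reference and not (local[n] & reference[n]))


if __name__ == "__main__":
    print(classify_resolvers(parse_nameservers(SAMPLE_RESOLV_CONF)))
    print(audit_dnsmasq_config(SAMPLE_DNSMASQ_CONF))
    print(divergent_domains(LOCAL_ANSWERS, REFERENCE_ANSWERS))
```

On the constructed data the first check reports one unexpected resolver, the config audit reports two address= overrides and one off-allowlist upstream, and the answer comparison names the two overridden hosts while leaving www.example.com alone because its answer sets overlap. In practice the reference answers must come over a path the router cannot tamper with (an encrypted resolver reached directly, or a host outside the SOHO network), otherwise both sides of the comparison are under the same influence.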
Source: https://hackread.com/russian-forest-blizzard-hackers-hijack-home-routers/
