Russian Hackers Target Home Routers to Infiltrate Corporate Networks

UK government and Microsoft warn of widespread DNS hijacking campaign by APT28 group

Apr. 8, 2026 at 10:24am

[Image: illustration of a TP-Link router. Caption: Cybersecurity experts warn of a large-scale campaign by Russian state-sponsored hackers targeting vulnerable home routers to infiltrate corporate networks. Credit: NYC Today]

Russian state-sponsored threat actors are targeting poorly protected Small Office/Home Office (SOHO) devices, such as TP-Link routers, and using them to pivot into enterprise and corporate environments, according to a report from Microsoft Threat Intelligence. The campaign, attributed to the Forest Blizzard (APT28) group, has impacted over 200 organizations across government, IT, telecom, and energy sectors by hijacking DNS traffic to enable surveillance and Adversary-in-the-Middle (AiTM) attacks.

Why it matters

This campaign highlights the growing threat posed by vulnerable SOHO devices, which often lack the strong security controls and oversight present in enterprise environments. By compromising these edge devices, the Russian hackers have gained broad visibility into network activity across both consumer and enterprise environments, allowing them to conduct passive surveillance at scale and lay the groundwork for more targeted follow-on attacks against high-value organizations.

The details

The campaign apparently started in August 2025, and instead of targeting corporate networks directly, Forest Blizzard focused on home routers, which often have default or easy-to-crack passwords or known but unpatched vulnerabilities. Once inside, the attackers change the router's Domain Name System (DNS) settings so that queries from every device behind it are forwarded to resolvers the attackers control, allowing them to monitor, and even alter, how those devices resolve domain names. Because a hijacked resolver can answer a query with the address of an attacker-run proxy instead of the real service, the threat actors can intercept data as it moves between the user and that service, potentially capturing sensitive information like login credentials and emails.

  • The campaign started in August 2025.
  • So far, more than 200 organizations and more than 5,000 consumer devices have been impacted.

The players

Forest Blizzard

Also known as APT28, a Russian state-sponsored threat group primarily interested in cyber-espionage and intelligence gathering.

Microsoft Threat Intelligence

A team of security researchers and analysts that published a report warning about the large-scale attack by Forest Blizzard targeting TP-Link routers.


What’s next

Organizations are advised to take the following steps.

Network protection:

  • Enforce trusted DNS servers.
  • Block malicious domains.
  • Maintain DNS logs.
  • Avoid SOHO devices in corporate networks.

Identity protection:

  • Centralize identity management.
  • Enable Single Sign-On.
  • Enforce multifactor authentication.
  • Apply Conditional Access policies.
  • Monitor risky sign-ins with continuous access evaluation.
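The hijack described under "The details" and the DNS controls recommended above (trusted resolvers plus DNS logging) can be turned into a concrete check. The script below is an added example, not code from the Microsoft report or from the article: it runs over DNS query logs and flags the two things a hijacked upstream router produces on the wire, clients whose queries are answered by a resolver outside the approved set, and answers for sensitive domains that land outside the address ranges those services are known to use. The log layout, the resolver addresses, the domain-to-range mapping and the sample records are all constructed for the example (documentation IP ranges); substitute your own.

```python
"""
dns_egress_audit.py (added example, not part of the original article)

Flags two indicators of DNS hijacking in a constructed, tab-separated,
Zeek-style query log:

    ts  client_ip  resolver_ip  qname  answers (comma-separated)

1. untrusted_resolver: the query was answered by a resolver that is not
   one of the organisation's approved servers.
2. unexpected_answer:  a pinned domain resolved to an address outside the
   prefixes the legitimate service publishes (an AiTM proxy indicator).
"""
import ipaddress
from dataclasses import dataclass

# Assumed policy values for this example; replace with your own.
TRUSTED_RESOLVERS = {
    ipaddress.ip_address("10.0.0.53"),
    ipaddress.ip_address("10.0.0.54"),
}

# Domains whose answers are worth pinning, mapped to the prefixes the
# real service uses. Constructed values using documentation ranges.
EXPECTED_RANGES = {
    "login.example.com": [ipaddress.ip_network("203.0.113.0/24")],
    "mail.example.com": [ipaddress.ip_network("203.0.113.0/24")],
}


@dataclass(frozen=True)
class Finding:
    client: str
    kind: str    # "untrusted_resolver" or "unexpected_answer"
    detail: str


def parse_line(line):
    """Split one log record into typed fields; qname is normalised."""
    ts, client, resolver, qname, answers = line.rstrip("\n").split("\t")
    return {
        "ts": ts,
        "client": ipaddress.ip_address(client),
        "resolver": ipaddress.ip_address(resolver),
        "qname": qname.lower().rstrip("."),
        "answers": [ipaddress.ip_address(a) for a in answers.split(",") if a],
    }


def audit(lines):
    """Return a Finding for every untrusted resolver or off-range answer."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec["resolver"] not in TRUSTED_RESOLVERS:
            findings.append(Finding(
                str(rec["client"]), "untrusted_resolver",
                f"{rec['qname']} resolved via {rec['resolver']}"))
        ranges = EXPECTED_RANGES.get(rec["qname"])
        if ranges:
            for addr in rec["answers"]:
                # Version mismatch (v6 answer, v4 range) is simply "not in".
                if not any(addr in net for net in ranges):
                    findings.append(Finding(
                        str(rec["client"]), "unexpected_answer",
                        f"{rec['qname']} -> {addr} (outside published ranges)"))
    return findings


# Constructed sample: host 10.0.7.41 sits behind a router whose DNS
# setting was changed to an outside resolver, 198.51.100.7, which hands
# back 192.0.2.66 for the login portal instead of a 203.0.113.0/24 address.
SAMPLE_LOG = [
    "2025-09-14T08:12:03Z\t10.0.4.23\t10.0.0.53\tlogin.example.com\t203.0.113.10",
    "2025-09-14T08:12:05Z\t10.0.4.23\t10.0.0.54\tmail.example.com\t203.0.113.25",
    "2025-09-14T08:13:41Z\t10.0.7.41\t198.51.100.7\tlogin.example.com\t192.0.2.66",
    "2025-09-14T08:13:42Z\t10.0.7.41\t198.51.100.7\tupdates.example.net\t198.51.100.20",
    "2025-09-14T08:14:09Z\t10.0.4.23\t10.0.0.53\tlogin.example.com\t203.0.113.11",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.client}\t{f.kind}\t{f.detail}")
```

The first indicator is the reliable one: if DNS egress is restricted to the approved resolvers at the firewall, any query seen going elsewhere is either a misconfigured host or a device whose upstream has been changed, and both deserve a ticket. The answer-range check is a heuristic, since services move between prefixes and CDN ranges change; keep the mapping narrow (identity and mail endpoints) and refresh it from the provider's published ranges rather than treating a single mismatch as proof of an AiTM proxy.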

The takeaway

This campaign highlights the growing threat posed by vulnerable SOHO devices and the need for organizations to prioritize robust security measures, including network protection, identity management, and incident response best practices, to defend against sophisticated state-sponsored cyber threats.