FBI cuts off APT28 router trap

U.S. authorities have dismantled the domestic arm of a cyber-espionage network that officials say was run by APT28, the Russian military intelligence hacking group also known as Fancy Bear and Forest Blizzard, after it hijacked vulnerable internet routers to redirect traffic, steal credentials and sift victims for higher-value targets. The Justice Department said the FBI used a court-authorised technical operation to identify compromised routers on U.S. soil, collect evidence, sever the hackers’ access and restore the devices to normal operation.

The operation, announced on April 7, was aimed at infrastructure linked to GRU Military Unit 26165, a unit long associated with espionage and political cyber operations in Europe and the United States. Officials said the routers had been turned into part of a malicious Domain Name System hijacking network, allowing the operators to manipulate how web traffic was routed and to position themselves between users and trusted online services. That, in turn, created an opening to capture passwords, authentication tokens, emails and other sensitive information.

What made the campaign notable was its scale and its use of ordinary small-office and home-office equipment rather than headline-grabbing attacks on large corporate systems. The Justice Department said the actors exploited known vulnerabilities to compromise thousands of TP-Link routers worldwide, while British and U.S. government alerts also pointed to MikroTik devices and other edge hardware as part of the wider abuse. Security agencies said the activity was indiscriminate at the outset, with a broad pool of devices compromised first and selected victims filtered later on the basis of intelligence value.

According to the official account, the hackers altered router settings so DNS requests were sent to servers under their control. In many cases, the altered infrastructure quietly passed queries onward, allowing the operators to observe traffic patterns and map networks without alerting the user. For selected targets, however, the operation shifted from passive surveillance to active interception. Fraudulent DNS responses steered victims towards infrastructure mimicking legitimate services, including Microsoft Outlook Web Access, enabling what cyber specialists describe as adversary-in-the-middle attacks.

Microsoft said it had identified more than 200 organisations and 5,000 consumer devices affected by the malicious DNS infrastructure, adding that the campaign touched government, information technology, telecommunications and energy networks. The company said this was the first time it had observed Forest Blizzard using DNS hijacking at scale to support adversary-in-the-middle attacks against Transport Layer Security connections after exploiting edge devices. It also said there was no sign that Microsoft-owned assets or services themselves had been compromised.

Further detail from Lumen Technologies’ Black Lotus Labs suggested the campaign had been evolving for months. Lumen said the earliest activity it tracked began in May 2025 and that the operation broadened sharply in the second half of last year, peaking in December with more than 18,000 moderate-confidence victim IP addresses from at least 120 countries communicating with the actor’s infrastructure. It said many of the apparent targets were foreign ministries, law-enforcement bodies, third-party email providers and other state-linked or strategically relevant entities across North Africa, Central America, Southeast Asia and Europe.

The international dimension was underlined by coordinated warnings from Britain and Germany. Britain’s National Cyber Security Centre said the operation exploited routers to overwrite DHCP and DNS settings, exposing organisations to credential theft, data manipulation and broader compromise. Germany’s domestic intelligence agency said several dozen affected devices had been identified there and tied the campaign to APT28’s continuing espionage activity against state, political and infrastructure targets. Reuters reported that the U.S. takedown involved partners in 15 countries, showing how law enforcement and private-sector threat researchers are increasingly working together against state-linked cyber campaigns.

For governments and businesses, the case is another reminder that cyber risk often sits at the network edge, especially in home-working and hybrid environments where unmanaged routers can become a weak point. U.S. and British officials urged users to change default credentials, disable remote management from the open internet, update firmware and replace end-of-support devices. They also warned users to treat certificate warnings seriously, since the success of interception attacks can depend on a victim clicking through an invalid security prompt.
