
    From TechnologyDaily@1337:1/100 to All on Wed Apr 8 11:30:30 2026
    'This puts organizations at risk of credential theft, data manipulation and broader compromise': UK government, Microsoft warn Russian hackers are
    hitting TP-Link home routers to hijack internet traffic

    Date:
    Wed, 08 Apr 2026 10:24:24 +0000

    Description:
    SOHO endpoints are being used as gateways into corporate environments, where credentials and sensitive data gets harvested.

    FULL STORY ======================================================================

    - Forest Blizzard (APT28) hijacks SOHO devices for espionage
    - Attackers reroute DNS traffic to enable surveillance and AiTM attacks
    - Campaign impacts 200+ organizations across government, IT, telecom, and energy sectors

    Russian state-sponsored threat actors are targeting poorly protected Small Office/Home Office (SOHO) devices and using them to pivot
    into enterprise and corporate environments, experts have claimed.

    A report from Microsoft Threat Intelligence has warned about a large-scale attack by Forest Blizzard (AKA APT28) targeting TP-Link routers. So far, more than 200 organizations and more than 5,000 consumer devices have been
    impacted by the attack, Microsoft said, noting the group is mostly interested in cyber-espionage and intelligence gathering.

    What happened?

    The campaign apparently started in August 2025. Instead of targeting corporate networks directly, Forest Blizzard focused on edge devices such as home routers, which often
    lack the strong security controls and oversight present in enterprise environments.

    Microsoft did not explicitly say how the attackers break into these endpoints, but suggests the devices may have had default or easy-to-guess passwords, or known but unpatched vulnerabilities that are easy to exploit.

    Once inside, they change the device's configuration to route Domain Name
    System (DNS) traffic through infrastructure they control, allowing them to monitor, and even influence, how infected devices resolve domain names.

    By operating at this upstream level, APT28 gained broad visibility into network activity across both consumer and enterprise environments. This not only allows them to conduct passive surveillance at scale but also prepares the terrain for more targeted follow-on attacks against organizations of higher value.

    DNS acts like the internet's address book. Instead of sending requests to legitimate DNS servers, compromised devices are being redirected to servers under the attackers' control. In more targeted cases, the threat actors manipulate DNS responses to redirect victims to fake versions of legitimate services, resulting in what's known as an Adversary-in-the-Middle (AitM) attack.

    This, in turn, allows APT28's operatives to intercept data as it moves between the user and the real service.

    If the victim ignores browser warnings about invalid security certificates (which, truth be told, many of us often do), the attackers may be able to capture sensitive information, including login credentials and emails.

    Who is targeted?

    The campaign affects a wide range of sectors, Microsoft stressed, including government agencies, information technology, telecommunications, and energy. While thousands of home and small office devices were compromised, Forest Blizzard appears to use the most intrusive follow-on attacks selectively, focusing on high-value targets.

    They use AitM attacks to intercept emails and cloud data, but the sheer
    number of compromised devices gives them a lot of maneuver space for possibly larger-scale campaigns in the future.

    "While the number of organizations specifically targeted for TLS AiTM is only
    a subset of the networks with vulnerable SOHO devices, Microsoft Threat Intelligence assesses that the threat actors' broad access could enable larger-scale AiTM attacks, which might include active traffic interception," Microsoft warned.

    Targeting SOHO devices is not a new tactic, technique, or procedure (TTP) for Russian military intelligence actors, but this is the first time Microsoft
    has observed Forest Blizzard using DNS hijacking at scale to support AiTM of TLS connections after exploiting edge devices.

    To defend against DNS hijacking, Microsoft advises organizations enforce trusted DNS servers, block malicious domains, maintain DNS logs, and avoid SOHO devices in corporate networks.
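    The two DNS-side defenses above (enforce trusted resolvers, keep DNS logs) translate directly into a detection: any client whose port-53 traffic leaves for a resolver outside the allow list has had its resolver settings changed upstream, and any monitored service name that resolves to an address outside its known range is the redirect that precedes the TLS AiTM the article describes. The script below is an added example, not code from the article, TechRadar or Microsoft. The resolver allow list, the expected address ranges (RFC 5737 documentation space), the key=value log format and the log lines themselves are all constructed assumptions for the demonstration.

```python
"""Added example: flag DNS-hijacking and AiTM indicators in DNS/firewall logs.

Two checks that follow from the mitigation advice above:
  1. clients sending DNS (port 53) to a resolver outside the enforced allow list
  2. answers for monitored domains that fall outside their expected address ranges
The allow list, the expected ranges and the log lines are constructed
assumptions for this example; they are not from the article or from Microsoft.
"""
import ipaddress
import re
from collections import defaultdict

# Assumption: the resolvers the organization enforces for all internal clients.
TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Assumption: monitored services and the address ranges their legitimate
# records should resolve into (RFC 5737 documentation ranges used here).
EXPECTED_RANGES = {
    "login.example.com": [ipaddress.ip_network("203.0.113.0/24")],
    "mail.example.com": [ipaddress.ip_network("198.51.100.0/25")],
}

# Constructed sample log lines (key=value per field), not real telemetry.
SAMPLE_LOGS = """\
ts=2026-04-08T09:00:01Z src=192.168.1.20 dst=10.0.0.53 dport=53 qname=login.example.com answer=203.0.113.10
ts=2026-04-08T09:00:05Z src=192.168.1.21 dst=192.0.2.44 dport=53 qname=login.example.com answer=192.0.2.99
ts=2026-04-08T09:00:07Z src=192.168.1.21 dst=192.0.2.44 dport=53 qname=mail.example.com answer=192.0.2.100
ts=2026-04-08T09:00:09Z src=192.168.1.22 dst=10.0.1.53 dport=53 qname=mail.example.com answer=198.51.100.7
ts=2026-04-08T09:00:12Z src=192.168.1.23 dst=192.0.2.44 dport=53 qname=www.example.org answer=192.0.2.101
ts=2026-04-08T09:00:15Z src=192.168.1.24 dst=10.0.0.53 dport=443 qname=- answer=-
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict; returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    return dict(_KV.findall(line))


def is_expected_answer(qname, answer):
    """True if qname is unmonitored, or the answer sits in one of its expected ranges."""
    ranges = EXPECTED_RANGES.get(qname.lower())
    if ranges is None:
        return True
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return False  # a non-address answer for a monitored name is itself suspicious
    return any(addr in net for net in ranges)


def analyze(log_text):
    """Run both checks over the log text and return structured findings."""
    untrusted = defaultdict(set)   # src -> set of untrusted resolvers it used
    unexpected = []                # (src, qname, answer) triples
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec.get("dport") != "53":
            continue  # only DNS traffic is relevant to these checks
        src, dst = rec["src"], rec["dst"]
        if dst not in TRUSTED_RESOLVERS:
            untrusted[src].add(dst)
        if not is_expected_answer(rec.get("qname", "-"), rec.get("answer", "-")):
            unexpected.append((src, rec["qname"], rec["answer"]))
    # A host that both talks to a rogue resolver and receives wrong answers for
    # a monitored service matches the pattern the article describes: a DNS
    # hijack feeding a TLS adversary-in-the-middle.
    aitm_candidates = sorted({src for src, _, _ in unexpected if src in untrusted})
    return {
        "untrusted_resolvers": dict(untrusted),
        "unexpected_answers": unexpected,
        "aitm_candidates": aitm_candidates,
    }


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOGS)
    for host, resolvers in findings["untrusted_resolvers"].items():
        print(f"{host}: DNS sent to untrusted resolver(s) {sorted(resolvers)}")
    for src, qname, answer in findings["unexpected_answers"]:
        print(f"{src}: {qname} resolved to {answer}, outside expected ranges")
    print("AiTM candidates:", findings["aitm_candidates"])
```

    On the constructed input, 192.168.1.21 trips both checks and is reported as the AiTM candidate; 192.168.1.23 only uses the rogue resolver, which on a real network is still enough to justify pulling the router's configuration. The second check only works if the expected ranges are kept current, so in practice they should be generated from the service owner's published records rather than hand-maintained.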

    For AiTM and credential theft, they recommend centralizing identity management, enabling Single Sign-On, enforcing multifactor authentication (MFA) and passkeys, applying Conditional Access policies, and monitoring
    risky sign-ins with continuous access evaluation. Organizations should log identity activity, protect privileged accounts with phishing-resistant MFA, and follow Microsoft's incident response best practices for recovering from systemic identity compromises. Network protection via Microsoft Defender for Endpoint is also recommended to block malicious sites.




    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/this-puts-organizations-at-risk-of-credential-theft-data-manipulation-and-broader-compromise-uk-government-microsoft-warn-russian-hackers-are-hitting-tp-link-home-routers-to-hijack-internet-traffic


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)