A new campaign by Russia-linked threat actor APT28, also known as Forest Blizzard, has been discovered targeting small office/home office routers globally to conduct DNS hijacking attacks on critical infrastructure.
Overview
This campaign marks a significant development in the threat landscape. Security researchers and analysts at TheCyberSecurity.Network have been tracking APT28 (Forest Blizzard / Fancy Bear) closely. The group, attributed to Russia’s GRU military intelligence, has been using compromised SOHO routers as a launchpad to intercept and manipulate DNS queries from government and critical infrastructure organizations.
Technical Details
The attack chain involves:
- Initial access via default/weak credentials on SOHO routers (MikroTik, TP-Link, ASUS)
- Router firmware modification to redirect DNS queries to attacker-controlled resolvers
- Man-in-the-middle positioning to intercept credentials and session tokens
- Lateral movement into target networks via compromised VPN and remote access solutions
Impact Assessment
Severity: Critical
Organizations in government, defense, energy and telecommunications sectors are most at risk. Successful DNS hijacking allows attackers to intercept credentials, redirect users to phishing pages, and maintain persistent access to target networks without detection.
Indicators of Compromise (IOCs)
Security teams should monitor for:
- Unexpected DNS server changes on SOHO routers
- Unusual outbound DNS traffic to non-standard resolvers
- Router admin panel access from unexpected IP ranges
- Certificate errors on normally trusted sites (a sign of man-in-the-middle interception)
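As an added illustration (not code from the original article or from TheCyberSecurity.Network), the script below turns three of the indicators above, and the "monitor DNS query logs for anomalies" mitigation, into concrete checks: resolver drift between two router configuration snapshots, port-53 flows to resolvers outside an allowlist, and router admin logins from outside the management network. Every resolver address, router name, log line and log format is constructed for the example; the allowlists are assumptions a real deployment would replace with its own.

```python
"""Detection checks for SOHO-router DNS hijacking indicators.

All data here is constructed for illustration; resolver addresses, router
names and log formats are assumptions, not values from any real incident.
"""
import ipaddress
import re
from collections import Counter

# Assumption: the organization's sanctioned resolvers and management networks.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
APPROVED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed router config snapshots, e.g. taken from daily config backups.
SNAPSHOT_YESTERDAY = {"rtr-home-01": ["10.0.0.53", "10.0.1.53"],
                      "rtr-home-02": ["10.0.0.53"]}
SNAPSHOT_TODAY = {"rtr-home-01": ["10.0.0.53", "10.0.1.53"],
                  "rtr-home-02": ["198.51.100.7"]}  # silently changed resolver

# Constructed flow log: key=value tokens, one flow per line.
FLOW_LOG = """\
2024-05-01T10:00:01Z src=192.168.1.20 dst=10.0.0.53 dport=53 proto=udp
2024-05-01T10:00:02Z src=192.168.1.21 dst=10.0.0.53 dport=53 proto=udp
2024-05-01T10:00:03Z src=192.168.1.22 dst=198.51.100.7 dport=53 proto=udp
2024-05-01T10:00:04Z src=192.168.1.22 dst=198.51.100.7 dport=53 proto=udp
2024-05-01T10:00:05Z src=192.168.1.23 dst=93.184.216.34 dport=443 proto=tcp
"""

# Constructed router admin-access log.
ADMIN_LOG = """\
2024-05-01T09:58:00Z router=rtr-home-02 event=admin_login src=10.0.5.9 result=ok
2024-05-01T09:59:30Z router=rtr-home-02 event=admin_login src=203.0.113.45 result=ok
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Parse the key=value tokens of one log line into a dict."""
    return dict(KV.findall(line))


def dns_server_drift(previous, current, approved):
    """Routers whose resolver list changed between snapshots.

    The value is the list of newly configured addresses that are not on the
    approved-resolver allowlist (empty if the change was to an approved one).
    """
    return {router: [s for s in servers if s not in approved]
            for router, servers in current.items()
            if servers != previous.get(router)}


def unapproved_dns_destinations(flow_log, approved):
    """Count port-53 flows per destination that is not an approved resolver."""
    counts = Counter()
    for line in flow_log.splitlines():
        flow = parse_kv(line)
        if flow.get("dport") == "53" and flow.get("dst") not in approved:
            counts[flow["dst"]] += 1
    return dict(counts)


def admin_logins_from_outside(admin_log, approved_nets):
    """Router admin logins whose source lies outside approved management nets."""
    hits = []
    for line in admin_log.splitlines():
        event = parse_kv(line)
        if event.get("event") != "admin_login":
            continue
        src = ipaddress.ip_address(event["src"])
        if not any(src in net for net in approved_nets):
            hits.append((event["router"], event["src"]))
    return hits


if __name__ == "__main__":
    print("resolver drift:",
          dns_server_drift(SNAPSHOT_YESTERDAY, SNAPSHOT_TODAY, APPROVED_RESOLVERS))
    print("unapproved DNS destinations:",
          unapproved_dns_destinations(FLOW_LOG, APPROVED_RESOLVERS))
    print("admin logins from outside:",
          admin_logins_from_outside(ADMIN_LOG, APPROVED_ADMIN_NETS))
```

In practice the snapshot comparison runs against each router's exported configuration, the flow check against firewall or NetFlow exports, and the admin-login check against router syslog; a hit on the first two together (resolver changed and clients now querying that address) is the pattern the attack chain above would produce.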
Recommended Mitigations
- Change all default router credentials immediately
- Update router firmware to the latest version
- Disable remote management unless absolutely necessary
- Implement DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) so that resolver traffic is encrypted and authenticated rather than redirectable in the clear
- Monitor DNS query logs for anomalies
- Segment SOHO routers from critical network infrastructure
References
- CISA Advisory AA23-203A
- Microsoft Threat Intelligence Blog — Forest Blizzard
- NIST NVD Database
Written by Tarang Parmar (CEH) — TheCyberSecurity.Network. Read time: 6 min.