Forest Blizzard, a threat actor linked to the Russian military, has been compromising insecure home and small-office Internet equipment like routers, then modifying their settings in ways that turn them into part of the actor’s malicious infrastructure.

The threat actor then hides behind this legitimate but compromised infrastructure to spy on additional targets or conduct follow-on attacks, according to Microsoft Threat Intelligence.

Since at least August 2025, Forest Blizzard has been exploiting vulnerable SOHO internet devices to hijack DNS traffic, enabling passive collection of network data while concealing follow-on operations behind legitimate infrastructure.

According to Microsoft Threat Intelligence, this lets the actor gain visibility into larger, more hardened environments without directly breaching corporate networks.
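A defender-side check for the DNS hijacking pattern described above, added here as an example and not taken from Microsoft's report: it compares answers from the router-supplied resolver with a trusted reference resolver and flags when several unrelated hostnames collapse onto one address, the signature of traffic being steered to a single interception point. The observations, hostnames and addresses are constructed placeholders.

```python
"""Detect DNS hijacking consistent with an AiTM setup: compare answers from the
local (router-provided) resolver against a trusted reference resolver, and flag
when many unrelated domains resolve to the same address via the local resolver."""
from collections import Counter

# Constructed sample observations (placeholder data, not real indicators):
# hostname -> (answer from router's resolver, answer from trusted reference resolver)
SAMPLE_OBSERVATIONS = {
    "mail.example.com":  ("198.51.100.7", "203.0.113.10"),
    "login.example.org": ("198.51.100.7", "203.0.113.22"),
    "sso.example.net":   ("198.51.100.7", "203.0.113.35"),
    "cdn.example.com":   ("203.0.113.50", "203.0.113.50"),
    "ntp.example.org":   ("203.0.113.61", "203.0.113.61"),
}


def find_divergent(observations):
    """Return hostnames whose router-supplied answer differs from the reference."""
    return sorted(host for host, (local, ref) in observations.items() if local != ref)


def find_convergence(observations, threshold=3):
    """Return addresses that at least `threshold` divergent hostnames resolve to
    via the router. Unrelated hostnames collapsing onto one address is a much
    stronger signal than a single differing answer (CDNs legitimately vary)."""
    counts = Counter(local for local, ref in observations.values() if local != ref)
    return {addr: n for addr, n in counts.items() if n >= threshold}


def assess(observations, threshold=3):
    """Combine both checks into a verdict a responder can act on."""
    divergent = find_divergent(observations)
    convergent = find_convergence(observations, threshold)
    if convergent:
        verdict = "likely DNS hijack: multiple hosts redirected to one address"
    elif divergent:
        verdict = "divergent answers: review (geo/CDN answers can differ legitimately)"
    else:
        verdict = "no divergence between local and reference resolver"
    return {"divergent": divergent, "convergent": convergent, "verdict": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE_OBSERVATIONS))
```

In practice the two answer sets would be gathered by querying the router's resolver and an independent DoH or DoT resolver for the same hostnames; a confirmed convergence should prompt checking the device's DNS settings and firmware.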

Microsoft has identified more than 200 organisations and 5,000 consumer devices impacted by Forest Blizzard’s infiltration, whether by edge router compromise, DNS hijacking or adversary-in-the-middle (AiTM) attacks.

While the number of organisations specifically targeted for TLS AiTM is only a subset of the networks with vulnerable SOHO devices, Microsoft Threat Intelligence assesses that the threat actor’s broad access could enable larger-scale AiTM attacks, which might include active traffic interception.

Targeting SOHO devices is not a new tactic, technique, or procedure (TTP) for Russian military intelligence actors, but this is the first time Microsoft has observed Forest Blizzard using DNS hijacking at scale to support AiTM of TLS connections after exploiting edge devices.