Microsoft exposes Russian hacker group hijacking home routers for spying

Microsoft explained that the group changes router settings to secretly collect internet traffic.


Microsoft’s threat intelligence team has revealed how Forest Blizzard, a hacker group linked to the Russian military, has been turning ordinary home and small office routers into spying tools.

In a blog released this week, alongside an FBI operation, Microsoft explained that the group changes router settings to secretly collect internet traffic and hide its attacks behind normal‑looking systems.

Weak internet devices

Since August 2025, Forest Blizzard has been exploiting poorly secured internet-connected devices to hijack DNS traffic, a method that lets them watch larger, more secure networks without breaking directly into company systems.

“By targeting these ‘edge’ devices, hackers can slip into enterprise environments through less protected entry points.”

Microsoft says more than 200 organisations and 5 000 consumer devices have been affected, though none of its own systems were compromised.

Still, the company warns that this marks a serious escalation in how state‑backed hackers use everyday devices to spy and potentially intercept secure communications.

Attacks

According to Microsoft, the group has also used this method to launch “man‑in‑the‑middle” attacks against Microsoft Outlook web connections, allowing them to intercept cloud‑hosted content.

Targets include government, IT, telecoms and energy sectors.

While Russian intelligence has long targeted small office routers, Microsoft notes this is the first time it has seen Forest Blizzard use DNS hijacking at such a large scale to support interception of secure traffic.

Collecting intelligence

According to Microsoft, this approach allows hackers to gain visibility into larger, more hardened environments without directly breaching corporate networks.

“By compromising edge devices upstream of bigger targets, attackers exploit less closely monitored assets to pivot into enterprise systems.

“Researchers say the operation represents a significant escalation in how nation‑state actors weaponise unmanaged devices and could enable larger‑scale interception in the future,” Microsoft said.

Warning

Forest Blizzard, which primarily collects intelligence in support of Russian government foreign policy, has leveraged its DNS hijacking activity to support post‑compromise attacks on Transport Layer Security (TLS) connections.

Microsoft warned that while only a subset of networks were targeted for TLS interception, the group’s broad access could enable larger‑scale attacks.
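The DNS hijacking described above works by pointing clients at attacker-controlled resolvers so that sensitive names resolve to interception hosts. One defensive check is to compare the resolvers a network hands out against an allowlist and to cross-check answers from the local resolver against a trusted out-of-band reference. The following is an added example, not code from Microsoft or from the article; the resolver addresses, domain names and address ranges are constructed placeholders.

```python
"""Spot DNS hijacking of the kind described in the article: a compromised edge
device handing out rogue resolvers, or the local resolver returning answers
that disagree with a trusted reference. All sample data is constructed."""
from ipaddress import ip_address, ip_network

# Assumed allowlist: resolvers the organisation expects its routers to hand out.
ALLOWED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed: answers from the router-assigned resolver vs. a trusted reference
# (for instance a DNS-over-HTTPS resolver queried out of band).
LOCAL_ANSWERS = {
    "mail.example.net": "203.0.113.7",      # divergent: would enable TLS interception
    "login.example.net": "198.51.100.20",
    "intranet.example.net": "198.51.100.30",
}
REFERENCE_ANSWERS = {
    "mail.example.net": "198.51.100.10",
    "login.example.net": "198.51.100.20",
    "intranet.example.net": "198.51.100.30",
}
# Constructed: address blocks the reference records are known to live in.
KNOWN_RANGES = [ip_network("198.51.100.0/24")]


def check_resolvers(configured: set) -> list:
    """Flag any configured resolver that is not on the allowlist."""
    return [f"unexpected resolver {r}" for r in sorted(configured - ALLOWED_RESOLVERS)]


def check_answers(local: dict, reference: dict) -> list:
    """Flag names whose local answer disagrees with the reference, noting when
    the divergent address falls outside the known service ranges."""
    findings = []
    for name, ref_ip in reference.items():
        local_ip = local.get(name)
        if local_ip is None:
            findings.append(f"{name}: missing local answer")
        elif local_ip != ref_ip:
            outside = not any(ip_address(local_ip) in net for net in KNOWN_RANGES)
            note = " (outside known ranges)" if outside else ""
            findings.append(f"{name}: local {local_ip} != reference {ref_ip}{note}")
    return findings


def audit(configured_resolvers: set, local: dict, reference: dict) -> list:
    """Combine both checks into one list of alert strings."""
    return check_resolvers(configured_resolvers) + check_answers(local, reference)


if __name__ == "__main__":
    for finding in audit({"192.0.2.53", "203.0.113.1"}, LOCAL_ANSWERS, REFERENCE_ANSWERS):
        print("ALERT:", finding)
```

In practice the reference answers would come from a resolver reached over an encrypted channel that the edge device cannot redirect, and the resolver list from the DHCP lease or router configuration.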

Microsoft also outlined further mitigation steps and the products in its security suite best placed to address the issues identified in this latest report on Forest Blizzard.
