April 23, 2026
The article reports that Microsoft and Lumen researchers have linked a broad cyber-espionage campaign to Russia’s APT28, also known as Forest Blizzard, which has been harvesting credentials by compromising vulnerable SOHO routers rather than deploying conventional malware. According to the piece, the group targeted older flaws in Internet-exposed devices — especially MikroTik and TP-Link routers, and in some cases Nethesis and Fortinet products — then altered DNS settings so Web traffic would pass through attacker-controlled virtual private servers. This let the operators intercept login flows for services such as Outlook on the Web and quietly steal credentials from government, law-enforcement, critical-infrastructure, and service-provider targets across multiple regions, including organizations in North Africa, Central America, Southeast Asia, Europe, and 23 US states. The article stresses that the campaign has been both wide-reaching and unusually stealthy because the compromise often involved no malware at all, only a malicious DNS change on the router.
The piece also frames the operation as an example of how low-cost, unsophisticated tradecraft can still produce strategic espionage value. It notes that US authorities announced a court-authorized disruption effort, Operation Masquerade, on April 7, 2026, but also makes clear that the campaign was global in scope, peaking in December 2025 with 18,000 IP addresses in at least 120 countries contacting attacker infrastructure, while Microsoft identified more than 200 impacted organizations and over 5,000 consumer devices. Dark Reading highlights researchers’ concern that the deeper issue is not just poor router hygiene, but the fragility of DNS trust itself: users and organizations rely on DNS automatically, and when attackers tamper with it in the background, the compromise can be difficult to detect or assign responsibility for. The article’s broader conclusion is that APT28 did not need exotic tools to succeed — only neglected edge devices and a basic manipulation of Internet routing behavior.
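The two defender-side checks that follow from the mechanism described above, written here as an added example that is not from the article or from the Microsoft/Lumen research: flag edge devices whose configured resolvers fall outside an approved set, and flag answers for a monitored login hostname that land outside the provider's expected address ranges. All device names, hostnames, addresses and allowlists are constructed sample data.

```python
"""Offline checks for router DNS tampering (constructed sample data throughout).
1. Resolver check: a device's configured DNS servers must be in an approved set.
2. Answer check: a monitored login hostname must resolve into the provider's
   published ranges, not to an arbitrary VPS."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed allowlists (assumption: replace with the real resolver/provider data).
APPROVED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}            # TEST-NET-1 samples
EXPECTED_RANGES = {"owa.example.org": ["198.51.100.0/24"]}  # TEST-NET-2 sample

# Constructed router inventory: device -> DNS servers found in its config.
ROUTER_DNS = {
    "branch-rtr-01": ["192.0.2.53", "192.0.2.54"],
    "branch-rtr-02": ["192.0.2.53", "203.0.113.9"],   # one unknown resolver
}

# Constructed DNS observations: (device, queried name, answer IP).
DNS_OBSERVATIONS = [
    ("branch-rtr-01", "owa.example.org", "198.51.100.10"),
    ("branch-rtr-02", "owa.example.org", "203.0.113.77"),  # answer outside range
]

def rogue_resolvers(router_dns: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each device to the configured resolvers that are not approved."""
    findings = {}
    for device, servers in router_dns.items():
        bad = [s for s in servers if s not in APPROVED_RESOLVERS]
        if bad:
            findings[device] = bad
    return findings

def off_range_answers(observations: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return observations where a monitored name resolved outside its expected ranges."""
    findings = []
    for device, name, answer in observations:
        ranges = EXPECTED_RANGES.get(name)
        if ranges is None:
            continue  # hostname is not monitored
        ip = ipaddress.ip_address(answer)
        if not any(ip in ipaddress.ip_network(r) for r in ranges):
            findings.append((device, name, answer))
    return findings

if __name__ == "__main__":
    print("Rogue resolvers:", rogue_resolvers(ROUTER_DNS))
    print("Off-range answers:", off_range_answers(DNS_OBSERVATIONS))
```

In practice the inventory comes from exported router configurations and the observations from resolver or DHCP logs; a device that appears in either finding is a candidate for the kind of silent DNS change the article describes.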
Source: https://www.darkreading.com/threat-intelligence/russia-forest-blizzard-logins-soho-routers