Russian APT Forest Blizzard Exploits SOHO Routers for Large-Scale DNS Hijacking and Espionage
Since at least August 2025, the Russian military-linked threat actor Forest Blizzard (also tracked as Storm-2754) has conducted a widespread campaign targeting vulnerable small office/home office (SOHO) routers to hijack Domain Name System (DNS) requests and facilitate large-scale surveillance. Microsoft Threat Intelligence identified over 200 organizations and 5,000 consumer devices compromised in this operation, though Microsoft’s own assets remained unaffected.
Forest Blizzard, known for intelligence-gathering in support of Russian foreign policy, exploited insecure edge devices to reroute DNS traffic through actor-controlled resolvers, enabling passive reconnaissance and follow-on attacks. The group leveraged this access to conduct adversary-in-the-middle (AiTM) attacks against Transport Layer Security (TLS) connections, including connections to Microsoft Outlook on the web domains, intercepting cloud-hosted content from sectors such as government, IT, telecommunications, and energy, all typical targets for Russian cyber espionage.
Attack Chain: From Router Compromise to AiTM
- Initial Access – Forest Blizzard gained control of SOHO routers and altered their DNS settings so that clients behind them sent their queries to actor-controlled resolvers.
- DNS Hijacking – Those resolvers ran the legitimate dnsmasq utility, which answered the redirected queries normally while the actor recorded them for intelligence collection; from the victim's side, name resolution kept working.
- AiTM Attacks – In select cases, the group returned spoofed DNS answers that steered connections to attacker-controlled infrastructure presenting invalid TLS certificates. Where users clicked through the resulting certificate warnings, the actor could read the plaintext traffic, including email.
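The chain above, together with the "monitor DNS traffic for unauthorized redirections" recommendation in the rating record further down, suggests two checks a defender can run without touching the routers themselves. The Python below is an added example written for this page, not Microsoft's detection logic or code from the campaign: it audits the resolvers each router hands out via DHCP against an allowlist (catching the first step), and scans a passive DNS log for monitored names that resolve outside their known ranges or into the same /24 as an untrusted resolver, which is what the AiTM step looks like when the actor hosts both the fake resolver and the interception host. The router inventory, log lines, allowlist and reference ranges are all constructed for illustration; RFC 5737 documentation addresses stand in for both legitimate and actor infrastructure, and only outlook.office.com is a real hostname taken from the article.

```python
"""Spot router-level DNS hijacking and spoofed answers for monitored domains.

Added example for this page; not Microsoft's or the threat actor's code.
All data below is constructed. RFC 5737 TEST-NET addresses stand in for
real infrastructure (192.0.2.0/24 "legitimate", 203.0.113.0/24 "actor").
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Resolvers the organisation sanctions (assumed allowlist).
TRUSTED_RESOLVERS = frozenset({"10.0.0.53", "1.1.1.1", "8.8.8.8"})

# Resolvers each router hands out via DHCP, as collected by an inventory job (constructed).
ROUTER_DNS_INVENTORY = {
    "branch-rtr-01": ["10.0.0.53"],
    "home-rtr-alice": ["1.1.1.1", "8.8.8.8"],
    "home-rtr-bob": ["203.0.113.37"],  # altered by the intruder in this scenario
}

# Out-of-band reference ranges for high-value names (constructed; in practice,
# resolve from a trusted vantage point or use the provider's published ranges).
REFERENCE_ANSWERS = {
    "outlook.office.com": [ip_network("192.0.2.0/24")],
}

# Passive DNS log, one line per answer (constructed):
# "<timestamp> <client> <resolver> <qname> <rrtype> <rdata>"
DNS_LOG = """\
2025-09-01T08:00:01Z 192.168.1.20 8.8.8.8 outlook.office.com A 192.0.2.10
2025-09-01T08:00:02Z 192.168.1.21 203.0.113.37 outlook.office.com A 203.0.113.40
2025-09-01T08:00:03Z 192.168.1.21 203.0.113.37 example.org A 198.51.100.7
2025-09-01T08:00:04Z 192.168.1.22 10.0.0.53 outlook.office.com A 192.0.2.11
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    subject: str
    detail: str


@dataclass(frozen=True)
class DnsRecord:
    ts: str
    client: str
    resolver: str
    qname: str
    rrtype: str
    rdata: str


def audit_router_inventory(inventory, trusted=TRUSTED_RESOLVERS):
    """Flag every router whose configured resolvers fall outside the allowlist."""
    findings = []
    for router, resolvers in inventory.items():
        rogue = [r for r in resolvers if r not in trusted]
        if rogue:
            findings.append(Finding("unauthorized_resolver", router,
                                    "DHCP hands out " + ", ".join(rogue)))
    return findings


def parse_dns_log(text):
    """Parse the six-field log format above; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        records.append(DnsRecord(*parts))
    return records


def detect_spoofed_answers(records, reference=REFERENCE_ANSWERS, trusted=TRUSTED_RESOLVERS):
    """Two AiTM indicators: a monitored name answered outside its reference ranges,
    and an answer that lands in the same /24 as an untrusted resolver."""
    findings = []
    for rec in records:
        if rec.rrtype != "A":
            continue
        answer = ip_address(rec.rdata)
        expected = reference.get(rec.qname)
        if expected is not None and not any(answer in net for net in expected):
            findings.append(Finding("answer_out_of_range", rec.qname,
                                    f"{rec.resolver} answered {rec.rdata} for {rec.client}"))
        if rec.resolver not in trusted:
            resolver_net = ip_network(f"{rec.resolver}/24", strict=False)
            if answer in resolver_net:
                findings.append(Finding("answer_colocated_with_resolver", rec.qname,
                                        f"{rec.rdata} shares {resolver_net} with resolver {rec.resolver}"))
    return findings


def run_audit():
    """Run both checks over the embedded sample data and return every finding."""
    return audit_router_inventory(ROUTER_DNS_INVENTORY) + detect_spoofed_answers(parse_dns_log(DNS_LOG))


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.rule}] {f.subject}: {f.detail}")
```

On the sample data this reports three findings: the router handing out 203.0.113.37, and two alerts on the same outlook.office.com answer from that resolver (out of range, and co-located with the resolver). The example.org lookup through the rogue resolver is deliberately left unflagged: without a reference range it is only evidence of redirection, which the inventory check already covers, not of spoofing.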
While most DNS hijacking activity remained passive, Microsoft observed targeted AiTM operations against:
- Microsoft 365 domains (Outlook on the web)
- Government servers in Africa, where Forest Blizzard intercepted DNS requests for follow-on collection.
Impact and Broader Risks
Though only a subset of compromised networks faced active AiTM attacks, the campaign demonstrates how unmanaged SOHO devices, often used by remote workers, can serve as entry points into enterprise environments. Forest Blizzard's access could enable larger-scale interception, malware deployment, or denial-of-service attacks in future operations.
This marks the first time Microsoft has documented Forest Blizzard using DNS hijacking at scale to support AiTM attacks, though Russian military intelligence has historically targeted edge devices for espionage. The group’s selective use of AiTM suggests a focus on high-priority intelligence targets post-compromise.
Analytical Center for the Government of the Russian Federation cybersecurity rating report: https://www.rankiteo.com/company/analytical-center-for-the-government-of-the-russian-federation
{
  "id": "ANA1775660330",
  "linkid": "analytical-center-for-the-government-of-the-russian-federation",
  "type": "Cyber Attack",
  "date": "4/2026",
  "severity": "100",
  "impact": "6",
  "explanation": "Attack threatening the economy of geographical region"
}
{
  "affected_entities": [
    {
      "customers_affected": "Over 200 organizations and 5,000 consumer devices",
      "industry": ["Government", "Information Technology", "Telecommunications", "Energy"],
      "location": ["Africa", "Global (unspecified)"],
      "type": ["Government", "IT", "Telecommunications", "Energy"]
    }
  ],
  "attack_vector": ["Exploiting vulnerable SOHO routers", "DNS hijacking", "TLS interception"],
  "data_breach": {
    "data_encryption": "Bypassed via invalid TLS certificates in AiTM attacks",
    "personally_identifiable_information": "Likely (emails, cloud-hosted content)",
    "sensitivity_of_data": "High (intelligence-related, personally identifiable information)",
    "type_of_data_compromised": ["DNS traffic", "TLS-encrypted communications", "Emails", "Cloud-hosted content"]
  },
  "date_detected": "2025-08-01",
  "description": "Since at least August 2025, the Russian military-linked threat actor Forest Blizzard (also tracked as Storm-2754) has conducted a widespread campaign targeting vulnerable small office/home office (SOHO) routers to hijack Domain Name System (DNS) requests and facilitate large-scale surveillance. The group exploited insecure edge devices to reroute DNS traffic through actor-controlled resolvers, enabling passive reconnaissance and follow-on attacks, including adversary-in-the-middle (AiTM) attacks against TLS connections such as Microsoft Outlook on the web domains.",
  "impact": {
    "data_compromised": "DNS traffic, TLS-encrypted communications (e.g., emails), cloud-hosted content",
    "identity_theft_risk": "High (interception of personally identifiable information)",
    "operational_impact": "Potential for larger-scale interception, malware deployment, or denial-of-service attacks",
    "systems_affected": ["SOHO routers", "DNS resolvers", "Microsoft 365 domains (Outlook on the web)", "Government servers"]
  },
  "initial_access_broker": {
    "entry_point": "Vulnerable SOHO routers",
    "high_value_targets": ["Government", "IT", "Telecommunications", "Energy"]
  },
  "investigation_status": "Ongoing (as of disclosure)",
  "lessons_learned": "Unmanaged SOHO devices can serve as entry points into enterprise environments, enabling large-scale surveillance and follow-on attacks. Organizations should secure edge devices and monitor DNS traffic for anomalies.",
  "motivation": "Intelligence-gathering in support of Russian foreign policy",
  "post_incident_analysis": {
    "corrective_actions": [
      "Patch and secure SOHO routers",
      "Deploy DNS monitoring and anomaly detection",
      "Enforce strict TLS certificate validation",
      "Implement network segmentation"
    ],
    "root_causes": [
      "Exploitation of insecure SOHO routers",
      "DNS hijacking via dnsmasq utility",
      "AiTM attacks on TLS connections"
    ]
  },
  "recommendations": [
    "Secure SOHO routers with strong configurations and regular updates",
    "Monitor DNS traffic for unauthorized redirections",
    "Implement multi-factor authentication (MFA) for cloud services",
    "Educate users on recognizing invalid TLS certificate warnings",
    "Segment networks to limit lateral movement from compromised edge devices"
  ],
  "references": [{"source": "Microsoft Threat Intelligence"}],
  "response": {"third_party_assistance": "Microsoft Threat Intelligence"},
  "threat_actor": "Forest Blizzard (Storm-2754, Russian military-linked APT)",
  "title": "Russian APT Forest Blizzard Exploits SOHO Routers for Large-Scale DNS Hijacking and Espionage",
  "type": ["Espionage", "DNS Hijacking", "Adversary-in-the-Middle (AiTM)"],
  "vulnerability_exploited": "Insecure SOHO routers with default or weak configurations"
}