
Feds dismantle Russia-backed espionage network operating across 18,000 devices

  • Apr 8

Key Findings


  • Russian GRU-attributed threat group Forest Blizzard compromised over 18,000 routers across 120+ countries for large-scale espionage before being neutralized

  • Attackers exploited known vulnerabilities in TP-Link and MikroTik routers to hijack DNS settings and steal credentials via man-in-the-middle attacks

  • Campaign impacted more than 200 organizations and at least 5,000 consumer devices globally, including government agencies and critical infrastructure sectors

  • FBI conducted court-authorized Operation Masquerade to reset DNS settings and prevent further exploitation across compromised U.S. routers

  • Espionage activity has ceased with gradual infrastructure decline observed over recent weeks


Background


Forest Blizzard, also known as APT28 and Fancy Bear, is a threat group attributed to Russia's Main Intelligence Directorate of the General Staff (GRU) Military Unit 26165. The group launched this widespread campaign targeting network edge devices after the UK's National Cyber Security Centre published a malware analysis report in August about a tool used to steal Microsoft Office credentials. Lumen's Black Lotus Labs observed the exploitation surge beginning the day after that publication.


Attack Methodology


The threat group employed adversary-in-the-middle attacks by hijacking router DNS settings to redirect traffic to fake domains mimicking legitimate services like Microsoft Outlook Web Access. This allowed them to intercept passwords, OAuth tokens, and credentials for Microsoft accounts and other cloud services. The attackers operated opportunistically at first, compromising routers before identifying targets of intelligence interest to the Russian government.
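The campaign described above works because a router's configured resolvers and the answers it hands out are rarely audited. The following Python script is an added example written for this summary, not code from the article, Lumen, Microsoft or the FBI. It shows two defensive checks a network owner can run: compare the router's configured DNS servers against an allowlist, and compare the addresses a high-value hostname resolves to through the router against a reference answer obtained from a trusted resolver. The config format (`dns-server <ip>` lines), the allowlist, the hostnames and every address in it are constructed sample values.

```python
"""Audit router DNS settings and resolution results for signs of DNS hijacking.

Added example (not from the original article). All inputs below are constructed.
"""
import ipaddress

# Constructed allowlist: the resolvers this network is supposed to use.
TRUSTED_RESOLVERS = {"9.9.9.9", "149.112.112.112", "2620:fe::fe"}

# Constructed sample of a router's WAN DNS settings in a generic "dns-server <ip>" form.
# The 203.0.113.5 entry stands in for a resolver an attacker has pushed into the config.
SAMPLE_CONFIG = """\
# WAN DNS settings (constructed sample)
dns-server 9.9.9.9
dns-server 203.0.113.5
dns-server 2620:fe::fe
dns-server not-an-address
"""

# Constructed reference answer for a high-value hostname, as obtained from a trusted resolver.
REFERENCE_ANSWERS = {"outlook.example.com": "198.51.100.10"}
# Constructed answer for the same hostname as returned through the router's current resolvers.
LOCAL_ANSWERS = {"outlook.example.com": "203.0.113.77"}


def parse_resolvers(config_text: str) -> list[str]:
    """Extract resolver addresses from 'dns-server <ip>' lines.

    Comments and lines that do not carry a valid IP address are ignored, so a
    malformed entry cannot abort the audit.
    """
    resolvers = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] != "dns-server":
            continue
        try:
            # Normalise (e.g. compress IPv6) so allowlist comparison is by address, not spelling.
            resolvers.append(str(ipaddress.ip_address(parts[1])))
        except ValueError:
            continue
    return resolvers


def audit_resolvers(resolvers: list[str], trusted: set[str] = TRUSTED_RESOLVERS) -> list[str]:
    """Return configured resolvers that are not on the allowlist, in config order."""
    return [r for r in resolvers if r not in trusted]


def compare_resolutions(local: dict[str, str], reference: dict[str, str]) -> list[str]:
    """Return hostnames whose answer via the router differs from the trusted reference.

    A hostname missing from the local answers also counts as a mismatch.
    """
    return sorted(host for host, ip in reference.items() if local.get(host) != ip)


def main() -> None:
    resolvers = parse_resolvers(SAMPLE_CONFIG)
    rogue = audit_resolvers(resolvers)
    diverging = compare_resolutions(LOCAL_ANSWERS, REFERENCE_ANSWERS)
    print("configured resolvers:", resolvers)
    print("resolvers not on allowlist:", rogue)
    print("hostnames resolving differently from reference:", diverging)


if __name__ == "__main__":
    main()
```

On real hardware the config text would come from the router's own export or admin interface and the local answers from a lookup performed through that router; either finding (an unlisted resolver, or a sensitive hostname resolving to an unexpected address) is the signal that the DNS settings need to be reset and the device patched.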


Targets and Impact


Forest Blizzard targeted individuals and organizations in military, government, and critical infrastructure sectors across multiple continents. Victims included government agencies and organizations in IT, telecom, and energy sectors. Lumen identified additional compromised targets linked to Afghanistan's government, foreign affairs ministries, and national law enforcement agencies in North Africa, Central America, and Southeast Asia. An unnamed European country's national identity platform was also affected. Notably, Lumen found no evidence of compromised U.S. government agencies, though the FBI remediated routers weaponized in over 23 U.S. states.


Takedown Operation


Operation Masquerade was a collaborative effort led by the FBI with support from the Justice Department, National Security Division, Lumen's Black Lotus Labs, and Microsoft Threat Intelligence. The operation involved court-authorized commands designed to reset DNS settings on compromised American routers and prevent the threat group from further exploiting their initial access point. Microsoft confirmed that company-owned assets or services were not compromised during the campaign, though sensitive information exposure through intercepted credentials remains a serious concern.


Sources


  • https://cyberscoop.com/forest-blizzard-apt28-routers-espionage-campaign-operation-masquerade/

  • https://x.com/TheCyberSecHub/status/2041665389013442782

  • https://www.socdefenders.ai/item/910a0333-1b54-433e-b3cd-d823a55ea9ee


© 2025 by Explain IT Again. Powered and secured by Wix
