Russian hacking group targets home and small office routers to spy on users
2026-04-08 13:31:25 Author: www.malwarebytes.com

British security officials found that a group linked to the Russian military is spying on users of compromised Small Office/Home Office (SOHO) routers in a broad cyber espionage campaign. A Microsoft blog goes into the technical details of these attacks.

The group, which we’ll refer to as APT28 but is also known under names like Fancy Bear, BlueDelta, and Forest Blizzard, changes the DNS settings of compromised routers so that victims’ traffic is sent through servers under the group’s control, which enables APT28 to spy on users.

The domain name system (DNS) is the way that internet domain names are located and translated into Internet Protocol (IP) addresses. Devices usually get network settings from routers using Dynamic Host Configuration Protocol (DHCP).

If an attacker can tamper with the router’s DNS settings, they can silently steer traffic through infrastructure they control, harvest login details, and in some cases position themselves between the user and the real service. This is why the campaign can support credential theft and even targeted interception of Microsoft 365 and other cloud traffic.

An FBI public service announcement says that APT28:

“…has harvested passwords, authentication tokens, and sensitive information including emails and web browsing information normally protected by secure socket layer (SSL) and transport layer security (TLS) encryption.”

The FBI says the group cast a wide net over the US and globally, before narrowing down their victims to those with access to information related to military, government, and critical infrastructure.

The NCSC advisory singles out one TP-Link model (WR841N) with a known vulnerability that enables an unauthenticated attacker to obtain information such as usernames and passwords via specially crafted HTTP GET requests. This router model is widely sold to consumers and small businesses and is not typically used as standard equipment by major internet service providers. The advisory also includes a long, though not exhaustive, list of other TP-Link router models targeted by APT28.

Microsoft Threat Intelligence says it has identified over 200 organizations and 5,000 consumer devices impacted by Forest Blizzard’s malicious DNS infrastructure.

The router ban debate

A few weeks ago, we commented on the FCC’s decision to effectively stop foreign-made routers from being imported unless their manufacturers obtain an exemption, due to what the FCC called an “unacceptable risk to the national security of the United States or the safety and security of United States persons.”

APT28’s actions show the kind of risk the FCC is trying to stop, but they also reinforce our point: while the debate over router bans and supply-chain restrictions often focuses on national origin, the bigger issue is whether the devices are secure in practice. If a router ships with weak defaults, poor update support, or a confusing setup process, it becomes a target regardless of where it was made. Attackers do not need perfection. They only need enough exposed devices to build a large, quiet infrastructure for spying and redirection.

What you can do

We can only give general directions for checking whether your settings are OK, since the exact steps are often very device-specific. But this method usually works:

How to check that your router’s DHCP settings match what your ISP intends:

  1. Check your current DHCP information on a device.
    On a PC or phone connected to your home network, open the network details and note the IP address, subnet mask, default gateway, and DNS servers your device is using.
  2. Log in to your router and find its WAN/Internet settings.
    In the router’s web interface, look at the “Status” or “Internet” page to see what address it has received from the ISP, and which DNS servers it is configured to use.
  3. Compare against what your ISP documents or tells you.
    Check your ISP’s support pages or contact support to confirm what they expect: whether your connection should use DHCP or PPPoE, what range your public IP should come from, and which DNS servers they normally provide. Large mismatches (for example, DNS servers in a different country or from an unknown organization) are a reason to investigate further.
  4. If you use custom DNS, document it.
    If you deliberately use alternative DNS (for example, a privacy or security resolver), write that down and periodically re‑check that your router and clients are still using the addresses you chose.
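
As an added example (not part of the Malwarebytes article), here is the comparison from steps 1 to 3 as a small Python audit: it reads the resolvers a client received via DHCP, checks the upstream servers the router reports on its WAN page, and flags any resolver that is neither your router, a local stub, nor on the list your ISP documents or that you deliberately chose. All addresses, the LAN subnet and the ISP list are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample of a client's DHCP-assigned DNS in /etc/resolv.conf form
# (on Windows the same addresses appear as "DNS Servers" in `ipconfig /all`).
CLIENT_RESOLV_CONF = """\
# Generated by DHCP client (constructed sample)
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.53
"""
# Constructed sample of the upstream DNS servers shown on the router's
# WAN/Status page; the second entry is not one the ISP documents.
ROUTER_WAN_DNS = ["198.51.100.1", "203.0.113.53"]
# Resolvers the ISP documents (constructed) plus any you chose on purpose.
EXPECTED_RESOLVERS = {"198.51.100.1", "198.51.100.2"}
LAN_SUBNET = "192.168.1.0/24"

def parse_nameservers(text):
    """Extract resolver addresses from 'nameserver X' lines."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, flags=re.MULTILINE)

def audit_resolvers(observed, lan_cidr, expected):
    """Map each observed resolver to a verdict. 'INVESTIGATE' marks anything
    that is neither your router, a loopback stub, nor on the expected list."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    verdicts = {}
    for addr in observed:
        ip = ipaddress.ip_address(addr)
        if ip in lan:
            verdicts[addr] = "ok: LAN address, the router forwards DNS upstream"
        elif ip.is_loopback:
            verdicts[addr] = "ok: local stub resolver"
        elif addr in expected:
            verdicts[addr] = "ok: documented or deliberately chosen resolver"
        else:
            verdicts[addr] = "INVESTIGATE: resolver outside LAN and not on ISP list"
    return verdicts

def suspicious(verdicts):
    """Addresses that warrant a closer look, sorted for stable output."""
    return sorted(a for a, v in verdicts.items() if v.startswith("INVESTIGATE"))

def run_sample():
    """Audit the client side (step 1) and the router's WAN side (step 2)."""
    client = audit_resolvers(parse_nameservers(CLIENT_RESOLV_CONF), LAN_SUBNET, EXPECTED_RESOLVERS)
    router = audit_resolvers(ROUTER_WAN_DNS, LAN_SUBNET, EXPECTED_RESOLVERS)
    return {"client": suspicious(client), "router": suspicious(router)}
```

`run_sample()` returns the resolvers to investigate per side; in the constructed sample the same unknown address shows up on both the client and the router, which is exactly the pattern step 3 tells you to follow up on.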

Other measures

If you can afford it and haven’t already, upgrade to Wi-Fi 7 to help future-proof your setup while current models are still in stores.

You should at least:

  • Change your router’s default usernames and passwords to something less easy to guess.
  • Check the vendor’s website for updates, confirm the device’s end-of-life (EOL) date, and update to the latest firmware version.
  • Disable remote management interfaces from the Internet where possible.
  • Take certificate warnings in web browsers and email clients seriously: they indicate something is wrong with the secure connection and could mean you are not talking to the genuine site.

For technically confident users, replacing vendor firmware with open-source alternatives like OpenWrt or DD-WRT can extend a router’s secure lifespan. But this comes with risks, including voiding warranties or potentially bricking your device. You should only do this, or have it done, if you’re comfortable troubleshooting.

If a US citizen suspects they have been targeted or compromised by a Russian cyberintrusion, they are asked to report the activity to their local FBI field office or file a complaint with the IC3. Be sure to provide details about the affected router, including device type and DHCP configurations.



About the author

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.


Article source: https://www.malwarebytes.com/blog/news/2026/04/russian-state-sponsored-hackers-hijack-home-and-small-office-routers-for-espionage