www.securityweek.com 4/8/2026, 11:01:06 AM · via preferred

US Disrupts Russian Espionage Operation Involving Hacked Routers and DNS Hijacking


The US Department of Justice and the FBI announced that they have disrupted a network of hacked SOHO routers used by Russia in an espionage operation. According to US authorities, the attacks have been tied to the threat actor known as APT28, Forest Blizzard, and Fancy Bear. The hackers targeted vulnerable TP-Link and MikroTik routers, altering their DHCP and DNS settings to route victims' traffic through attacker-controlled infrastructure in an adversary-in-the-middle attack.
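The router tampering described above shows up on the LAN as DHCP leases that hand out an unexpected DNS server. The following is an added example written for this page, not code from the article or from any of the agencies named: it parses the options field of a DHCP ACK and flags any advertised resolver that is not on a site allowlist. The packet bytes and the allowlist are constructed.

```python
"""Flag DHCP leases whose DNS option points outside a resolver allowlist."""
import ipaddress

OPT_ROUTER, OPT_DNS, OPT_END, OPT_PAD = 3, 6, 255, 0


def parse_dhcp_options(options: bytes) -> dict:
    """Parse the TLV option bytes that follow the DHCP magic cookie into {code: value}."""
    opts, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        length = options[i + 1]
        opts[code] = options[i + 2 : i + 2 + length]
        i += 2 + length
    return opts


def addresses(raw: bytes) -> list:
    """Split a multi-address option value into dotted-quad strings (whole 4-byte groups only)."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4]))
            for j in range(0, len(raw) - len(raw) % 4, 4)]


def unexpected_dns(options: bytes, allowed_dns: set) -> list:
    """Return DNS servers advertised in option 6 that are not in the allowlist."""
    opts = parse_dhcp_options(options)
    return [a for a in addresses(opts.get(OPT_DNS, b"")) if a not in allowed_dns]


# Constructed DHCP ACK option bytes (hypothetical sample): the router hands out
# itself (192.168.1.1) plus a second resolver, 198.51.100.7, that the site
# never configured. 198.51.100.0/24 is a documentation range, not a real host.
SAMPLE_ACK_OPTIONS = bytes([
    53, 1, 5,                                # option 53: DHCP message type = ACK
    3, 4, 192, 168, 1, 1,                    # option 3: default router
    6, 8, 192, 168, 1, 1, 198, 51, 100, 7,   # option 6: two DNS servers
    255,                                     # option 255: end
])

if __name__ == "__main__":
    # A non-empty list here is the signal to compare the router's config
    # against the vendor's expected DHCP/DNS settings.
    print(unexpected_dns(SAMPLE_ACK_OPTIONS, {"192.168.1.1"}))
```

In practice the option bytes would come from a DHCP ACK captured on the segment (for example via a packet capture) rather than from the constructed sample.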

Microsoft attributed the operation to Forest Blizzard and a group it tracks as Storm-2754, noting more than 200 organisations and 5,000 consumer devices were affected. The campaign began in August 2025, with peak activity in December 2025 when over 18,000 unique IPs from at least 120 countries communicated with Forest Blizzard’s infrastructure.

The UK’s National Cyber Security Centre has published an advisory with IoCs and guidance on defending against such attacks, while the FBI had previously disrupted a SOHO router botnet in early 2024.


Article by CyberSIXT