Executive summary: Forest Blizzard, a threat actor linked to the Russian military, has been compromising insecure home and small-office internet equipment such as routers to hijack DNS and support adversary-in-the-middle (AiTM) activity, with the aim of spying on targets or conducting follow-on attacks. Since at least August 2025, the group and its sub-group Storm-2754 have exploited vulnerable SOHO devices to hijack DNS requests and facilitate network traffic collection, enabling persistent visibility at scale.
Microsoft Threat Intelligence notes that over 200 organisations and 5,000 consumer devices have been impacted, with AiTM operations observed against Microsoft 365 domains and at least three African government servers. The attacker’s DNS hijacking often routes traffic through actor‑controlled infrastructure, occasionally presenting invalid TLS certificates to intercept plaintext data within TLS sessions.
To mitigate, the blog recommends enforcing Zero Trust DNS, logging DNS activity, centralising identity management, and enforcing MFA with Conditional Access. According to Microsoft Threat Intelligence, defenders should also monitor for router-level DNS modifications and pursue post‑compromise detection to identify AiTM activity.
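The two detection points the summary calls out, router-level DNS modifications and DNS answers that route monitored domains through unexpected infrastructure, can be checked with a small log-processing script. The block below is an added example written for this summary, not code from Microsoft or the blog it summarises; the approved-resolver list, the expected address ranges, the router snapshot format, and the resolver log format are all constructed assumptions that a defender would replace with their own.

```python
"""Detect DNS-hijacking indicators from router DNS snapshots and resolver logs.

Added example for this summary (not Microsoft's code). The allowlist, expected
address ranges, record formats and sample data below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Resolvers the organisation intends its SOHO routers to hand out (constructed).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Hypothetical address ranges where monitored domains are expected to resolve.
# A hijacked resolver answering outside these ranges is the indicator of interest.
EXPECTED_RANGES = {
    "login.example-tenant.com": [ipaddress.ip_network("203.0.113.0/24")],
}


@dataclass(frozen=True)
class Finding:
    kind: str      # category of the indicator
    subject: str   # router id or queried name
    detail: str    # human-readable evidence


def check_router_dns(snapshots):
    """Flag routers whose configured DNS servers are not on the approved list.

    snapshots: iterable of (router_id, [dns_server, ...]) tuples, as collected
    from DHCP-offered options or a router's admin interface (assumed format).
    """
    findings = []
    for router_id, servers in snapshots:
        for server in servers:
            if server not in APPROVED_RESOLVERS:
                findings.append(Finding("router_dns_modified", router_id,
                                        f"unapproved resolver {server}"))
    return findings


# Constructed resolver log format: "<timestamp> <client_ip> <qname> A <answer_ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+A\s+(?P<answer>\S+)$"
)


def check_dns_answers(log_lines):
    """Flag A-record answers for monitored domains that fall outside expected ranges."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not an A-record line in the assumed format
        qname = m["qname"].rstrip(".").lower()
        ranges = EXPECTED_RANGES.get(qname)
        if ranges is None:
            continue  # domain not monitored
        try:
            addr = ipaddress.ip_address(m["answer"])
        except ValueError:
            findings.append(Finding("malformed_answer", qname, m["answer"]))
            continue
        if not any(addr in r for r in ranges):
            findings.append(Finding("unexpected_resolution", qname,
                                    f"{m['client']} got {addr}"))
    return findings


# Constructed sample data: one router with an unapproved resolver, one client
# whose answer for the monitored domain points outside the expected range.
SAMPLE_SNAPSHOTS = [
    ("rtr-branch-01", ["10.0.0.53", "10.0.1.53"]),
    ("rtr-home-07", ["198.51.100.7", "10.0.0.53"]),
]
SAMPLE_LOG = [
    "2025-09-01T08:00:01Z 192.168.1.20 login.example-tenant.com. A 203.0.113.10",
    "2025-09-01T08:00:02Z 192.168.1.21 login.example-tenant.com. A 198.51.100.7",
    "2025-09-01T08:00:03Z 192.168.1.22 cdn.example-tenant.com. A 192.0.2.9",
]

if __name__ == "__main__":
    for f in check_router_dns(SAMPLE_SNAPSHOTS) + check_dns_answers(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}: {f.detail}")
```

Both checks are deliberately allowlist-based: the router check needs no knowledge of attacker infrastructure, only of which resolvers the organisation sanctioned, and the answer check needs only the address ranges the monitored domains legitimately resolve to, so either will fire on a hijack regardless of which actor-controlled address it redirects to.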