
Russian Hackers Target SOHO Routers in Cyberespionage Campaign


Hijacking DNS Settings: Russian Hackers Target SOHO Routers, Microsoft Warns

In a recent report, threat intelligence researchers from Microsoft have alerted the public to ongoing cyberespionage activity conducted by hackers affiliated with Russian military intelligence, the GRU (Main Directorate of the General Staff of the Armed Forces of the Russian Federation). The campaign targets home and small office (SOHO) routers and manipulates their DNS settings so that the attackers can intercept and decrypt Transport Layer Security (TLS) traffic.

The activity, attributed to the group tracked under aliases such as APT28, Fancy Bear, and Sofacy Group, is part of a broader trend of nation-state actors exploiting everyday consumer technology for intelligence collection. According to the latest findings, since at least August 2025 the group has compromised over 200 organizations and approximately 5,000 consumer devices. The affected entities span several sectors, including government, information technology, telecommunications, and energy.

According to Microsoft's findings, the hackers modified the default DNS settings of compromised SOHO routers so that DNS queries from devices behind them were sent to an attacker-controlled resolver. This lets the adversaries collect and passively observe DNS queries, and it positions them to intercept traffic that would otherwise be protected by encryption. The report emphasizes that compromising SOHO devices costs the attackers very little while yielding considerable insight into the networks behind them.

While the specific methods used to gain initial access to the routers were not disclosed in detail, the hackers are believed to exploit well-known weaknesses such as default passwords and unpatched vulnerabilities. Routers that are no longer supported by their manufacturers offer additional entry points. Notably, for the vast majority of victims, DNS queries appeared to resolve normally, which masked the extent of the compromise.

For a minority of these victims, however, the attackers escalated to what is known as an "on-path" attack, in which an intermediary positioned on the communication path hijacks the channel to gain unauthorized access to the data passing through it. By spoofing DNS responses for targeted domains, the attackers caused affected devices to connect to malicious infrastructure under their control. There, they presented fraudulent TLS certificates that impersonated trusted services such as Microsoft applications. If a targeted user clicked through the browser warnings about these invalid certificates, the hackers could intercept the encrypted session, decrypt it to plaintext, and extract sensitive information.
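The two stages described above leave defender-visible symptoms: a router that suddenly advertises an unexpected resolver, and targeted names that resolve to different addresses through that resolver than through an independent one. The script below is an added illustration, not code from the Microsoft report or any affected vendor. It checks a router's advertised resolver against an allowlist, compares answers seen through the router with answers from a trusted resolver, and builds a TLS client context that fails closed on the kind of fraudulent certificate the on-path stage depends on. The resolver addresses, domain list and "observed" answers are constructed sample data (IP addresses are from the RFC 5737 documentation ranges); the allowlist is an assumption about what an organization would expect its remote workers' routers to use.

```python
"""Added example: detecting the DNS-hijacking symptoms described in the
article. All resolver addresses, domain names and answer sets below are
constructed for illustration; nothing here is taken from the report."""

import socket
import ssl
from typing import Dict, Iterable, List, Set

# Assumption: the resolvers an organization expects its remote workers'
# routers to hand out via DHCP (constructed, documentation-range addresses).
TRUSTED_RESOLVERS: Set[str] = {"192.0.2.53", "192.0.2.54"}


def resolver_is_expected(configured: str,
                         trusted: Set[str] = TRUSTED_RESOLVERS) -> bool:
    """First symptom: the router's configured/advertised DNS resolver has
    been silently changed to an address outside the expected set."""
    return configured in trusted


def spoofed_domains(observed: Dict[str, Set[str]],
                    reference: Dict[str, Set[str]]) -> List[str]:
    """Second symptom: answers seen through the router's resolver disagree
    with answers from an independent, trusted resolver.

    CDN-backed names legitimately return different subsets of addresses
    from one query to the next, so a name is flagged only when the two
    answer sets share *no* address, not when they differ at all. Empty
    observed answers (NXDOMAIN, timeout) are not flagged here; they are a
    separate availability signal."""
    flagged = []
    for name, ref_ips in reference.items():
        seen = observed.get(name, set())
        if seen and not (seen & ref_ips):
            flagged.append(name)
    return sorted(flagged)


def hardened_tls_context() -> ssl.SSLContext:
    """A client context that refuses the fraudulent certificates the
    on-path stage relies on: chain validation and hostname checking stay
    enabled, so an automated client has no warning to click through."""
    ctx = ssl.create_default_context()  # loads the platform trust store
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def live_resolve(names: Iterable[str]) -> Dict[str, Set[str]]:
    """Resolve names through the host's currently configured resolver.
    Needs network access; the offline demo below uses constructed data."""
    out: Dict[str, Set[str]] = {}
    for name in names:
        try:
            infos = socket.getaddrinfo(name, 443, type=socket.SOCK_STREAM)
            out[name] = {info[4][0] for info in infos}
        except socket.gaierror:
            out[name] = set()
    return out


# Constructed reference answers, as an independent trusted resolver might
# return them (addresses are documentation-range placeholders).
REFERENCE: Dict[str, Set[str]] = {
    "outlook.office.com": {"198.51.100.10", "198.51.100.11"},
    "login.microsoftonline.com": {"198.51.100.20"},
    "example.org": {"203.0.113.5"},
}

# Constructed answers as seen through a hijacked router: only the webmail
# name is redirected, matching the selective spoofing the article describes.
OBSERVED_THROUGH_ROUTER: Dict[str, Set[str]] = {
    "outlook.office.com": {"203.0.113.99"},          # attacker infrastructure
    "login.microsoftonline.com": {"198.51.100.20"},  # passed through unchanged
    "example.org": {"203.0.113.5"},                  # passed through unchanged
}


def run_demo(router_resolver: str = "203.0.113.1") -> Dict[str, object]:
    """Run both checks over the constructed data and return the findings."""
    return {
        "resolver_expected": resolver_is_expected(router_resolver),
        "spoofed": spoofed_domains(OBSERVED_THROUGH_ROUTER, REFERENCE),
    }


if __name__ == "__main__":
    findings = run_demo()
    print("router resolver trusted:", findings["resolver_expected"])
    print("domains with spoofed answers:", findings["spoofed"])
```

In practice the reference answers would come from a resolver reached over DNS-over-HTTPS or from a corporate resolver the router cannot redirect, and the comparison would run periodically from the remote worker's endpoint; the `live_resolve` helper shows where the router-side answers would come from. The TLS context is the client-side counterpart: the fraudulent certificates only work when validation is relaxed or a warning is dismissed, so automated clients should never disable either check.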

Microsoft reports that these tactics were used notably against Microsoft 365 domains associated with web-based Microsoft Outlook. Separate operations targeted several non-Microsoft-hosted servers belonging to at least three government organizations in Africa. The consequences of such interception can be severe: if the captured traffic includes session cookies or credentials, the hackers can move through the environment undetected while posing as legitimate users.

The potential for post-compromise activity is particularly concerning. Microsoft notes that a compromised environment could serve as a launchpad not only for distributing malware but also for staging denial-of-service attacks against targeted organizations. No activity of this kind has been observed so far, but the possibility underlines the ongoing threat these actors pose.

This isn't the first time GRU Military Unit 26165 has targeted home routers. In February 2024 the U.S. Department of Justice announced an operation to neutralize a network of SOHO routers that Russian intelligence had repurposed for espionage. Those routers had been used in a variety of attacks, including phishing and credential theft, against American and foreign government entities as well as private businesses.

In light of these findings, Microsoft stresses the urgent need for organizations to review their cyber hygiene practices, especially for the edge infrastructure used by remote workers. The report calls for proactive management of SOHO devices, particularly those used by remote employees, because a compromised home network can expose cloud access and sensitive data even when the traditional enterprise environment itself remains secure.

As the threat landscape continues to evolve, the growing number of warnings tied to the GRU points to increasingly sophisticated espionage tradecraft. Cybersecurity firms such as ESET have observed that since 2024 the group has deployed highly advanced malware tailored to military personnel in Ukraine, a shift away from its earlier reliance on simpler scripts and phishing.

The frequency of these operations raises troubling questions about the security of modern infrastructure, both personal and organizational. As devices and networks become more interconnected, strengthening security controls and raising awareness of potential weaknesses becomes ever more pressing. Organizations must act decisively to put robust defenses in place so they can withstand what appears to be an ongoing and increasingly sophisticated cyberespionage campaign.
