Russia's APT28 threat group — tracked by Microsoft as Forest Blizzard and also known as Fancy Bear, STRONTIUM, and Pawn Storm — has been observed conducting a novel "malwareless" espionage campaign that harvests login credentials from global organizations by modifying a single DNS setting in vulnerable small office/home office (SOHO) routers. The technique requires no malware on victim endpoints, making it exceptionally difficult to detect through traditional endpoint security tools.
The Attack: One DNS Change, Unlimited Credential Harvesting
The elegance of this campaign lies in its simplicity. Rather than deploying custom malware or exploiting complex software vulnerabilities on target systems, Forest Blizzard:
- Identifies and compromises vulnerable SOHO routers at or near target organizations — routers running outdated firmware, using default credentials, or exposed to public management interfaces
- Modifies the router's DNS server settings to point to an attacker-controlled DNS resolver
- Operates a malicious DNS resolver that responds to DNS queries for targeted services (email portals, VPN gateways, Microsoft 365, cloud services) with IP addresses pointing to attacker-controlled phishing proxies
- Relies on every device behind the router routing credential-bearing traffic through the poisoned DNS, with no configuration change on the endpoints themselves
- Silently logs the captured credentials for later use in espionage operations
The attack is described by researchers as "fileless malware" taken to its logical extreme — it is not merely fileless on the endpoint, it requires no malware anywhere in the victim's environment at all.
Why SOHO Routers Are the Perfect Entry Point
SOHO routers represent a persistently underprotected segment of the network attack surface:
| Vulnerability Factor | Detail |
|---|---|
| Default credentials | A large proportion of deployed SOHO routers retain manufacturer default admin passwords |
| Outdated firmware | Router firmware is rarely updated; many run firmware years out of date with known CVEs |
| Exposed management interfaces | Many routers have web UIs or Telnet/SSH exposed to the internet |
| No EDR/AV coverage | Endpoint security tools have zero visibility into router configuration changes |
| Trusted network position | Routers sit upstream of all endpoint traffic — DNS modifications affect every device simultaneously |
| Low detection rate | DNS setting changes generate no alerts in standard SIEM/SOC monitoring |
For a nation-state actor like APT28 with extensive capabilities for scanning and exploiting internet-exposed devices, gaining control of SOHO routers at target organizations is a relatively low-cost operation with exceptional intelligence yield.
Targets and Scope
Forest Blizzard has historically targeted organizations aligned with Russian geopolitical intelligence priorities:
- Government ministries and agencies across NATO member states
- Defence contractors and defence industrial base organizations
- Energy sector companies in Europe and North America
- Think tanks and NGOs engaged in Eastern European security policy
- Media organizations covering Russian government and military affairs
The DNS-based credential harvesting technique is particularly effective against organizations where employees use web-based email (Microsoft 365, Google Workspace), VPN portals, or cloud services — essentially all modern organizations.
How the Attack Remains Undetected
Several properties of this technique make it unusually difficult to detect:
No Endpoint Artifacts
Traditional detection methods — EDR behavioral monitoring, antivirus scanning, memory analysis — have nothing to detect. No malicious binary executes, no malicious process runs, no file is dropped on any endpoint.
DNS Changes Are Rarely Monitored
Most organizations monitor endpoint logs, firewall logs, and server logs, but few baseline and monitor DNS configuration on network devices. A DNS server change on a SOHO router generates no alert in most SOC environments.
Traffic Appears Legitimate
From the network perspective, users successfully authenticate to what appears to be their normal services. The phishing proxy passes through traffic after capturing credentials, so users may notice no service disruption.
Certificate Challenges (but Surmountable)
For HTTPS services, the phishing proxy would normally trigger certificate warnings. APT28 is assessed to have obtained or forged certificates, to use HSTS bypass techniques, or to target environments where certificate validation has been weakened.
Detection and Mitigation
For Organisations
| Control | Implementation |
|---|---|
| Audit SOHO router DNS settings | Regularly verify that router DNS settings match expected values (ISP DNS or org-approved resolvers) |
| Replace SOHO routers in sensitive roles | Use enterprise-grade managed networking equipment that supports config auditing and change alerts |
| DNSSEC validation | Enable DNSSEC where possible to cryptographically validate DNS responses |
| DNS-over-HTTPS (DoH) / DNS-over-TLS (DoT) | Force endpoints to use encrypted DNS to bypass router-level DNS hijacking |
| Phishing-resistant MFA | FIDO2/WebAuthn hardware keys are not susceptible to credential harvesting via phishing proxies |
| Zero Trust Network Access (ZTNA) | Device health verification and identity verification at every access request reduce reliance on network-layer trust |
| Network monitoring for DNS anomalies | Alert on DNS resolution returning unexpected IPs for known organizational services |
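The two DNS controls in the table above (auditing the resolver a network hands out, and alerting when known service names resolve to unexpected addresses) can be scripted. The block below is an added example written for this page, not code from the article or from any vendor; the approved-resolver set, the expected address ranges, and the sample resolv.conf content are all constructed placeholders that an organisation would replace with its own values.

```python
# Added example: audit the advertised resolver and flag service names that resolve
# outside their expected ranges. Placeholder values throughout, not real org data.
import ipaddress
import re
import socket

# Constructed placeholder: resolvers the organisation expects its networks to advertise.
APPROVED_RESOLVERS = {"1.1.1.1", "8.8.8.8"}

# Constructed placeholder table: hostname -> networks its answers are expected to fall in.
# The RFC 5737 documentation ranges are used purely as stand-ins for real address space.
EXPECTED_RANGES = {
    "mail.example.org": ["203.0.113.0/24"],
    "vpn.example.org": ["198.51.100.0/24"],
}

# Constructed resolv.conf content in which the router has pushed a second, unknown resolver.
SAMPLE_RESOLV_CONF = """# Generated by DHCP client
nameserver 1.1.1.1
nameserver 192.0.2.53
search example.org
"""

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def resolvers_from_resolv_conf(text):
    """Return the nameserver addresses declared in resolv.conf-style text, in order."""
    return NAMESERVER_RE.findall(text)


def unapproved_resolvers(resolvers, approved=APPROVED_RESOLVERS):
    """Resolvers that are not on the approved list. A router whose DNS setting has been
    changed shows up here, because DHCP hands the new address to every client."""
    return [r for r in resolvers if r not in approved]


def unexpected_answers(answers, expected=EXPECTED_RANGES):
    """Given {hostname: [ip, ...]} as returned by a resolver, return the (hostname, ip)
    pairs whose address lies outside the hostname's expected networks. Hostnames with
    no recorded expectation are skipped rather than flagged."""
    flagged = []
    for host, ips in answers.items():
        nets = [ipaddress.ip_network(n) for n in expected.get(host, [])]
        if not nets:
            continue
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in nets):
                flagged.append((host, ip))
    return flagged


def resolve_live(hostnames):
    """Ask the system resolver (whatever the router advertised) for each name.
    This needs network access; the checks above work on captured data."""
    answers = {}
    for host in hostnames:
        try:
            infos = socket.getaddrinfo(host, None)
            answers[host] = sorted({info[4][0] for info in infos})
        except socket.gaierror:
            answers[host] = []
    return answers


if __name__ == "__main__":
    # On hosts running a local stub (systemd-resolved shows 127.0.0.53 here), read the
    # upstream servers from the stub's status output instead of this file.
    try:
        with open("/etc/resolv.conf") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_RESOLV_CONF
    rogue = unapproved_resolvers(resolvers_from_resolv_conf(text))
    print("unapproved resolvers:", rogue or "none")
    print("unexpected answers:", unexpected_answers(resolve_live(EXPECTED_RANGES)) or "none")
```

Two caveats when running this against real networks. First, it only sees what the endpoint was actually handed: a client pinned to a DoH/DoT resolver ignores the router's DNS setting, so the resolver check should be run from a plain DHCP client on each network segment. Second, services behind CDNs rotate addresses, so the expectation table has to hold the provider's published ranges (or be refreshed from a trusted vantage point) rather than a single IP, or the alert will fire on legitimate changes.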
For SOHO Router Owners
```text
# Immediate checks:
# 1. Log in to your router admin panel
# 2. Navigate to WAN settings or Internet settings
# 3. Verify DNS server settings — should match your ISP's DNS or your chosen resolver
#    (e.g., 1.1.1.1 / 8.8.8.8 — NOT an unfamiliar IP)
# 4. Check for any admin account additions you did not create
# 5. Verify firmware version — update if outdated

# If DNS settings are unexpected:
# - Reset router to factory defaults
# - Apply latest firmware immediately
# - Change all admin credentials to strong unique passwords
# - Disable remote management if not required
```
APT28 in Context
APT28 (GRU Military Unit 26165) is one of Russia's most persistent and capable cyber espionage groups. The group has been responsible for:
- Operation Olympic Destroyer — destructive attack on the 2018 Winter Olympics
- DNC breach (2016) — election interference operations
- WADA hack — theft and leak of athlete medical records
- Ongoing Ukraine targeting — sustained campaign since 2022
The SOHO router DNS hijacking technique represents a maturation in APT28's operational tradecraft: by moving the attack upstream of the endpoint entirely, the group sidesteps the increasingly capable endpoint detection tools deployed by their targets. It is a reminder that network device security is as important as endpoint security in defending against nation-state adversaries.
Source: Dark Reading — Russia's Forest Blizzard Nabs Rafts of Logins Via SOHO Routers