Full Report
Forest Blizzard, a threat group attributed to Russia’s GRU, hijacked network traffic to steal credentials and tokens for Microsoft accounts and other services. The post Feds quash widespread Russia-backed espionage network spanning 18,000 devices appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Forest Blizzard
## Attribution & Identity
* **Primary Name:** Forest Blizzard
* **Aliases:** APT28, Fancy Bear
* **Associated Groups:** Russian Main Intelligence Directorate of the General Staff (GRU), specifically Military Unit 26165.
## Activity Summary
Operation Masquerade was a large-scale espionage campaign, neutralized in April 2026, in which more than 18,000 routers across 120 countries were compromised. Activity dates back at least to August, according to a linked UK NCSC report. The group built an expansive network of hijacked routers to redirect DNS traffic to malicious domains mimicking legitimate services, harvesting credentials and OAuth tokens from the users who landed there.
## Tactics, Techniques & Procedures
* **Exploitation of Edge Devices:** Exploiting known vulnerabilities in SOHO (Small Office/Home Office) routers to gain initial access.
* **DNS Hijacking:** Altering DNS settings on compromised routers to redirect traffic.
* **Adversary-in-the-Middle (AiTM):** Intercepting traffic between users and legitimate services.
* **Credential/Token Theft:** Stealing passwords, OAuth tokens, and Microsoft account credentials.
* **Typosquatting/Masquerading:** Creating domains that mimic legitimate services like Microsoft Outlook Web Access (OWA).
* **Opportunistic to Targeted Pivot:** Initial wide-scale exploitation of consumer devices followed by identifying and focusing on targets of high intelligence value.
## Targeting
* **Sectors:** Military, Government, Critical Infrastructure, IT, Telecom, Energy, and National Law Enforcement agencies.
* **Geography:** Global (120+ countries), with specific mentions of the United States (23+ states), Afghanistan, North Africa, Central America, Southeast Asia, and Europe.
* **Victims:** Over 200 organizations and 5,000 consumer devices; specific targets included an unnamed European national identity platform and various foreign affairs ministries.
## Tools & Infrastructure
* **Malware families used:** Unnamed tool for stealing Microsoft Office credentials (referenced via UK NCSC).
* **Infrastructure:**
  * **Hardware:** TP-Link and MikroTik routers used as proxy/hijacking nodes.
  * **Domains:** Malicious domains mimicking Microsoft Outlook Web Access (OWA).
* **Status:** Infrastructure communication has seen a "gradual decline" following the FBI's court-authorized disruption.
## Implications
This campaign demonstrates the GRU’s ability to weaponize consumer-grade hardware (SOHO routers) at a massive scale to create a global "masquerade" network. By controlling the DNS layer, the actor can bypass many traditional security perimeters, posing a grave national security threat to government communications and critical infrastructure by gaining persistent access to cloud-hosted content and sensitive internal accounts.
## Mitigations
* **Router Hardening:** Regularly update firmware on TP-Link, MikroTik, and other SOHO routers to patch known vulnerabilities.
* **DNS Security:** Implement DNS filtering and monitor for unauthorized changes to DNS settings on network devices.
* **Authentication:** Shift toward FIDO2-based multi-factor authentication (MFA) to resist session token theft and AiTM attacks, as traditional MFA can be bypassed by the TTPs described.
* **Traffic Monitoring:** Inspect network traffic for unauthorized redirects or connections to suspicious domains mimicking OWA or other internal portals.
* **Credential Resets:** For organizations suspecting compromise, reset credentials and revoke active OAuth tokens.
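The DNS Security and Traffic Monitoring mitigations above can be turned into a concrete check. The following is an added example, not code from the article or from any vendor: it scans DNS query log lines for two signals of this campaign, lookups answered by a resolver the organisation does not operate (a sign the router's DNS settings were altered) and queries for domains that imitate the OWA/Microsoft login portals. The log format, the approved resolver addresses and the portal list are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple

# Resolvers the organisation's routers should hand out (constructed, assumed values).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# Legitimate portal hostnames that masquerading domains are expected to mimic.
LEGIT_PORTALS = ["outlook.office.com", "login.microsoftonline.com"]

# Assumed log line shape: "... client=<ip> resolver=<ip> qname=<name>"
LOG_RE = re.compile(r"client=(\S+) resolver=(\S+) qname=(\S+)")

def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values mean a near-miss lookalike (typosquat)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(qname: str, max_dist: int = 2) -> Optional[str]:
    """Return the legitimate portal that qname imitates, or None for exact/unrelated names."""
    q = qname.rstrip(".").lower()
    if q in LEGIT_PORTALS:
        return None                              # the genuine name is not a finding
    norm = q.replace("-", ".")                   # 'outlook-office.com' ~ 'outlook.office.com'
    for legit in LEGIT_PORTALS:
        if levenshtein(norm, legit) <= max_dist or norm.startswith(legit + "."):
            return legit                         # near-miss, or legit name used as a subdomain prefix
    return None

def check_dns_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, finding, detail) for unapproved resolvers and lookalike lookups."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        client, resolver, qname = m.groups()
        if resolver not in APPROVED_RESOLVERS:
            findings.append((client, "unexpected-resolver", resolver))
        legit = lookalike_of(qname)
        if legit:
            findings.append((client, "lookalike-domain", f"{qname} ~ {legit}"))
    return findings

# Constructed sample: one clean lookup, one hijacked resolver, two lookalike domains.
SAMPLE_LOG = [
    "2026-04-01T10:00:00Z client=192.168.1.20 resolver=10.0.0.53 qname=outlook.office.com",
    "2026-04-01T10:00:05Z client=192.168.1.21 resolver=203.0.113.9 qname=outlook.office.com",
    "2026-04-01T10:00:09Z client=192.168.1.22 resolver=10.0.0.53 qname=outlook-office.com",
    "2026-04-01T10:00:12Z client=192.168.1.23 resolver=10.0.0.53 qname=login.microsoftonline.com.example.net",
]
```

Run `check_dns_log(SAMPLE_LOG)` to see the three findings; in practice the approved-resolver set should be whatever DHCP is configured to hand out, so any other value points at a router whose settings were changed.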