Russian Military Hackers Target Home and Office Routers

A sophisticated DNS hijacking campaign linked to the Russian military has compromised more than 5,000 consumer devices and over 200 organizations, according to new reporting from cybersecurity researchers. The threat actor behind the attacks, known as Forest Blizzard (also tracked as APT28 or Strontium), has ties to Russian military intelligence and has been active in high-profile intrusions for years.

The attack method is straightforward but highly effective. Rather than targeting individual computers or phones directly, the group modifies DNS settings on home and small-office routers. Once a router is compromised, every device connected to it (laptops, phones, smart TVs, work computers) becomes a potential target.

How DNS Hijacking Actually Works

DNS, or Domain Name System, is sometimes described as the internet's phone book. When you type a website address into your browser, your device queries a DNS server to find the numerical IP address it needs to connect. Under normal circumstances, that query goes to a trusted DNS server, often one provided by your internet service provider.

When attackers modify a router's DNS configuration, they redirect those queries to servers they control. From there, they can see exactly which sites you're trying to visit and, in some cases, intercept the actual traffic. The researchers found that this method allowed Forest Blizzard to capture plaintext data including emails and login credentials from devices connected to the compromised routers.

This is particularly concerning because many users assume their communications are protected simply because they use HTTPS websites or encrypted email services. But when DNS is hijacked at the router level, attackers gain visibility into traffic flows and can, under certain conditions, strip away that protection.

Who Is Forest Blizzard?

Forest Blizzard, also known by the aliases APT28 and Strontium, is widely attributed to Russia's GRU military intelligence agency. The group has been tied to attacks on government agencies, defense contractors, political organizations, and critical infrastructure across Europe and North America.

This campaign represents a shift in tactics toward consumer-grade infrastructure. Home and small-office routers are frequently overlooked from a security standpoint. They rarely receive firmware updates, often run on default credentials, and are not typically monitored by IT security teams. That makes them attractive entry points for a group looking to intercept communications at scale.

Compromising routers also allows attackers to maintain persistent access. Even if malware is removed from an individual device, a compromised router continues to redirect traffic until the router itself is cleaned and reconfigured.

What This Means For You

If you use a standard home or small-office router, this campaign is directly relevant to you, even if you are not a government employee or a likely espionage target. The scale of the attack, more than 5,000 consumer devices, suggests that targeting is broad rather than surgical.

There are several practical steps worth taking in response to this news.

Check your router's DNS settings. Log into your router's admin panel (typically at 192.168.1.1 or 192.168.0.1) and verify that the DNS servers listed are ones you recognize and trust. If you see unfamiliar IP addresses and did not set them yourself, that is a red flag.

Update your router's firmware. Router manufacturers periodically release firmware updates that patch security vulnerabilities. Many routers have an option to check for updates directly in the admin panel. If your router is several years old and the manufacturer no longer supports it, consider replacing it.

Change your router's default admin password. Default credentials are widely published and are among the first things attackers try. A strong, unique password for your router's admin interface significantly raises the barrier to entry.

Use a VPN with DNS leak protection. A VPN routes your traffic, including DNS queries, through an encrypted tunnel to servers outside your local network. Even if your router's DNS has been tampered with, a VPN with proper DNS leak protection ensures that your queries are resolved by the VPN provider's servers rather than an attacker's. This does not make a compromised router safe, but it significantly limits what an attacker can observe or intercept.

Consider using encrypted DNS independently. Services that support DNS over HTTPS (DoH) or DNS over TLS (DoT) encrypt your DNS queries even without a VPN, making them harder to intercept or redirect.
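A small audit script, added here as an example and not part of the original article, that applies the first check above and the follow-up test a practitioner would run next: it classifies each DNS server read from a router's settings as local, trusted or unknown, and flags a resolver whose answers for a domain disagree with a trusted resolver's. The server list, trusted set and answer sets are constructed sample data; 203.0.113.45 is a documentation-range placeholder standing in for an unfamiliar resolver.

```python
import ipaddress

# Constructed sample: the DNS servers shown in a router's admin panel / DHCP lease.
ROUTER_DNS_SERVERS = ["192.168.1.1", "8.8.8.8", "203.0.113.45", "not-an-ip"]

# Public resolvers the owner recognises. Extend with your ISP's resolvers.
TRUSTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Address ranges that mean "a device on my own LAN" (RFC 1918, loopback, link-local).
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def classify_resolver(addr: str, trusted=TRUSTED_RESOLVERS) -> str:
    """Return 'local', 'trusted', 'unknown' or 'invalid' for one configured DNS server."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if any(ip in net for net in LAN_NETWORKS):
        # Usually the router itself forwarding queries upstream. The campaign described
        # above changes the router's *upstream* DNS, so check that setting too.
        return "local"
    if addr in trusted:
        return "trusted"
    return "unknown"   # a public address you did not choose: investigate


def audit_router_dns(servers, trusted=TRUSTED_RESOLVERS):
    """Return the configured resolvers that deserve a closer look."""
    return [s for s in servers if classify_resolver(s, trusted) in ("unknown", "invalid")]


def answers_diverge(trusted_answer: set, observed_answer: set) -> bool:
    """True when the router's resolver returns addresses for a domain that share nothing
    with a trusted resolver's answer for the same name. Both inputs are sets of IP strings
    from two lookups of one domain. CDNs can legitimately return different addresses from
    different resolvers, so treat this as a signal to dig further, not as proof."""
    if not trusted_answer or not observed_answer:
        return False
    return trusted_answer.isdisjoint(observed_answer)


if __name__ == "__main__":
    for s in ROUTER_DNS_SERVERS:
        print(f"{s:>16}  {classify_resolver(s)}")
    print("flagged:", audit_router_dns(ROUTER_DNS_SERVERS))
```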

The Forest Blizzard campaign is a reminder that network security starts at the router. The devices that connect your home or office to the internet deserve the same attention as the computers and phones on your desk. Keeping them updated, properly configured, and monitored is not optional; it is the foundation on which everything else rests. If you have not reviewed your router settings recently, now is a good time to start.