Forest Blizzard's Router Espionage: How Russia Built an 18,000-Device Surveillance Network Without Malware
A deep dive into the technical mechanics of APT28's DNS hijacking campaign: how compromised SOHO routers became a passive intelligence collection infrastructur…
Published on MyPrivateClaw
Apr 8, 2026, 8:58 AM UTC
Coverage date
Apr 8, 2026
Last updated
Apr 8, 2026, 12:59 PM UTC
News summary
The Architecture of Passive Surveillance

When Russia's Forest Blizzard (APT28) wanted to spy on government ministries, law enforcement agencies, and enterprise Microsoft 365 environments, they didn't need sophisticated zero-days or custom malware. They needed a router with outdated firmware and a DNS server they controlled. Krebs on Security and Black Lotus Labs have published a detailed technical breakdown of how the GRU-linked threat actor built a passive surveillance infrastructure spanning 18,000 compromised SOHO devices, primarily end-of-life MikroTik and TP-Link routers, without installing a single piece of malware on any of them.

The DNS Interception Mechanism

The attack exploits a fundamental property of how OAuth authentication works. When a user logs into Microsoft Office 365 or Outlook on the Web, their browser completes multi-factor authentication and then receives an OAut…