National Cyber Security Centre Warning Deepens as SOHO Router Compromise Hits 5,000 Devices

The latest National Cyber Security Centre warning arrives with an unusual twist: the weak point is not only the target network, but the small router sitting at the edge of it. In a campaign tied to Russian military intelligence, compromised home and small-office devices were used to alter DNS requests and build a covert platform for surveillance. The scale matters. More than 200 organizations and 5,000 consumer devices were affected by malicious DNS infrastructure, turning an ordinary connectivity layer into an intelligence tool.
Why this matters right now
The immediate concern is that the campaign does not depend on breaching a well-defended corporate core first. Instead, it exploits insecure SOHO equipment that often receives less monitoring and management. That makes the National Cyber Security Centre warning especially relevant for remote and hybrid work setups, where home and small-office devices can sit upstream of larger targets. Microsoft Threat Intelligence says the actor behind the activity, Forest Blizzard, which is linked to Russian military intelligence, and its sub-group Storm-2754 have been exploiting vulnerable devices since at least August 2025.
That timing matters because it suggests a sustained operation rather than a one-off intrusion. By hijacking DNS, the actor can gain persistent, passive visibility and reconnaissance at scale. The method also creates a bridge into enterprise environments through assets that may not be governed with the same controls as internal systems. In practical terms, that means a device intended to route traffic can become part of the attack infrastructure itself.
How the compromise works
The core technique described in the campaign is simple in concept but serious in effect: Forest Blizzard compromises insecure routers, then changes their settings so they begin handling traffic in a way that benefits the attacker. Once those settings are altered, the devices can be used to hide malicious activity behind legitimate infrastructure and to support follow-on operations.
This is where the National Cyber Security Centre warning intersects with the technical risk. DNS hijacking allows an attacker to redirect or observe traffic in ways that are difficult to notice without strong monitoring. Microsoft says the campaign has also supported adversary-in-the-middle attacks on Transport Layer Security connections against Microsoft Outlook on the web domains. That opens the door to interception of cloud-hosted content, including activity affecting government, information technology, telecommunications, and energy sectors.
The broader implication is that a compromise at the network edge can undermine trust in what should be routine connections. Microsoft Threat Intelligence assesses that the threat actor’s broad access could enable larger-scale adversary-in-the-middle attacks, including active traffic interception, even though the currently targeted organizations represent only a subset of the networks with vulnerable SOHO devices.
What experts are warning defenders to watch
Microsoft Threat Intelligence says it is sharing the campaign details to increase awareness of risks tied to insecure home and small-office internet routing devices and to provide tools for mitigation, detection, and hunting. Its analysis emphasizes that unmanaged SOHO devices, especially those used by remote and hybrid employees, can expose cloud access and sensitive data even when enterprise environments and cloud services remain secure.
That point is central to the National Cyber Security Centre warning because the risk is not limited to a single compromised endpoint. It extends to the infrastructure that shapes how traffic reaches the cloud. Microsoft also says telemetry did not indicate compromise of Microsoft-owned assets or services, which helps narrow the scope of what was directly affected, but does not reduce the operational value of the campaign for the threat actor.
Forest Blizzard’s behavior also fits its wider intelligence-collection role in support of Russian government foreign policy initiatives. The campaign shows how an actor can leverage ordinary network devices to sustain access, collect traffic, and potentially support additional intrusions without needing to overrun the primary target immediately.
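The hijack described above has one concrete observable a defender can hunt for: a SOHO device that starts handing clients a DNS resolver the organization does not control, and names that consequently resolve to addresses a trusted resolver never returns. The following is an added example written for this article, not code from NCSC, Microsoft, or any vendor. It assumes a management poll that returns each router's configured and DHCP-advertised resolvers (a hypothetical `RouterSnapshot` shape), an organization resolver allow-list, and two sets of DNS answers for the same names: one seen through the router and one from an independently trusted path. All addresses and names are constructed from documentation ranges.

```python
"""Hunting helpers for the SOHO DNS-hijack scenario (added example, not
NCSC's or Microsoft's code). All inputs below are constructed: the router
snapshot, the allow-list, and the resolver answers use RFC 5737 / RFC 3849
documentation addresses and .example names."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Resolvers the organization expects its managed SOHO devices to use and to
# advertise to clients via DHCP (hypothetical allow-list; replace with your own).
EXPECTED_RESOLVERS = {
    ip_network("192.0.2.0/24"),   # constructed: on-prem / VPN resolvers
    ip_network("2001:db8::/32"),  # constructed: IPv6 equivalent
}


@dataclass
class RouterSnapshot:
    """What a management poll of one SOHO device reported (hypothetical shape)."""
    device_id: str
    dns_servers: list[str]                              # resolvers the router itself uses
    dhcp_dns_option: list[str] = field(default_factory=list)  # resolvers pushed to LAN clients


def unexpected_resolvers(snapshot: RouterSnapshot) -> list[str]:
    """Return every configured or advertised resolver outside the allow-list.

    A router that silently points clients at a resolver the organization does
    not control is the core observable of the hijack described in the article.
    Duplicates are collapsed, order of first appearance is kept.
    """
    bad: list[str] = []
    for addr in snapshot.dns_servers + snapshot.dhcp_dns_option:
        ip = ip_address(addr)
        # ip_network.__contains__ returns False across IPv4/IPv6, so mixed lists are safe.
        if not any(ip in net for net in EXPECTED_RESOLVERS) and addr not in bad:
            bad.append(addr)
    return bad


def divergent_answers(observed: dict[str, set[str]],
                      reference: dict[str, set[str]]) -> dict[str, set[str]]:
    """Compare answers seen through the device resolver with a trusted reference.

    `observed` maps name -> set of A/AAAA strings returned via the router;
    `reference` maps name -> set returned by an independently trusted resolver
    (for example queried over a VPN or DoH path). A name is reported with the
    addresses that appear only in the observed set. Differences alone are not
    proof (CDNs rotate answers), so treat the result as a hunting lead.
    """
    findings: dict[str, set[str]] = {}
    for name, seen in observed.items():
        extra = seen - reference.get(name, set())
        if extra:
            findings[name] = extra
    return findings


def triage(snapshot: RouterSnapshot,
           observed: dict[str, set[str]],
           reference: dict[str, set[str]]) -> dict:
    """Combine both signals into one per-device verdict for an analyst queue."""
    resolver_hits = unexpected_resolvers(snapshot)
    answer_hits = divergent_answers(observed, reference)
    if resolver_hits and answer_hits:
        severity = "high"      # foreign resolver AND its answers diverge
    elif resolver_hits or answer_hits:
        severity = "medium"    # one signal only; needs a second look
    else:
        severity = "none"
    return {"device": snapshot.device_id, "severity": severity,
            "unexpected_resolvers": resolver_hits,
            "divergent_answers": answer_hits}


# Constructed sample data: one device whose DHCP option now advertises a
# resolver outside the allow-list, and whose webmail answer no longer matches.
SAMPLE_ROUTER = RouterSnapshot(
    device_id="soho-home-042",
    dns_servers=["192.0.2.53", "203.0.113.7"],   # second address is not allow-listed
    dhcp_dns_option=["203.0.113.7"],
)
SAMPLE_OBSERVED = {
    "webmail.example": {"198.51.100.20"},    # constructed: seen via the router
    "intranet.example": {"192.0.2.10"},
}
SAMPLE_REFERENCE = {
    "webmail.example": {"198.51.100.10", "198.51.100.11"},  # constructed: trusted path
    "intranet.example": {"192.0.2.10"},
}
CLEAN_ROUTER = RouterSnapshot("soho-home-001", ["192.0.2.53"], ["192.0.2.53"])

if __name__ == "__main__":
    print(triage(SAMPLE_ROUTER, SAMPLE_OBSERVED, SAMPLE_REFERENCE))
    print(triage(CLEAN_ROUTER, SAMPLE_REFERENCE, SAMPLE_REFERENCE))
```

Both checks are deliberately cheap, so they can run against every polled device on a schedule; the resolver check alone is enough to raise a ticket, and the answer comparison gives the analyst a second, independent signal before anyone touches the device. Feeding the same comparison a TLS certificate fingerprint seen through the router versus one seen over the trusted path would extend the idea to the adversary-in-the-middle case the article mentions.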
Regional and global impact
Although the affected devices and organizations are spread across multiple sectors, the consequences are especially sharp for institutions that depend on cloud access and distributed workforces. The same setup that enables flexibility for employees can widen the attack surface if home routers and small-office devices are left insecure. The National Cyber Security Centre warning therefore speaks to a broader structural issue: the boundary between personal infrastructure and organizational security has become much thinner.
Globally, the campaign reinforces a pattern in which state-linked actors seek persistence by exploiting overlooked infrastructure rather than only the most heavily defended systems. That approach can scale quickly, and it can remain hidden long enough to support reconnaissance and interception before defenders notice abnormal traffic behavior.
The key question now is whether organizations will treat edge devices with the same urgency they already give to endpoint and cloud defenses, or whether this campaign will become another reminder that the weakest router can still decide how secure the whole network really is.