And You Still Think a Free Router Is Fine for Your Business?
I've been saying it for years. I said it when I wrote about the hidden dangers of consumer-grade routers in business networks.
I've said it every time a client proudly told me their ISP threw in a "free router" with their internet plan.
And I'm saying it again now, because this week the stakes just got a whole lot harder to ignore.
Russian military intelligence is actively compromising your router right now. Not metaphorically. Not theoretically. Right now.
This Isn't Paranoia - It's Documented!
This week (6 April 2026), Microsoft Threat Intelligence and the UK's National Cyber Security Centre (NCSC) confirmed what security professionals have long feared: a large-scale, active campaign by Forest Blizzard — also known as APT28 and Strontium — is systematically targeting home and small office routers across the globe. Forest Blizzard is directly linked to Russia's military intelligence arm, the GRU, and has been operational since at least August 2025.
The numbers are damning. Over 200 organisations and more than 5,000 consumer devices are already confirmed compromised. The targets span government, telecommunications, energy, and information technology sectors — but the entry point is almost always the same: an unmanaged, under-secured SOHO (small office/home office) router sitting quietly under a desk or on a shelf, doing its job, and doing it wide open.
Here's Exactly How They Get In
The attack is elegant in its simplicity ("brilliant" is probably the wrong word for something this malicious), and that's exactly what makes it so dangerous.
Forest Blizzard and their sub-group Storm-2754 gain access to vulnerable routers — specifically models like the TP-Link WR841N and MikroTik devices — by exploiting known, publicly documented vulnerabilities. In the TP-Link case, they're leveraging CVE-2023-50224, an authentication bypass flaw that allows an attacker to extract stored credentials without ever needing a password.
Once inside, they don't just lurk. They modify the router's DNS configuration, replacing the legitimate DNS resolver with one they control. Here's why that's catastrophic:
- Every device on your network — laptops, phones, tablets, desktops — inherits DNS settings from the router via DHCP
- Every one of those devices silently starts routing its DNS queries to Russian intelligence-controlled servers
- The attacker then serves spoofed IP addresses, directing your staff to actor-controlled infrastructure disguised as legitimate Microsoft services
- Your staff initiates a TLS connection thinking they're logging into Outlook or SharePoint — and the attackers harvest passwords, authentication tokens, and emails in real time
This is what the industry calls an Actor-in-the-Middle (AitM) attack, and it bypasses most conventional endpoint security because the compromise happens at the network layer — before your antivirus or EDR tools ever see a single packet.
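The two checks a defender can run against exactly this technique, as an added example that is not part of the original post: first, do the resolvers your DHCP lease hands out match the ones you configured; second, does the DHCP-assigned resolver return the same addresses for Microsoft sign-in hosts as a trusted resolver you control. The lease text and all IP addresses below are constructed sample data in RFC 5737 documentation ranges, and the resolver functions are stand-ins for real lookups.

```python
import re
from typing import Callable

# Hostnames whose spoofed resolution would hand an AitM proxy your staff's M365 sign-ins.
WATCHED_HOSTS = ["login.microsoftonline.com", "outlook.office365.com"]
LEASE_RE = re.compile(r"option domain-name-servers ([^;]+);")

def resolvers_from_lease(lease_text: str) -> list[str]:
    """Extract the DNS servers the router's DHCP server pushed (dhclient lease syntax)."""
    found: list[str] = []
    for m in LEASE_RE.finditer(lease_text):
        found.extend(s.strip() for s in m.group(1).split(","))
    return found

def check_pushed_resolvers(pushed: list[str], expected: set[str]) -> list[str]:
    """Flag any DHCP-assigned resolver that is not one you configured."""
    return [f"unexpected DHCP resolver {r}" for r in pushed if r not in expected]

def check_answers(via_dhcp: Callable[[str], set[str]],
                  via_trusted: Callable[[str], set[str]]) -> list[str]:
    """Compare A records for the watched hosts between the DHCP-assigned resolver and a
    trusted resolver you control (for example over DNS-over-HTTPS). Geo-DNS makes answers
    differ legitimately, so only answer sets with no address in common are flagged. This
    also catches a router that still advertises itself as the LAN resolver but forwards
    to an attacker's upstream, which the lease check alone would miss."""
    findings: list[str] = []
    for host in WATCHED_HOSTS:
        dhcp_ans, trusted_ans = via_dhcp(host), via_trusted(host)
        if dhcp_ans.isdisjoint(trusted_ans):
            findings.append(f"{host}: DHCP resolver says {sorted(dhcp_ans)}, "
                            f"trusted resolver says {sorted(trusted_ans)}")
    return findings

# Constructed sample data in RFC 5737 documentation ranges, not real records: the lease
# pushes a resolver nobody configured, and that resolver steers the login host elsewhere.
SAMPLE_LEASE = """lease {
  option routers 192.168.1.1;
  option domain-name-servers 203.0.113.77;
}"""
DHCP_ANSWERS = {"login.microsoftonline.com": {"203.0.113.50"},
                "outlook.office365.com": {"198.51.100.20"}}
TRUSTED_ANSWERS = {"login.microsoftonline.com": {"198.51.100.10", "198.51.100.11"},
                   "outlook.office365.com": {"198.51.100.20", "198.51.100.21"}}

def run_demo() -> list[str]:
    """Run both checks over the constructed sample and return the findings."""
    findings = check_pushed_resolvers(resolvers_from_lease(SAMPLE_LEASE), {"192.168.1.1"})
    findings += check_answers(lambda h: DHCP_ANSWERS[h], lambda h: TRUSTED_ANSWERS[h])
    return findings
```

In a real deployment the two lambdas would be replaced by a lookup against the DHCP-assigned resolver and a DoH lookup against your own resolver, and the script would run from a scheduled job on each remote worker's machine so a silent DNS change on the home router raises an alert.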
The "Free Router" Is the Trojan Horse
You've probably heard the saying "no such thing as a free lunch".
Let me be direct: ISP-supplied routers are designed to be cheap, deployed at scale, and managed by the ISP — not by you. They run locked firmware you can't easily update. They're slow to receive patches, if they receive them at all. And when a vulnerability like CVE-2023-50224 gets published, the patch timeline on those devices is anyone's guess.
Forest Blizzard doesn't need a zero-day exploit. They don't need sophisticated malware. They just need a router that hasn't been patched, hasn't had its default credentials changed, and has no active monitoring — which describes the vast majority of ISP-supplied and consumer-grade devices sitting inside Australian businesses today.
The Australian Signals Directorate (ASD) has flagged this risk explicitly, noting that across Australia there are approximately 8.3 million residential internet connections relying on home and small office routers. Every one of those that sits inside a business environment is a potential entry point.
Your Remote Workers Just Became Your Biggest Attack Surface
This campaign specifically targets remote and hybrid environments. Think about that. Your staff working from home — connecting to your cloud systems, your Microsoft 365 tenant, your line-of-business applications — are doing so through routers you have no visibility into, no control over, and no ability to patch or monitor.
Microsoft's advisory is unambiguous: "Organisations should treat unmanaged SOHO devices used by remote and hybrid employees as a viable attack surface — because for Forest Blizzard, they already are."
If your remote workers are using ISP-supplied routers at home, you are exposed. Full stop. End of story.
What a Business-Grade Network Actually Looks Like
This is where I'd rather focus, because the solution is not complicated — it just requires commitment, an understanding of risk management and the right partner.
At Microsolve, we deploy managed internet connectivity backed by Fortinet next-generation firewalls at every site. Fortinet's FortiGate platform gives us — and by extension, you — the ability to:
- Control DNS at the network level, preventing hijacking before it reaches a single endpoint
- Monitor and enforce routing policy across every site from a single pane of glass
- Deploy SD-WAN and encrypted site-to-site VPNs so your traffic never traverses untrusted infrastructure
- Apply firmware and security policy updates proactively, not reactively
- Generate alerts when configuration changes occur — the exact type of change Forest Blizzard makes silently on compromised routers
This isn't some hypothetical capability from marketing blurb. It's what we do every day for businesses across Sydney, Wollongong, the Central Coast, and Newcastle. A Fortinet-secured network managed by Microsolve doesn't just protect against today's threat — it builds the foundation that makes tomorrow's threat significantly harder to execute.
Cybersecurity Is a Mindset, Not a Single Product
Swapping your router for a business-grade firewall is the right move, but it's one layer of a broader strategy. Our cybersecurity services include Essential Eight compliance, vCISO advisory, patch management, and multi-factor authentication — all the controls that make your organisation a harder, less attractive target.
We also help you think about your network from a Zero Trust perspective — where no device, user, or connection is implicitly trusted, and every access request is verified. In a world where Russian state intelligence is sitting inside unmanaged routers, Zero Trust isn't a luxury. It's the baseline.
If you manage multiple sites, our managed network solutions give you full visibility, configuration management, proactive firmware patching, and carrier-grade redundancy across your entire environment. We handle the complexity so your team doesn't have to.
The Real Cost of "Free"
I hear the objection. "We're a small business. We're not a government agency. Why would Russian intelligence bother with us?"
They already answered that. The campaign is opportunistic and financially based. Forest Blizzard casts a wide net across thousands of devices, then filters down to the targets with the highest intelligence value. You don't need to be a defence contractor to end up in that net. You just need to be running a vulnerable router — and if you're running whatever your ISP handed you, there's a real chance you already are.
The free router your ISP gave you isn't costing you nothing. It's costing you visibility, control, and potentially your business's data, credentials, and reputation. I've seen the aftermath of network compromises firsthand. It is never cheap. It is never quick. And it is almost always avoidable.
If you want to talk about what a properly secured network looks like for your business, get in touch with the Microsolve team. We'll tell you exactly what you need — and exactly what you don't.