I've been saying it for years. I said it when I wrote about the hidden dangers of consumer-grade routers in business networks.
I've said it every time a client proudly told me their ISP threw in a "free router" with their internet plan.
And I'm saying it again now, because this week the stakes just got a whole lot harder to ignore.
Russian military intelligence is actively compromising your router right now. Not metaphorically. Not theoretically. Right now.
This week (6 April 2026), Microsoft Threat Intelligence and the UK's National Cyber Security Centre (NCSC) confirmed what security professionals have long feared: a large-scale, active campaign by Forest Blizzard — also known as APT28 and Strontium — is systematically targeting home and small office routers across the globe. Forest Blizzard is directly linked to Russia's military intelligence arm, the GRU, and has been operational since at least August 2025.
The numbers are damning. Over 200 organisations and more than 5,000 consumer devices are already confirmed compromised. The targets span government, telecommunications, energy, and information technology sectors — but the entry point is almost always the same: an unmanaged, under-secured SOHO (small office/home office) router sitting quietly under a desk or on a shelf, doing its job, and doing it wide open.
The attack is elegant in its simplicity ("brilliant" is probably the wrong word for something this damaging), and that simplicity is exactly what makes it so dangerous.
Forest Blizzard and their sub-group Storm-2754 gain access to vulnerable routers — specifically models like the TP-Link WR841N and MikroTik devices — by exploiting known, publicly documented vulnerabilities. In the TP-Link case, they're leveraging CVE-2023-50224, an authentication bypass flaw that allows an attacker to extract stored credentials without ever needing a password.
Once inside, they don't just lurk. They modify the router's DNS configuration, replacing the legitimate DNS resolver with one they control. That is catastrophic because every name lookup from every device behind that router now passes through infrastructure the attacker runs, so the attacker decides which server each device actually reaches.
This is what the industry calls an Actor-in-the-Middle (AitM) attack, and it bypasses most conventional endpoint security because the compromise happens at the network layer — before your antivirus or EDR tools ever see a single packet.
You've probably heard the saying "no such thing as a free lunch".
Let me be direct: ISP-supplied routers are designed to be cheap, deployed at scale, and managed by the ISP — not by you. They run locked firmware you can't easily update. They're slow to receive patches, if they receive them at all. And when a vulnerability like CVE-2023-50224 gets published, the patch timeline on those devices is anyone's guess.
Forest Blizzard doesn't need a zero-day exploit. They don't need sophisticated malware. They just need a router that hasn't been patched, hasn't had its default credentials changed, and has no active monitoring — which describes the vast majority of ISP-supplied and consumer-grade devices sitting inside Australian businesses today.
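As an added example (not code from Microsolve, Microsoft or the NCSC), the following Python audit checks a snapshot of a router's state for the conditions described in this post: a DNS resolver that is not one the organisation sanctions (the post-compromise DNS rewrite described earlier), firmware behind the vendor's current release, a factory-default admin password, and a management interface exposed to the WAN. It also compares the answers a trusted resolver gives with those obtained through the router, which is the simplest way to notice a tampered resolver from inside the network. The model name, version strings, IP addresses and domains are all constructed, and the allowlist of sanctioned resolvers is an assumption.

```python
# Added defender-side example: audit a SOHO router snapshot for the risk
# conditions discussed in the post. All sample values are constructed.
from __future__ import annotations

from dataclasses import dataclass
import ipaddress
import re

# Resolvers the organisation has sanctioned (constructed allowlist; Quad9 and
# Cloudflare addresses are used here only as well-known public resolvers).
EXPECTED_RESOLVERS = {"9.9.9.9", "149.112.112.112", "1.1.1.1", "1.0.0.1"}


@dataclass
class RouterSnapshot:
    """What an admin can read off the device's status page or config export."""
    model: str
    firmware: str                   # installed version string
    latest_firmware: str            # vendor's current release for this model (assumed known)
    dns_servers: list[str]          # resolvers the router uses and hands out via DHCP
    admin_password_is_default: bool
    wan_admin_enabled: bool         # management interface reachable from the internet


def _version_tuple(version: str) -> tuple[int, ...]:
    """Reduce a vendor version string to its numeric parts, e.g.
    '3.16.9 Build 200409' -> (3, 16, 9, 200409), so tuples compare in order."""
    parts = tuple(int(x) for x in re.findall(r"\d+", version))
    if not parts:
        raise ValueError(f"unrecognised version string {version!r}")
    return parts


def firmware_is_current(installed: str, latest: str) -> bool:
    return _version_tuple(installed) >= _version_tuple(latest)


def unexpected_resolvers(dns_servers: list[str], allowlist=EXPECTED_RESOLVERS) -> list[str]:
    """Every configured resolver that is not on the allowlist. Entries that do not
    parse as IP addresses are reported too: a tampered config is itself a signal."""
    bad = []
    for entry in dns_servers:
        try:
            ip = ipaddress.ip_address(entry.strip())
        except ValueError:
            bad.append(entry)
            continue
        if str(ip) not in allowlist:
            bad.append(str(ip))
    return bad


def divergent_answers(trusted: dict[str, set[str]], via_router: dict[str, set[str]]) -> list[str]:
    """Domains where the router's resolver returned a different answer set than a
    trusted resolver queried directly. A domain missing from via_router diverges too."""
    return sorted(d for d in trusted if via_router.get(d, set()) != trusted[d])


def audit(snapshot: RouterSnapshot) -> list[str]:
    """Human-readable findings, in a fixed order, for the conditions in the post."""
    findings = []
    if not firmware_is_current(snapshot.firmware, snapshot.latest_firmware):
        findings.append(f"firmware {snapshot.firmware} is behind {snapshot.latest_firmware}")
    if snapshot.admin_password_is_default:
        findings.append("admin password is still the factory default")
    if snapshot.wan_admin_enabled:
        findings.append("management interface is reachable from the WAN")
    for resolver in unexpected_resolvers(snapshot.dns_servers):
        findings.append(f"DNS resolver {resolver} is not on the sanctioned list")
    return findings


# Constructed sample: an unpatched, default-credential router whose DNS has been
# rewritten. 203.0.113.0/24 and 198.51.100.0/24 are documentation address space.
SAMPLE = RouterSnapshot(
    model="TP-Link WR841N",
    firmware="3.16.9 Build 200409",          # constructed, not a real release
    latest_firmware="3.16.9 Build 240101",   # constructed placeholder
    dns_servers=["203.0.113.53", "9.9.9.9"],
    admin_password_is_default=True,
    wan_admin_enabled=True,
)

# Constructed lookups: the same two names resolved via a trusted resolver and via
# the router. The portal answer differs, which is what a tampered resolver looks like.
TRUSTED_ANSWERS = {"portal.example": {"198.51.100.10"}, "mail.example": {"198.51.100.25"}}
ROUTER_ANSWERS = {"portal.example": {"203.0.113.80"}, "mail.example": {"198.51.100.25"}}

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print("FINDING:", line)
    for domain in divergent_answers(TRUSTED_ANSWERS, ROUTER_ANSWERS):
        print("DNS ANSWER DIVERGES:", domain)
```

In practice the snapshot is filled from the router's status page or configuration export, and the answer comparison is fed with lookups made directly against a trusted resolver and against the router's own resolver from a machine behind it; any divergence on a domain you care about is worth treating as an incident until explained.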
The Australian Signals Directorate (ASD) has flagged this risk explicitly, noting that across Australia there are approximately 8.3 million residential internet connections relying on home and small office routers. Every one of those that sits inside a business environment is a potential entry point.
This campaign specifically targets remote and hybrid environments. Think about that. Your staff working from home — connecting to your cloud systems, your Microsoft 365 tenant, your line-of-business applications — are doing so through routers you have no visibility into, no control over, and no ability to patch or monitor.
Microsoft's advisory is unambiguous: "Organisations should treat unmanaged SOHO devices used by remote and hybrid employees as a viable attack surface — because for Forest Blizzard, they already are."
If your remote workers are using ISP-supplied routers at home, you are exposed. Full stop. End of story.
This is where I'd rather focus, because the solution is not complicated — it just requires commitment, an understanding of risk management and the right partner.
At Microsolve, we deploy managed internet connectivity backed by Fortinet next-generation firewalls at every site. Fortinet's FortiGate platform gives us — and by extension, you — the visibility, control and patching capability that an ISP-supplied router never will.
This isn't some hypothetical capability from marketing blurb. It's what we do every day for businesses across Sydney, Wollongong, the Central Coast, and Newcastle. A Fortinet-secured network managed by Microsolve doesn't just protect against today's threat — it builds the foundation that makes tomorrow's threat significantly harder to execute.
Swapping your router for a business-grade firewall is the right move, but it's one layer of a broader strategy. Our cybersecurity services include Essential Eight compliance, vCISO advisory, patch management, and multi-factor authentication — all the controls that make your organisation a harder, less attractive target.
We also help you think about your network from a Zero Trust perspective — where no device, user, or connection is implicitly trusted, and every access request is verified. In a world where Russian state intelligence is sitting inside unmanaged routers, Zero Trust isn't a luxury. It's the baseline.
If you manage multiple sites, our managed network solutions give you full visibility, configuration management, proactive firmware patching, and carrier-grade redundancy across your entire environment. We handle the complexity so your team doesn't have to.
I hear the objection. "We're a small business. We're not a government agency. Why would Russian intelligence bother with us?"
They already answered that. The campaign is opportunistic and financially based. Forest Blizzard casts a wide net across thousands of devices, then filters down to the targets with the highest intelligence value. You don't need to be a defence contractor to end up in that net. You just need to be running a vulnerable router — and if you're running whatever your ISP handed you, there's a real chance you already are.
The free router your ISP gave you isn't costing you nothing. It's costing you visibility, control, and potentially your business's data, credentials, and reputation. I've seen the aftermath of network compromises firsthand. It is never cheap. It is never quick. And it is almost always avoidable.
If you want to talk about what a properly secured network looks like for your business, get in touch with the Microsolve team. We'll tell you exactly what you need — and exactly what you don't.