Key developments
Russia-linked hackers hijack routers for Microsoft tokens
Microsoft said Forest Blizzard, also known as APT28 and Fancy Bear, used known flaws in mostly end-of-life MikroTik and TP-Link SOHO routers to alter DNS settings and route traffic through attacker-controlled servers. Lumen's Black Lotus Labs said the campaign peaked in December 2025 and touched more than 18,000 routers, while Microsoft said more than 200 organizations and 5,000 consumer devices were caught up. The attackers used the DNS hijack to intercept OAuth tokens after login and MFA, enabling adversary-in-the-middle attacks against Outlook on the web.
Why it matters
It shows a state-backed group can bypass MFA at scale by turning vulnerable routers into token-harvesting infrastructure.
Sources & driving stories
KREBS ON SECURITY · Brian Krebs
Krebs on Security coverage
Hong Kong expands compelled device access
A March 26 U.S. Consulate alert, cited by Schneier on Security, said Hong Kong authorities changed National Security Law enforcement rules on March 23. Police can now require passwords or other assistance to access phones and laptops, including during airport transit, and refusal is a criminal offense. The revised powers also allow authorities to seize and retain personal devices if they are claimed to be linked to national security offenses.
Why it matters
The change materially broadens state access to encrypted personal data and raises the stakes for device security and travel privacy.
Sources & driving stories
SCHNEIER ON SECURITY · Bruce Schneier
Schneier on Security coverage
Toronto neighborhood debates AI license-plate cameras
Residents in Toronto's Rosedale neighborhood are debating a subscription-based 'virtual gated community' plan that would fund cameras scanning passing vehicles' license plates. The proposal, floated by security operator Craig Campbell, would charge about 100 residents C$200 a month and use Flock's AI to distinguish resident vehicles from suspicious ones, retain plate data for 30 days, and limit police access to cases with legal authorization. Critics raised concerns about bias, profiling, retention, and compliance with Canada's privacy law.
Why it matters
It is a concrete example of neighborhood-scale AI surveillance moving from concept to proposed deployment, with explicit privacy and data-retention tradeoffs.
Sources & driving stories
THE GUARDIAN
The Guardian coverage
Worth noting
WORTH NOTING
GAO flags AI privacy guidance gaps
The assessment says AI can expose sensitive data in raw datasets and that agencies may lack the tools and resources to apply privacy protections consistently.
WORTH NOTING
Jones Day says hackers accessed client files
The legal-sector breach affected a limited number of dated files tied to 10 client matters and shows continued targeting of sensitive attorney-client data.
Still unclear
OPEN QUESTION
Will Forest Blizzard change tactics again?
The group has previously altered its methods after public reporting, so defenders need to watch for a rapid shift away from DNS hijacking.
OPEN QUESTION
How broadly will Hong Kong enforce compelled decryption?
The practical scope of airport, transit, and device-seizure enforcement will determine how much the rule changes real-world privacy risk.
