Threat Insight
Russian Intelligence Targets SOHO Routers
The Russian GRU threat actor known as Forest Blizzard, has conducted a large-scale cyber espionage campaign by targeting small office and home office (SOHO) routers, to conduct adversary-in-the-middle (AitM) attacks.
The threat actor targeted unprotected routers and manipulates their DNS settings so that traffic to certain domains gets redirected to an AitM site, where victims are lured to enter their credentials into a fake login page that stores the credentials and then redirects them to the real site, using the same credentials.
This campaign uses a well-known technique to harvest credentials and session tokens via an AitM site. The novel part is that instead of using phishing links to lure the victim to visit the fraudulent site, they manipulate DNS records to direct them to the AitM site. This type of attack can be especially powerful against people working from home, with a private home router.
This is not the first time sophisticated threat actors have focused on routers in their cyber espionage campaigns. Truesec has previously reported how both Russian and Chinese threat actors have targeted routers.
Recommended Actions
What This Means
This is a network architecture issue in the remote work model. If remote access depends on unmanaged or weakly managed edge devices, attackers gain a path into identity flows and business traffic without touching the endpoint first. Leadership should view this as a risk in the digital workplace architecture and in the trust model for remote work.
MITRE ATT&CK Connection
ATT&CK pattern: This attack stands out through adversary-in-the-middle activity from compromised routers. The attacker intercepts traffic, captures credentials or sessions, and abuses normal authentication flows without needing to compromise the endpoint first.
Architectural weak point: The remote work model often trusts home routers and other edge devices that the organization does not manage well enough. That means identity and network trust depend on infrastructure outside normal enterprise control.
NIST CSF
Identify: Asset Management (ID.AM): Know which routers, edge devices, DNS paths, and home office setups influence access to critical services.
Protect: Platform Security (PR.PS): Harden remote access paths, edge devices, and supporting network services.
Identity Management, Authentication, and Access Control (PR.AA): Reduce trust in unmanaged networks through stronger access controls such as VPN and MFA.
Detect: Continuous Monitoring (DE.CM) and Adverse Event Analysis (DE.AE): Look for unusual authentication patterns and signs of traffic interception.
Respond: Incident Management (RS.MA): Contain affected users, devices, and network paths fast.
Recover: Incident Recovery Plan Execution (RC.RP): Restore trusted access after the affected paths are contained.
What To Do
- Treat routers and network edge devices as part of the enterprise attack surface.
- Set clear architectural rules for home offices, remote access, DNS control, device hardening, and support responsibilities.
- Reduce dependence on unmanaged home networking for access to sensitive services.
- Use stronger controls such as VPN, MFA, centralized DNS, traffic filtering, secure web access, and managed connectivity where risk is high.
- Review how you update, monitor, and replace routers and other network or IoT devices used in remote work settings.
- Ensure policies cover both corporate devices and personal devices that influence business traffic.
Stay ahead with cyber insights
Newsletter
Stay ahead in cybersecurity! Sign up for Truesec’s newsletter to receive the latest insights, expert tips, and industry news directly to your inbox. Join our community of professionals and stay informed about emerging threats, best practices, and exclusive updates from Truesec.
Your current browser privacy settings may be preventing this form from loading properly. To continue, please allow cookies/tracking for this site or temporarily disable strict privacy protection, then refresh the page.
If you’re still experiencing issues, please contact us at hello@truesec.com