Threat Actor Forest Blizzard Hijacks SOHO Routers for DNS Hijacking and Man‑in‑the‑Middle Attacks
What Happened — Forest Blizzard, a threat group tied to the Russian military, has been targeting insecure home and small‑office routers, gaining administrative access and re‑configuring DNS settings to route traffic through malicious servers. The compromised devices are then used for large‑scale DNS hijacking and adversary‑in‑the‑middle (AiTM) attacks against downstream users.
Why It Matters for TPRM —
- Third‑party network equipment can become a covert conduit for data interception across multiple client environments.
- Even low‑risk, low‑cost routers can provide attackers with persistent footholds that bypass traditional perimeter defenses.
- Supply‑chain exposure expands the attack surface beyond primary vendors to any organization that relies on unmanaged SOHO hardware.
Who Is Affected — Small‑business firms, remote‑work environments, managed service providers, and any organization that permits employee‑owned or legacy routers on corporate networks.
Recommended Actions — Conduct an inventory of all SOHO/branch routers, enforce strong admin credentials, apply firmware updates, segment IoT/SOHO devices on separate VLANs, and monitor DNS traffic for anomalies.
Technical Notes — Attack vector: exploitation of default/weak credentials and unpatched firmware leading to configuration changes (DNS redirection, TLS interception). No specific CVE disclosed; the threat leverages generic router management flaws. Data types at risk include credentials, internal communications, and any unencrypted traffic. Source: Microsoft Security Blog
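The recommended actions and the technical notes above both come down to one control: every router and every client must resolve names only through resolvers the organization has approved. The following script is an added illustration, not code from the advisory or from Microsoft. It audits a router configuration dump and a batch of DNS query log lines against an approved-resolver allowlist and reports anything pointing elsewhere. The configuration format, the log format, the resolver addresses and the sample lines are all constructed for this example; adapt the parsers to your own router export and sensor output.

```python
"""Audit router DNS settings and observed DNS traffic for unapproved resolvers.

Added example (not from the advisory). A DNS-hijacked SOHO router typically
hands clients a resolver the attacker controls; the simplest durable check is
to compare both the device's configuration and the resolvers actually used on
the wire against an allowlist. All inputs below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical approved upstream resolvers (assumption: routers are pinned
# to these internal forwarders). Replace with your own allowlist.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed router configuration excerpt in a generic key=value form.
ROUTER_CONFIG = """\
hostname=branch-rtr-07
dns_primary=10.0.0.53
dns_secondary=203.0.113.77
dhcp_dns=203.0.113.77
"""

# Constructed DNS query log lines as an edge sensor might emit them:
# timestamp, client (src), resolver contacted (dst), queried name.
DNS_LOG = """\
2024-05-01T09:14:02Z src=10.0.5.21 dst=10.0.0.53 qname=mail.example.com
2024-05-01T09:14:05Z src=10.0.5.21 dst=203.0.113.77 qname=login.example.com
2024-05-01T09:14:09Z src=10.0.5.44 dst=10.0.1.53 qname=updates.example.com
2024-05-01T09:15:11Z src=10.0.5.44 dst=203.0.113.77 qname=vpn.example.com
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) qname=(?P<qname>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str       # "config" (router setting) or "traffic" (observed query)
    resolver: str   # the unapproved resolver address
    detail: str     # where it was seen


def audit_router_config(config_text: str, approved: set[str]) -> list[Finding]:
    """Flag every DNS-related setting that points at a resolver outside the allowlist."""
    findings = []
    for line in config_text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        # Both the router's own forwarders and what it hands out via DHCP matter.
        if key.startswith(("dns", "dhcp_dns")) and value not in approved:
            findings.append(Finding("config", value, key))
    return findings


def audit_dns_log(log_text: str, approved: set[str]) -> list[Finding]:
    """Flag queries sent to unapproved resolvers, one finding per (resolver, client) pair."""
    findings = []
    seen = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than trust it
        dst = m["dst"]
        try:
            ipaddress.ip_address(dst)  # reject junk in the resolver field
        except ValueError:
            continue
        if dst in approved:
            continue
        key = (dst, m["src"])
        if key in seen:
            continue  # de-duplicate noisy clients
        seen.add(key)
        findings.append(
            Finding("traffic", dst, f"client {m['src']} at {m['ts']} for {m['qname']}")
        )
    return findings


def unapproved_resolvers(config_text: str, log_text: str, approved: set[str]) -> set[str]:
    """Distinct unapproved resolver addresses seen in either the config or the traffic."""
    found = audit_router_config(config_text, approved) + audit_dns_log(log_text, approved)
    return {f.resolver for f in found}


if __name__ == "__main__":
    for f in audit_router_config(ROUTER_CONFIG, APPROVED_RESOLVERS) + audit_dns_log(
        DNS_LOG, APPROVED_RESOLVERS
    ):
        print(f"[{f.kind}] unapproved resolver {f.resolver}: {f.detail}")
```

Running the script prints two configuration findings (the secondary and DHCP-advertised resolver) and two traffic findings for the same address, which is the pattern to expect when a router's DNS settings have been changed: the configuration drift and the on-wire resolver usage point at the same unexpected host. Feeding the traffic check with real sensor output turns it into the "monitor DNS traffic for anomalies" control; feeding the configuration check with periodic exports from each inventoried router turns it into a drift alarm for the router fleet.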