SOHO Router Compromise - DNS Hijacking and AiTM Attacks Uncovered

High severity — significant development or major threat actor activity
Basically, hackers are using home routers to spy on people and steal information.
A Russian military-linked group is exploiting vulnerable home routers for DNS hijacking and adversary-in-the-middle attacks. Thousands of devices are affected, raising significant security concerns. Organizations must enhance their defenses against these tactics.
What Happened
Forest Blizzard, a threat actor associated with the Russian military, has been exploiting insecure home and small-office (SOHO) routers since August 2025. By compromising these devices, they modify their settings to redirect Domain Name System (DNS) requests through their own malicious infrastructure. This allows them to collect sensitive data and conduct follow-on attacks, including adversary-in-the-middle (AiTM) operations against targeted domains.
Who's Behind It
The campaign is attributed to Forest Blizzard, also known as STRONTIUM, which primarily serves the intelligence needs of the Russian government. This actor has a history of targeting various sectors, including government, telecommunications, and energy, using sophisticated techniques to gather intelligence.
Tactics & Techniques
Forest Blizzard employs a multi-step attack chain:
- Compromise of SOHO Devices: They gain access to routers and alter their configurations so that the devices use actor-controlled DNS resolvers instead of the ISP's or the organization's sanctioned ones.
- DNS Hijacking: By reconfiguring dnsmasq, the DNS forwarder built into many SOHO routers, they route every query from the network behind the router to their own servers, allowing them to monitor and collect DNS traffic and to choose which answers the victims receive.
- Adversary-in-the-Middle Attacks: Because the hijacked resolver decides which address a client connects to, they can place themselves in the path of TLS connections, particularly to Microsoft Outlook on the web, and intercept sensitive information such as credentials and session data from the proxied sessions.
Defensive Measures
To mitigate the risks associated with this threat, organizations should:
- Implement Zero Trust DNS so that devices can only resolve names through trusted servers; in practice this means pinning endpoints to sanctioned resolvers over encrypted DNS (DoH/DoT) so that resolvers handed out by an untrusted home router via DHCP are ignored.
- Monitor DNS traffic for anomalies, such as resolution through unexpected upstream servers or unexpected answers for high-value domains, and block known malicious domains.
- Centralize identity management and enforce phishing-resistant multifactor authentication (MFA) to limit what an attacker can do with intercepted credentials.
- Educate remote employees about the risks of reaching corporate resources through unmanaged home routers, and encourage them to keep router firmware current and replace default administrative credentials.
Conclusion
The exploitation of SOHO routers by Forest Blizzard highlights the vulnerabilities in home network devices. Organizations must take proactive steps to secure these devices and protect sensitive data from adversarial threats. Awareness and robust security practices are essential to defend against such sophisticated attacks.
🔍 How to Check If You're Affected
1. Review DNS logs for unusual query patterns, including forwarding to upstream resolvers you did not configure and answers for known domains that fall outside their expected address ranges.
2. Check for unauthorized changes in router settings, in particular the upstream DNS servers the router forwards to and the resolvers it hands out via DHCP.
3. Implement alerts for suspicious outbound DNS traffic, for example port 53 or DoH/DoT traffic from the router to addresses that are not on your allowlist.
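To make the DNS-hijacking indicators from the Tactics section and the checks above concrete, here is an added example (not code from the original report or from any vendor tooling) that parses dnsmasq-style router logs and flags two signs of compromise: queries forwarded to an upstream resolver that is not on a sanctioned list, and answers for a watched domain that fall outside the address ranges it is expected to resolve into. The log excerpt, the trusted-resolver set and the expected prefix for outlook.office.com are all constructed placeholders for illustration, not real infrastructure data.

```python
"""Flag DNS-hijacking indicators in dnsmasq-style router logs (added example)."""
import ipaddress
import re
from collections import Counter

# Assumption: the resolvers the organization sanctions (placeholder values).
TRUSTED_RESOLVERS = {"1.1.1.1", "9.9.9.9"}

# Assumption: prefixes a watched domain is expected to resolve into.
# Placeholder range for illustration only, not a real Microsoft allocation.
WATCHED_DOMAINS = {
    "outlook.office.com": [ipaddress.ip_network("52.96.0.0/12")],
}

# Constructed dnsmasq log excerpt (not captured from a real device). The
# second lookup of outlook.office.com is forwarded to an unknown resolver and
# answered with an address outside the expected range: both hijack indicators.
SAMPLE_LOG = """\
Jan 10 09:12:01 dnsmasq[812]: query[A] outlook.office.com from 192.168.1.20
Jan 10 09:12:01 dnsmasq[812]: forwarded outlook.office.com to 1.1.1.1
Jan 10 09:12:01 dnsmasq[812]: reply outlook.office.com is 52.96.12.34
Jan 10 09:30:44 dnsmasq[812]: query[A] outlook.office.com from 192.168.1.20
Jan 10 09:30:44 dnsmasq[812]: forwarded outlook.office.com to 203.0.113.53
Jan 10 09:30:44 dnsmasq[812]: reply outlook.office.com is 198.51.100.7
Jan 10 09:31:02 dnsmasq[812]: query[A] example.org from 192.168.1.31
Jan 10 09:31:02 dnsmasq[812]: forwarded example.org to 203.0.113.53
Jan 10 09:31:02 dnsmasq[812]: reply example.org is 93.184.216.34
"""

# Matches the three dnsmasq line kinds used here: "query[A] name from client",
# "forwarded name to upstream" and "reply name is answer".
LINE_RE = re.compile(
    r"dnsmasq\[\d+\]: (?P<kind>query\[\w+\]|forwarded|reply) (?P<name>\S+) "
    r"(?:from|to|is) (?P<addr>\S+)"
)


def parse_dnsmasq(text):
    """Return (kind, name, address) tuples for every recognised log line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        kind = m.group("kind").split("[")[0]  # "query[A]" -> "query"
        events.append((kind, m.group("name").lower(), m.group("addr")))
    return events


def rogue_forwards(events, trusted=TRUSTED_RESOLVERS):
    """Count forwards to upstream resolvers that are not sanctioned."""
    return Counter(
        addr for kind, _, addr in events
        if kind == "forwarded" and addr not in trusted
    )


def suspicious_answers(events, watched=WATCHED_DOMAINS):
    """List (domain, answer) pairs where a watched domain resolved off-range."""
    findings = []
    for kind, name, addr in events:
        if kind != "reply" or name not in watched:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # dnsmasq also logs "<CNAME>" / "NXDOMAIN" in this slot
        if not any(ip in net for net in watched[name]):
            findings.append((name, addr))
    return findings


if __name__ == "__main__":
    evts = parse_dnsmasq(SAMPLE_LOG)
    for resolver, n in rogue_forwards(evts).items():
        print(f"[!] {n} queries forwarded to unsanctioned resolver {resolver}")
    for domain, answer in suspicious_answers(evts):
        print(f"[!] {domain} resolved to off-range address {answer}")
```

Run against a real router's dnsmasq log (typically available via syslog, or `log-queries` in dnsmasq.conf) and replace the placeholder resolver set and expected prefixes with your own. A hit on `rogue_forwards` is the direct signature of the configuration change described above; a hit on `suspicious_answers` for a high-value domain is the kind of evidence that precedes an AiTM session.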
🔒 Pro insight: The use of SOHO devices as attack vectors underscores the need for comprehensive security measures in remote work environments.