Russian Actors Hijacking SOHO Routers for Malicious Infrastructure

Cyber Threat Intelligence is flagging a concerning trend: threat actors, specifically Forest Blizzard (linked to Russian military intelligence), are actively compromising small office/home office (SOHO) routers. These compromised devices aren’t just being taken offline; they’re being repurposed. Cyber Threat Intelligence reports that these actors are modifying router settings to integrate them into their own malicious infrastructure, essentially turning everyday internet equipment into tools for further nefarious activities.

The primary techniques being observed involve DNS hijacking and facilitating adversary-in-the-middle (AiTM) attacks. By controlling the DNS resolution on these routers, attackers can redirect users to malicious websites, even if they type in the correct URL. This opens the door wide for credential harvesting, malware delivery, and other devastating follow-on attacks. The fact that these attacks are targeting SOHO devices highlights a common vulnerability: many smaller organizations and home users neglect basic router security, leaving them prime targets.
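The DNS-hijacking signal described above can be checked from any client on the LAN. The Python script below is an added example, not code from the original post or from any Cyber Threat Intelligence product: it parses the resolver list a client received from the router, compares it against an assumed allowlist of trusted resolvers, and flags canary domains whose answers through the local resolver share no address with the answers from a reference resolver. The resolv.conf text, the allowlist and the DNS answers are all constructed samples, so the script runs offline.

```python
"""Detect signs of DNS hijacking by a compromised SOHO router.

Two checks: (1) which resolvers the router handed to this client, and
(2) whether canary domains resolve to the same addresses through the local
resolver as through a trusted reference resolver.  Every input below is a
constructed sample; nothing is fetched from the network."""

import ipaddress

# Assumed organisational allowlist of upstream resolvers (constructed).
TRUSTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "9.9.9.9"}

# RFC 1918 ranges: a resolver here is the router itself or another LAN host.
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed /etc/resolv.conf as a client might receive it from a router
# whose DNS settings were altered: the router plus an unknown public address.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.77
options ndots:1
"""

# Constructed answers: local resolver vs. reference resolver.  login.example.com
# differs completely, which is the classic AiTM/credential-harvesting signal.
SAMPLE_LOCAL = {
    "login.example.com": {"198.51.100.20"},
    "mail.example.com": {"192.0.2.10"},
    "cdn.example.net": {"192.0.2.50", "192.0.2.51"},
}
SAMPLE_REFERENCE = {
    "login.example.com": {"192.0.2.20"},
    "mail.example.com": {"192.0.2.10"},
    "cdn.example.net": {"192.0.2.51", "192.0.2.50"},
}


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue                          # malformed entry; ignore
    return servers


def audit_resolvers(servers, allowlist=TRUSTED_RESOLVERS):
    """Map each resolver to 'trusted', 'router-or-lan' or 'unexpected'."""
    report = {}
    for s in servers:
        ip = ipaddress.ip_address(s)
        if s in allowlist:
            report[s] = "trusted"
        elif any(ip in net for net in LAN_RANGES):
            report[s] = "router-or-lan"   # normal, but check its upstream setting
        else:
            report[s] = "unexpected"      # public resolver nobody configured
    return report


def compare_answers(local, reference):
    """Return canary domains whose local answers share no address with the reference."""
    hijacked = []
    for name, ref in reference.items():
        if not (local.get(name, set()) & ref):
            hijacked.append(name)
    return sorted(hijacked)


if __name__ == "__main__":
    for ip, verdict in audit_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF)).items():
        print(f"resolver {ip}: {verdict}")
    for name in compare_answers(SAMPLE_LOCAL, SAMPLE_REFERENCE):
        print(f"ALERT: {name} resolves differently through the local resolver")
```

On a real host, replace the constructed answer tables with live lookups, one through the router-advertised resolver and one through a resolver reached over DoH or DoT so the router cannot interfere with it. The comparison looks for zero overlap rather than exact equality because CDN-fronted names legitimately return different addresses by region; a mismatch on such a name is a lead to investigate, while a mismatch on a login or SSO portal should be treated as an incident. A "router-or-lan" verdict is normal for SOHO networks, but it means the check has to continue on the router itself: log in and confirm the upstream DNS servers it forwards to are still the expected ones.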

What This Means For You

  • Security teams should mandate and enforce regular firmware updates for all SOHO routers and implement strong, unique administrative passwords, as these devices are increasingly targeted for network infrastructure compromise.
