Russian Hackers Exploit SOHO Routers for DNS Hijacking Campaign

The Cyber Express, Apr 9, 2026

Why It Matters

The operation demonstrates how low‑cost edge devices can become a gateway to enterprise data, raising the risk profile for both consumers and businesses. Effective mitigation requires shifting security controls upstream, beyond traditional endpoint defenses.

Key Takeaways

  • Forest Blizzard compromised more than 5,000 consumer routers since Aug 2025.
  • Hijacked DNS redirects traffic to attacker‑controlled resolvers for surveillance.
  • AiTM attacks spoof TLS certificates on Microsoft 365 and African government sites.
  • Zero‑Trust DNS and Microsoft Defender recommended to detect malicious redirects.
  • Enforcing MFA and passwordless login limits credential theft from router breaches.

Pulse Analysis

The surge in SOHO router compromises reflects a broader shift in cyber‑espionage tactics, where threat actors target the weakest link in the network chain. Unlike corporate firewalls, home routers often run outdated firmware and lack centralized monitoring, making them attractive for groups like Forest Blizzard. By commandeering these devices, the Russian‑linked actors create a sprawling, low‑visibility DNS infrastructure that can silently siphon data from thousands of endpoints, blurring the line between consumer and corporate risk.

Technically, the attackers modify router settings to point DHCP‑assigned devices toward malicious DNS resolvers, effectively inserting themselves between users and the internet. This enables large‑scale DNS hijacking, where legitimate queries are answered with attacker‑controlled IPs. In high‑value scenarios, the group escalates to adversary‑in‑the‑middle (AiTM) attacks, spoofing TLS certificates for services such as Microsoft 365 and redirecting traffic to counterfeit sites. Victims who ignore browser warnings expose emails, credentials, and other sensitive cloud data, amplifying the potential impact of a seemingly peripheral compromise.
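The two client-side checks that follow the technique described above, as an added example that is not part of the original article: first, parse the DNS servers a router handed out via DHCP and flag any that fall outside an allowlist of expected resolver networks; second, compare the A records returned by that DHCP-assigned resolver against answers from an independent, trusted resolver for a few high-value names. The lease text, the allowlisted networks and all DNS answers are constructed sample data (documentation address ranges and example.com names); the ISC dhclient lease syntax is real, but the file path and the idea of polling it are assumptions about the endpoint being checked.

```python
"""Endpoint-side detection of router DNS hijacking (added example, constructed data)."""
import ipaddress
import re

# Constructed sample in ISC dhclient lease syntax (as found in e.g.
# /var/lib/dhcp/dhclient.leases). 203.0.113.7 stands in for a resolver the
# router was never meant to advertise; 192.168.1.1 is the router's LAN address.
SAMPLE_LEASE = """\
lease {
  interface "eth0";
  fixed-address 192.168.1.50;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option domain-name-servers 203.0.113.7,192.168.1.1;
  renew 2 2026/04/07 10:00:00;
}
"""

# Assumed allowlist: the router's own LAN address plus a corporate resolver block.
TRUSTED_RESOLVER_NETS = [
    ipaddress.ip_network("192.168.1.1/32"),
    ipaddress.ip_network("10.10.0.0/24"),
]

# Constructed A-record answers for two names, as seen from the DHCP-assigned
# resolver and from an independent trusted resolver (e.g. a corporate DoH endpoint).
LOCAL_ANSWERS = {
    "mail.example.com": {"198.51.100.20"},      # hijacked: points at attacker host
    "www.example.com": {"192.0.2.10"},          # unchanged
}
TRUSTED_ANSWERS = {
    "mail.example.com": {"192.0.2.25"},
    "www.example.com": {"192.0.2.10"},
}


def parse_dns_servers(lease_text: str) -> list[str]:
    """Extract the DHCP option 6 (domain-name-servers) list from a dhclient lease."""
    match = re.search(r"option domain-name-servers\s+([^;]+);", lease_text)
    if not match:
        return []
    return [s.strip() for s in match.group(1).split(",") if s.strip()]


def unexpected_resolvers(servers: list[str], trusted_nets=TRUSTED_RESOLVER_NETS) -> list[str]:
    """Return every advertised resolver that is not inside an allowlisted network."""
    flagged = []
    for server in servers:
        addr = ipaddress.ip_address(server)
        if not any(addr in net for net in trusted_nets):
            flagged.append(server)
    return flagged


def suspicious_answers(local: dict[str, set[str]],
                       trusted: dict[str, set[str]]) -> dict[str, tuple[list[str], str]]:
    """Compare answers from the DHCP resolver with a trusted resolver.

    A completely disjoint answer set is the strong signal; a partial overlap is
    reported at low confidence because CDN-hosted names legitimately rotate IPs.
    """
    findings = {}
    for name, trusted_ips in trusted.items():
        local_ips = local.get(name, set())
        extra = local_ips - trusted_ips
        if not extra:
            continue
        if local_ips.isdisjoint(trusted_ips):
            reason = "answer entirely different from trusted resolver"
        else:
            reason = "answer partially different (possible CDN rotation, low confidence)"
        findings[name] = (sorted(extra), reason)
    return findings


if __name__ == "__main__":
    servers = parse_dns_servers(SAMPLE_LEASE)
    print("DHCP resolvers:", servers)
    print("Resolvers outside allowlist:", unexpected_resolvers(servers))
    for name, (ips, why) in suspicious_answers(LOCAL_ANSWERS, TRUSTED_ANSWERS).items():
        print(f"{name}: unexpected {ips} ({why})")
```

In practice the first check runs whenever the lease renews, and the second runs on a short list of names that matter to the organization (identity provider, mail, VPN) rather than on all traffic, so that legitimate CDN churn does not drown the signal. A hit on either check on a managed endpoint is worth an alert, since it indicates the router between that user and the internet is no longer answering honestly.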

Mitigation now centers on moving security controls upstream. Zero‑Trust DNS solutions can block malicious domains and flag anomalous query patterns, while Microsoft Defender for Endpoint adds a layer of network protection. Organizations should also harden identity hygiene—enforcing multi‑factor authentication, conditional access policies, and passwordless logins—to reduce the payoff of credential harvesting. As SOHO devices continue to proliferate, a proactive, layered defense that includes firmware updates, network segmentation, and continuous monitoring will be essential to neutralize this emerging threat vector.
