Russian Forest Blizzard Hackers Hijack Home Routers for Global DNS Spoofing and Espionage
What Happened — Russian cyber‑espionage group Forest Blizzard has been compromising consumer‑grade home routers worldwide, re‑configuring their DNS settings to redirect traffic through malicious servers. The altered DNS resolves legitimate domains to attacker‑controlled sites, enabling large‑scale traffic interception and data collection.
Why It Matters for TPRM —
- Home routers are often supplied by third‑party manufacturers and managed by ISPs, creating a supply‑chain risk that can extend to corporate networks via remote‑work endpoints.
- DNS hijacking provides a stealthy vector for credential harvesting, malware delivery, and intelligence gathering on corporate users working from home.
- The campaign demonstrates the need for continuous validation of vendor firmware security and secure configuration baselines.
Who Is Affected — Residential broadband customers, ISPs, remote‑workforce users, and any organization whose employees rely on home routers for VPN or cloud access.
Recommended Actions —
- Instruct employees to change default router credentials and apply the latest firmware updates.
- Require ISPs and router vendors to provide documented secure‑configuration guides and proof of regular patch cycles.
- Incorporate router security checks into third‑party risk assessments and continuous monitoring programs.
Technical Notes — The attackers exploit default/weak credentials and unpatched firmware vulnerabilities to gain admin access, then modify DNS resolver entries. No specific CVE was disclosed, but the technique aligns with known router firmware flaws. Data exfiltrated includes DNS query logs, visited URLs, and potentially session cookies. Source: HackRead