Why Russian Threat Actors are Targeting Internet Routers

Another Russian espionage operation has been uncovered.
As a recent investigation by global agencies has revealed, the culprit is no rogue cyber crime gang but a sophisticated cyber espionage wing of the GRU – the Russian Military Intelligence.
The threat actor is Forest Blizzard and the targets are the unsuspecting internet routers in your homes that can be used to spy on you.
These vulnerable small office/home office (SOHO) routers are of interest to the threat actors because compromising them enables Domain Name System (DNS) hijacking, which is later used to harvest credentials.
“By compromising edge devices that are upstream of larger targets, threat actors could take advantage of less closely monitored assets to pivot into enterprise environments,” reads a Microsoft Threat Intelligence blog.
“We have identified over 200 organisations and 5,000 consumer devices impacted by Forest Blizzard’s malicious DNS infrastructure.”
Rather than breaking into well-defended organisations directly, the Russian threat actors compromise less well-guarded home routers and use them to steal credentials linked to enterprise environments.
Threat profile and attack chain
This Russia-linked threat actor, tracked as APT28, goes by many names – Forest Blizzard, Fancy Bear, the Sednit Gang and Sofacy.
Forest Blizzard is linked to GRU Unit 26165, which places it among the three Russian military intelligence units sanctioned by the UK – GRU Units 29155, 26165 and 74455.
APT28 and its sub-group tracked as Storm-2754 are known to collect intelligence in support of Russian government foreign policy initiatives.
The modus operandi involves tampering with the default network configuration of compromised SOHO devices so that they use threat actor-controlled DNS resolvers.
Through this malicious DNS reconfiguration, thousands of devices now send their DNS requests to actor-controlled servers instead of the legitimate resolvers the user intended.
This gives the Russian group total visibility of, and access to, the user's internet activity, allowing them to passively observe the traffic or actively intercept it when needed.
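A defender-side check for the resolver tampering described above, added here as an example that is not from the article or from the agencies' advisories: it flags devices whose configured resolvers fall outside an approved set, and names whose answers from a device's resolver differ from a trusted resolver's. All resolver addresses, device records and DNS answers are constructed sample data.

```python
"""Defender-side checks for DNS-resolver tampering on SOHO routers.
All addresses, device records and DNS answers below are constructed sample
data (assumptions for this example), not values from the article."""
from ipaddress import ip_address

# Assumed: the resolvers the defender sanctions (ISP or enterprise resolvers).
APPROVED_RESOLVERS = {ip_address("192.0.2.53"), ip_address("192.0.2.54")}

# Constructed sample of router configuration exports: (device, resolver list).
SAMPLE_DEVICES = [
    ("router-home-01", ["192.0.2.53", "192.0.2.54"]),
    ("router-home-02", ["198.51.100.7", "192.0.2.53"]),  # one unexpected resolver
    ("router-branch-03", ["203.0.113.9"]),               # fully redirected
    ("router-home-04", ["192.0.2.53"]),
]

# Constructed sample of A-record answers for the same names, as returned by a
# trusted resolver and by one device's currently configured resolver.
TRUSTED_ANSWERS = {
    "mail.example.com": {"192.0.2.10"},
    "login.example.com": {"192.0.2.11", "192.0.2.12"},
    "www.example.com": {"192.0.2.13"},
}
OBSERVED_ANSWERS = {
    "mail.example.com": {"203.0.113.40"},               # answer points elsewhere
    "login.example.com": {"192.0.2.12", "192.0.2.11"},  # same set, different order
    "www.example.com": {"192.0.2.13"},
}

def find_tampered_devices(devices, approved):
    """Return {device: [unexpected resolvers]} for every device whose
    configured resolvers include an address outside the approved set."""
    findings = {}
    for name, resolvers in devices:
        unexpected = [r for r in resolvers if ip_address(r) not in approved]
        if unexpected:
            findings[name] = unexpected
    return findings

def divergent_answers(trusted, observed):
    """Return the names whose answer set from the device's resolver differs
    from the trusted resolver's answer set (record order is ignored)."""
    return {name for name, addrs in observed.items()
            if set(addrs) != set(trusted.get(name, set()))}

if __name__ == "__main__":
    for device, bad in find_tampered_devices(SAMPLE_DEVICES, APPROVED_RESOLVERS).items():
        print(f"{device}: unexpected resolver(s) {bad}")
    for name in sorted(divergent_answers(TRUSTED_ANSWERS, OBSERVED_ANSWERS)):
        print(f"{name}: answer differs from trusted resolver")
```

In practice the device records would come from router configuration exports or DHCP lease logs, and the answer sets from querying each name through both resolvers.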
The group was also found to perform adversary-in-the-middle (AiTM) attacks on transport layer security (TLS) connections against Microsoft Outlook.
Because Microsoft Outlook is so widely used, AiTM attacks on it enable bad actors to intercept cloud-hosted content across multiple sectors, including government, IT, telecommunications and energy.
“This activity demonstrates how exploited vulnerabilities in widely used network devices can be leveraged by sophisticated hostile actors,” remarks Paul Chichester, Director of Operations at the UK’s National Cyber Security Centre (NCSC).
“We strongly encourage organisations and network defenders to familiarise themselves with the techniques described in the advisory and to follow the mitigation advice.
“The NCSC will continue to expose Russian malicious cyber activity and provide practical guidance to help protect UK networks.”
FBI’s Operation Masquerade
Many countries around the world have warned civilians of this intrusion.
Understanding the scale of the compromise, the FBI conducted a court-authorised operation “to harden compromised routers across the United States”.
“Operation Masquerade demonstrates the FBI’s commitment to identifying, exposing and disrupting the Russian government's efforts to compromise American devices, steal sensitive information and target critical infrastructure,” says Assistant Director Brett Leatherman of the FBI’s Cyber Division.
“GRU actors compromised routers in the US and around the world, hijacking them to conduct espionage. Given the scale of this threat, sounding the alarm wasn't enough.
“We urge all router owners to take the remediation steps outlined today, because defending our networks requires all of us.
“The FBI will continue to use its authorities to identify and impose costs on state-sponsored actors who target the American people.”