Apr 09, 2026 • Nate Nelson
Russia's Forest Blizzard Nabs Rafts of Logins Via SOHO Routers
Executive Summary
Russian state-sponsored threat actor APT28 (Fancy Bear) is conducting malwareless cyber espionage by targeting SOHO (Small Office/Home Office) routers. The group modifies DNS settings in vulnerable routers to intercept and manipulate network traffic, enabling credential harvesting across global organizations. This technique avoids traditional malware deployment, making detection significantly more difficult. Organizations should immediately audit router configurations, ensure firmware is updated, change default credentials, and implement DNS security mechanisms such as DNSSEC to detect unauthorized DNS changes.
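A defender-side audit in the spirit of that last recommendation, added here as an example and not taken from the article or from any APT28 reporting: it reads a constructed router configuration export (the key names are hypothetical) and flags any WAN or DHCP DNS-server setting that points somewhere other than a sanctioned resolver or the router's own LAN, which is the "one DNS setting" the technique changes.

```python
import ipaddress
import re
# Constructed router configuration export (not from any real device; the key
# names are hypothetical). Real values come from the router UI or a backup.
SAMPLE_CONFIG = """\
lan_ipaddr=192.168.1.1
wan_dns_mode=static
wan_dns1=203.0.113.53
wan_dns2=9.9.9.9
dhcp_dns1=192.168.1.1
dhcp_dns2=198.51.100.7
"""

ALLOWED_RESOLVERS = {"9.9.9.9", "149.112.112.112"}  # sanctioned upstreams (assumed)
DNS_KEY = re.compile(r"^(wan|dhcp)_dns\d$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_config(text):
    """Return {key: value} for every 'key=value' line of the export."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def audit_dns(text, allowed=ALLOWED_RESOLVERS):
    """Return (key, server, verdict) for each DNS-server setting.
    ok: sanctioned resolver. lan: the router itself or another RFC 1918 address
    (it forwards upstream, so the wan_dns entries still decide where queries go).
    suspect: anything else, which is what a silently changed setting looks like.
    """
    cfg = parse_config(text)
    findings = []
    for key, value in cfg.items():
        if not DNS_KEY.match(key):
            continue
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:  # not even an IP address: treat as suspect
            findings.append((key, value, "suspect"))
            continue
        if value in allowed:
            verdict = "ok"
        elif value == cfg.get("lan_ipaddr") or any(ip in net for net in RFC1918):
            verdict = "lan"
        else:
            verdict = "suspect"
        findings.append((key, value, verdict))
    return findings
```

Run this against a fresh configuration backup on a schedule and diff the `suspect` entries against the previous run; a new public resolver appearing in `wan_dns*` or `dhcp_dns*` with no change ticket is the signal to investigate.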
Summary
Heard of fileless malware? How about malwareless cyber espionage? Russia's APT28 is spying on global organizations by modifying just one DNS setting in vulnerable routers.
Linked Entities
- APT28