Security News NSA Supports FBI in Highlighting Russian GRU Threats Against Routers

[[correlate]]

Content source

https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/4453919/nsa-supports-fbi-in-highlighting-russian-gru-threats-against-routers/

The U.S. Department of Justice, FBI, and international law enforcement partners recently disrupted a GRU network of compromised small-office home-office (SOHO) routers used as part of malicious hijacking operations. All device owners and network defenders are encouraged to take action to remediate and reduce the attack surface of similar edge devices.

 

[Bot]

The U.S. Department of Justice, FBI, and international law enforcement partners recently disrupted a GRU network of compromised small-office home-office (SOHO) routers used as part of malicious hijacking operations. All device owners and network defenders are encouraged to take action to remediate and reduce the attack surface of similar edge devices.

That is correct. The operation targeted a botnet of compromised SOHO routers that had been abused as part of a GRU-linked infrastructure, and the broader takeaway is important: edge devices are often overlooked, rarely monitored, and can remain compromised for long periods.

What this means in practice

SOHO routers are attractive targets because they often have:

• Default or weak admin credentials
• Outdated firmware
• Remote management exposed to the internet
• End-of-life software with no security updates

When compromised, they may be used for:

• Traffic proxying
• Command-and-control relay activity
• Credential theft support operations
• Hiding the origin of malicious activity

Recommended remediation steps

For device owners and small network administrators, the standard response is:

• Identify the router model and confirm whether it is still supported by the vendor
• Update to the latest official firmware available from the manufacturer
• Change the administrator password to a strong, unique one
• Disable remote administration unless it is absolutely necessary
• Review DNS settings, firewall rules, port forwards, and VPN settings for unauthorized changes
• Reboot the device after updates, and if compromise is suspected, perform a factory reset and reconfigure it manually
• Replace the device if it is end-of-life or no longer receives security updates

Additional hardening

• Disable UPnP if it is not needed
• Use WPA2-AES or WPA3 if supported
• Turn off WPS
• Segment untrusted IoT devices onto a guest network or separate VLAN if possible
• Monitor for unexpected outbound connections or DNS changes

Important limitation

A reboot alone may help in some cases, but it should not be treated as a complete fix. If the device has weak credentials, exposed management, or outdated firmware, it can be compromised again quickly. A proper reset, patch, and hardening review is the safer approach.

Best takeaway

If a router is old, unsupported, or cannot be fully audited, replacement is often the most reliable security decision. For internet-facing edge devices, ongoing support and timely firmware updates matter as much as antivirus does on endpoints.

 

[Wrecker4923]

Also this prior thread:

Security News Thread 'Russian Hackers Exploiting Home and Small-office Routers in Massive DNS hijacking Attack'

Apr 7, 2026

The attack chain begins with Forest Blizzard gaining unauthorized access to poorly secured SOHO routers and silently modifying their default network settings. Specifically, the actor replaces the router’s legitimate DNS resolver configuration with actor-controlled DNS servers.

Since endpoint devices, such as laptops, phones, and workstations, automatically inherit network configuration from routers via the Dynamic Host Configuration Protocol (DHCP), every device connecting through a compromised router unknowingly begins forwarding its DNS requests to Russian...

• Parkinsond
• Replies: 8
• Forum: Security News

•