RC RANDOM CHAOS

Russia's Forest Blizzard Harvests Credentials en Masse Through Compromised SOHO Routers

· via Dark Reading

Original source

Russia's Forest Blizzard Nabs Rafts of Logins Via SOHO Routers


The Russian state-backed threat group Forest Blizzard (also tracked as APT28 or Fancy Bear) has been using compromised small office/home office (SOHO) routers to run large-scale credential-harvesting operations. The group turns these poorly secured consumer-grade devices into proxy infrastructure that relays its attacks, which complicates attribution and blocking and gives it durable infrastructure for repeated attempts against its targets.

SOHO routers are attractive targets because they rarely receive firmware updates, often still run with default credentials, and sit outside enterprise security monitoring. By chaining compromised routers into relay networks, Forest Blizzard can spray login attempts across target organizations while the traffic appears to come from ordinary residential IP addresses, which blends in with legitimate remote-user logins and is not caught by simple IP-reputation blocking. The stolen credentials feed further espionage operations aligned with Russian intelligence objectives.

Defenders should ensure SOHO routers run current firmware, disable remote management interfaces, replace default credentials, and monitor for anomalous authentication patterns, in particular low-rate login failures against many different accounts arriving from widely dispersed residential IP blocks. Spraying through a pool of relays keeps each source below per-IP lockout and rate-limit thresholds, so detection has to aggregate by targeted account and by source population rather than by single source address.
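The detection logic described above, as an added example that is not code from the Dark Reading article or from any vendor product. It parses a constructed authentication log, flags the classic single-source spray that per-IP lockouts already catch, and then aggregates by target to expose a distributed spray in which every relay stays under the lockout threshold. The log line format, the RESIDENTIAL_NETS ranges (taken from the RFC 5737 documentation blocks), and the threshold values are assumptions chosen for the example.

```python
"""Spot low-and-slow password spraying relayed through residential IP space."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical log format: "<ts> auth src=<ip> user=<name> result=OK|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>[\d.]+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Assumption: ranges the organisation classifies as residential/ISP space.
# RFC 5737 documentation networks stand in for real ISP allocations here.
RESIDENTIAL_NETS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Constructed sample log: one legitimate corporate login, one residential
# user who mistypes once then succeeds, five residential relays each making
# two failures, and one noisy non-residential source cycling six accounts.
SAMPLE_LOG = """
2024-05-02T08:00:01Z auth src=192.0.2.10 user=alice result=OK
2024-05-02T08:00:05Z auth src=198.51.100.9 user=heidi result=FAIL
2024-05-02T08:00:09Z auth src=198.51.100.9 user=heidi result=OK
2024-05-02T08:01:00Z auth src=203.0.113.1 user=bob result=FAIL
2024-05-02T08:01:02Z auth src=203.0.113.1 user=carol result=FAIL
2024-05-02T08:02:00Z auth src=203.0.113.2 user=dave result=FAIL
2024-05-02T08:02:02Z auth src=203.0.113.2 user=erin result=FAIL
2024-05-02T08:03:00Z auth src=203.0.113.3 user=frank result=FAIL
2024-05-02T08:03:02Z auth src=203.0.113.3 user=grace result=FAIL
2024-05-02T08:04:00Z auth src=203.0.113.4 user=bob result=FAIL
2024-05-02T08:04:02Z auth src=203.0.113.4 user=dave result=FAIL
2024-05-02T08:05:00Z auth src=203.0.113.5 user=carol result=FAIL
2024-05-02T08:05:02Z auth src=203.0.113.5 user=frank result=FAIL
2024-05-02T08:06:00Z auth src=192.0.2.77 user=bob result=FAIL
2024-05-02T08:06:01Z auth src=192.0.2.77 user=carol result=FAIL
2024-05-02T08:06:02Z auth src=192.0.2.77 user=dave result=FAIL
2024-05-02T08:06:03Z auth src=192.0.2.77 user=erin result=FAIL
2024-05-02T08:06:04Z auth src=192.0.2.77 user=frank result=FAIL
2024-05-02T08:06:05Z auth src=192.0.2.77 user=grace result=FAIL
""".strip().splitlines()


def is_residential(ip):
    addr = ip_address(ip)
    return any(addr in net for net in RESIDENTIAL_NETS)


def parse(lines):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_spray(events, per_ip_max=3, min_users=5, min_sources=4):
    """Return findings for single-source and distributed residential sprays.

    per_ip_max:  attempts a relay can make without tripping per-IP lockout
    min_users:   distinct accounts targeted before we call it a spray
    min_sources: distinct low-rate residential sources before we call it distributed
    """
    # A failure followed by a success from the same source for the same user
    # is treated as a fat-fingered legitimate login, not an attack attempt.
    success_pairs = {(e["src"], e["user"]) for e in events if e["result"] == "OK"}

    fails_by_src = defaultdict(list)  # src  -> [user, ...]
    fails_by_user = defaultdict(set)  # user -> {src, ...}
    for e in events:
        if e["result"] != "FAIL" or (e["src"], e["user"]) in success_pairs:
            continue
        fails_by_src[e["src"]].append(e["user"])
        fails_by_user[e["user"]].add(e["src"])

    findings = []
    # Classic spray: one source cycles through many accounts (per-IP view).
    for src, users in fails_by_src.items():
        if len(set(users)) >= min_users:
            findings.append({"kind": "single_source_spray", "src": src,
                             "users": sorted(set(users))})

    # Distributed spray: each relay stays at or under per_ip_max, so aggregate
    # by target instead: many residential sources, few attempts each,
    # collectively covering many accounts.
    low_rate_res = {s for s, u in fails_by_src.items()
                    if len(u) <= per_ip_max and is_residential(s)}
    targeted = {u for u, srcs in fails_by_user.items() if srcs & low_rate_res}
    if len(low_rate_res) >= min_sources and len(targeted) >= min_users:
        findings.append({"kind": "distributed_residential_spray",
                         "sources": sorted(low_rate_res), "users": sorted(targeted)})
    return findings


if __name__ == "__main__":
    for f in detect_spray(parse(SAMPLE_LOG)):
        print(f)
```

On the sample above the per-source rule fires only for 192.0.2.77; none of the five relays in 203.0.113.0/24 exceeds three attempts, so they are invisible to per-IP lockouts and surface only in the aggregated finding. The thresholds need tuning per environment, and the residential classification should come from a real ISP/ASN feed rather than a static list.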


This is an AI-generated summary. Read the original for the full story.