How do you protect the cloud when the gatekeeper lives in your office closet? Microsoft says that question is not hypothetical: attackers tied to Russia's GRU military intelligence agency are turning small-office and home-office routers into surveillance pivots by changing their DNS settings — a move Microsoft warns can enable decryption of TLS-protected traffic and let the adversary observe cloud activity at scale.
What Microsoft reported
Microsoft publicly warned that a campaign tied to Russia's GRU is compromising SOHO routers and hijacking their DNS settings. According to the company, that manipulation of DNS resolution is being used to spy on the cloud activities of high-value targets, including organizations in government, information technology, telecommunications and energy.
The company further cautioned that the DNS hijacking in this campaign "helps Russian hackers decrypt TLS traffic," creating the conditions for observation of communications that many assume are protected by encryption.
The immediate picture: targets and method
Microsoft's account identifies two central elements of the campaign: the target device class and the objective. Attackers are focusing on small-office and home-office routers — consumer and branch devices that sit at the network edge — and are modifying DNS settings on those devices. The stated intelligence objective is to collect intelligence on cloud-based activity tied to high-value organizations across several critical sectors.
Why this matters — perspectives to consider
- Technologists: A warning from Microsoft that DNS manipulation is being used to facilitate TLS decryption elevates the seriousness of router compromises. Edge devices that forward DNS queries can become strategic choke points if attackers can change how name resolution occurs, Microsoft says.
- Policymakers: The campaign described by Microsoft implicates sectors of national and economic importance — government, IT, telecommunications and energy. That concentration of targets suggests potential implications for national security and critical infrastructure oversight, according to Microsoft's characterization.
- Users and organizations: For organizations that rely on cloud services, the risk Microsoft outlines is not limited to a single server or account: when adversaries can observe cloud activity via compromised network infrastructure, the scope of potential exposure grows. Microsoft frames the threat as targeting "high-value" entities across multiple sectors.
- Adversaries: Microsoft attributes the campaign to actors tied to Russia's GRU, noting the operational choice to exploit SOHO routers and DNS settings to achieve broader visibility into encrypted cloud traffic.
What to take away
Microsoft's notice compresses a strategic lesson into a technical posture: edge devices matter. When small, widely deployed routers are co-opted to alter DNS resolution, attackers can turn routine network equipment into tools for observing cloud activity — and, Microsoft warns, for facilitating decryption of TLS traffic. The discovery raises immediate questions about device hygiene, supply-chain and firmware security, and the visibility organizations need into how their network edge handles name resolution.
If encryption alone is not sufficient when attackers control upstream DNS behavior, what combination of detection, hardening and policy will close the gap? Microsoft’s warning frames that dilemma as urgent.
https://www.govinfosecurity.com/russian-hackers-hit-soho-routers-in-cyberespionage-campaign-a-31354




