Joint advisory on Russian GRU exploiting vulnerable routers to steal sensitive information – Canadian Centre for Cyber Security
Summary
The Canadian Centre for Cyber Security, together with the FBI, NSA and international partners, has issued a joint advisory warning that Russian GRU actors have been exploiting vulnerable small-office/home-office (SOHO) routers worldwide. The campaign focused on compromising edge routers to perform DNS hijacking and intercept sensitive military, government and critical infrastructure information. International law enforcement recently disrupted a GRU network of compromised routers used in these operations.
The advisory urges device owners and network defenders to reduce the attack surface on edge devices by taking immediate remediation actions: upgrade end-of-support devices, install the latest firmware, change default usernames and passwords, and disable remote management from the Internet.
Key Points
- Russian GRU threat actors are exploiting vulnerable SOHO routers to intercept and steal sensitive information via DNS hijacking.
- International partners have disrupted a network of compromised routers used in these operations.
- Primary mitigations: replace end-of-support devices, update firmware, change default credentials, and disable remote management interfaces exposed to the Internet.
- Edge devices are a growing attack vector; unpatched routers can enable broad surveillance and redirection of network traffic.
- The advisory links to further guidance on securing edge devices and a broader Five Eyes series warning about threats to such devices.
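One check a defender can run against the DNS-hijacking symptom described above (an added example, not code from the advisory or the Cyber Centre): compare the resolvers a router hands out over DHCP, and the answers that resolver returns for a few sensitive names, against a trusted baseline. All addresses and domain names are constructed placeholders.

```python
"""Flag DNS-hijack symptoms on a SOHO network by comparing what the router
advertises and answers against a trusted baseline (constructed sample data)."""
import ipaddress

# Assumed baseline: resolvers the organisation expects its routers to hand out,
# plus answers a trusted resolver gave for sensitive names. Hypothetical values.
TRUSTED_RESOLVERS = {ipaddress.ip_address(a) for a in ("192.0.2.53", "2001:db8::53")}
BASELINE_ANSWERS = {
    "mail.example.gov": {"198.51.100.10"},
    "vpn.example.mil": {"198.51.100.20"},
}


def audit_dhcp_resolvers(offered):
    """Return resolver entries from a DHCP offer that are not on the trusted list.
    Unparsable entries are reported as well, since a healthy router never sends them."""
    rogue = set()
    for addr in offered:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            rogue.add(addr)
            continue
        if ip not in TRUSTED_RESOLVERS:
            rogue.add(str(ip))
    return rogue


def audit_answers(observed):
    """Return baseline names whose answers from the router's resolver differ
    from the trusted answers; a redirected address is the hijack signature."""
    mismatched = {}
    for name, expected in BASELINE_ANSWERS.items():
        got = set(observed.get(name, ()))
        if got != expected:
            mismatched[name] = sorted(got)
    return mismatched


# Constructed sample: one unexpected resolver in the DHCP offer, and one name
# answered with an address that is not in the baseline.
SAMPLE_DHCP_OFFER = ["192.0.2.53", "203.0.113.7"]
SAMPLE_OBSERVED = {
    "mail.example.gov": ["198.51.100.10"],
    "vpn.example.mil": ["203.0.113.99"],
}

if __name__ == "__main__":
    print("rogue resolvers:", audit_dhcp_resolvers(SAMPLE_DHCP_OFFER))
    print("mismatched answers:", audit_answers(SAMPLE_OBSERVED))
```

In practice the `observed` answers would be gathered by querying the router-advertised resolver directly and the baseline from a resolver reached over an independent path, so the two views can be compared.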
Context and Relevance
This advisory is part of an ongoing trend: threat actors increasingly target edge and IoT devices because they are often poorly maintained yet hold a privileged position in the network. Compromised routers allow attackers to persist, redirect traffic, and capture credentials or sensitive communications without needing to breach internal systems directly. For organisations, government bodies and critical infrastructure operators, securing SOHO and edge devices is now an essential part of cyber defences.
The alert also ties into recent Five Eyes publications raising the alarm on edge-device security, signalling coordinated concern across allied nations and law enforcement.
Why should I read this?
Quick version: if you or your organisation uses small office or home routers, this affects you, and urgently. These devices are an easy entry point for nation-state spies who can quietly hijack DNS and siphon off sensitive data. Read the advisory, patch or replace dodgy kit, kill default logins and shut down remote management. It’s low effort for a big security win.
Author style
Punchy: This is high-priority intelligence — don’t skim it. If you manage networks or any edge devices, treat the recommendations as immediate action items rather than background reading.