Hackers Exploit Milesight Routers to Send Phishing SMS to European Users – Internet


Published on: 2025-10-01

Intelligence Report: Hackers Exploit Milesight Routers to Send Phishing SMS to European Users – Internet

1. BLUF (Bottom Line Up Front)

The most supported hypothesis is that a threat actor is leveraging a known vulnerability in Milesight routers to conduct a widespread smishing campaign targeting European users. This exploitation is facilitated by the routers’ public API misconfiguration, allowing unauthorized access to SMS functionalities. Confidence level: Moderate. Recommended action includes immediate patching of vulnerable devices and increased monitoring of SMS traffic for signs of malicious activity.

2. Competing Hypotheses

1. **Hypothesis A**: A sophisticated threat actor is exploiting Milesight routers to conduct a targeted smishing campaign, using publicly accessible APIs to send phishing SMS messages to European users. This is part of a broader strategy to compromise personal and financial information by impersonating government and financial institutions.

2. **Hypothesis B**: The exploitation of Milesight routers is opportunistic, carried out by a less sophisticated actor who stumbled upon the vulnerability post-disclosure. The campaign is primarily driven by the ease of access and low cost of execution, rather than a coordinated effort to target specific entities or countries.

Using ACH 2.0, Hypothesis A is better supported due to the structured nature of the campaign, the use of typosquatted URLs, and the specific targeting of countries like Sweden, Italy, and Belgium, which suggests a level of planning and intent beyond opportunistic exploitation.

3. Key Assumptions and Red Flags

– **Assumptions**: It is assumed that the threat actor has the technical capability to exploit the vulnerability and that the routers remain unpatched due to user negligence or lack of awareness.
– **Red Flags**: The lack of specific attribution to a known threat group raises questions about the actor’s identity and motives. The rapid weaponization post-disclosure suggests potential insider knowledge or advanced reconnaissance.
– **Blind Spots**: Limited information on the exact scale of the campaign and the full list of affected entities.

4. Implications and Strategic Risks

The exploitation of these routers poses significant cybersecurity risks, potentially leading to widespread data breaches and financial fraud. The decentralized nature of the attack complicates detection and mitigation efforts. Economically, affected entities may face reputational damage and financial losses. Geopolitically, this could strain relations between affected countries and the router manufacturer if not addressed promptly.

5. Recommendations and Outlook

  • **Mitigation**: Urgently patch all vulnerable Milesight routers and conduct security audits to identify other potential vulnerabilities.
  • **Monitoring**: Enhance monitoring of SMS traffic for signs of phishing attempts and collaborate with telecom providers for rapid response.
  • **Awareness**: Increase awareness among users about the risks of unpatched devices and the importance of regular updates.
  • **Projections**:
    – **Best Case**: Rapid patching and awareness efforts lead to a significant reduction in successful phishing attempts.
    – **Worst Case**: Continued exploitation leads to major data breaches and financial losses across multiple sectors.
    – **Most Likely**: Incremental improvements in security posture reduce the impact but do not fully eliminate the threat.

6. Key Individuals and Entities

– **Bipin Jitiya**: Security researcher who disclosed the vulnerability.
– **Gro Oza**: Alleged operator of the Telegram bot linked to the campaign.
– **Sekoia**: French cybersecurity company involved in the investigation.

7. Thematic Tags

national security threats, cybersecurity, counter-terrorism, regional focus