Smishing at Scale: Attackers Abuse Milesight Cellular Routers as Decentralized SMS Gateways

CyberSecureFox 🦊

Threat researchers at Sekoia have documented ongoing campaigns, active since 2023, in which adversaries compromise Milesight cellular IoT routers and repurpose them as infrastructure for large‑volume SMS phishing (smishing). Honeypot telemetry indicates that a subset of these industrial devices is being used as decentralized SMS gateways, complicating detection and blocking by mobile network operators (MNOs) and anti‑spam systems.

Ongoing smishing campaigns abusing Milesight cellular IoT routers

Milesight routers are industrial 3G/4G/5G devices used to connect remote assets such as traffic lights, smart meters, and other IIoT nodes. They support management over SMS, Python scripting, and a web UI. According to Sekoia’s analysis, compromised routers were instructed to send SMS messages containing phishing URLs that redirected victims to credential‑harvesting pages impersonating government services and popular platforms.

Exposure and attack surface: 18,000 internet‑reachable routers

Sekoia’s internet‑wide scan identified over 18,000 accessible Milesight routers, with at least 572 exposing application programming interfaces (APIs) without authentication. Many devices run firmware more than three years out of date, carrying known vulnerabilities and default configurations that materially increase abuse risk.

Root causes and CVE‑2023‑43261 versus misconfiguration

One plausible entry point is CVE‑2023‑43261, addressed in firmware 35.3.0.7. However, some compromised devices were observed on non‑vulnerable versions, indicating additional vectors: open or misconfigured APIs, weak or default credentials, exposed web interfaces, and legacy SMS/Python modules left enabled. In multiple cases, unauthenticated internet exposure alone appears sufficient for attackers to trigger SMS‑sending functions.

How the smishing chain works: mobile‑only lures and credential theft

Targeting spanned several countries, with the most activity in Sweden, Belgium, and Italy. Messages typically urged recipients to “confirm identity” or log in, then funneled them to phishing pages designed to capture usernames and passwords.

To frustrate analysis, operators deployed JavaScript gating to render content only on mobile devices, disabled right‑click and browser debugging on some pages, and instrumented visits via a Telegram bot (GroozaBot). The actor behind the handle Gro_oza appears to operate in Arabic and French, based on infrastructure artifacts observed by researchers.

Why IoT‑backed smishing is hard to stop at the telecom layer

Using hijacked cellular routers gives attackers decentralized distribution across legitimate SIMs, countries, and carriers. This erodes simple blocklists and volume‑based heuristics that typically flag centralized spam campaigns. In IIoT settings, the impact extends beyond phishing: organizations can face data leakage, lateral compromise of adjacent networks, and direct financial loss from SMS fraud, including “pump‑and‑dump” style SMS pumping billed to their own SIMs.

These dynamics align with broader industry observations that smishing continues to rise as mobile becomes the primary channel for consumer interaction. Open‑source reporting from entities such as Sekoia, ENISA’s Threat Landscape analyses, and vendor threat reports (e.g., Proofpoint’s State of the Phish) consistently highlight SMS phishing as a fast‑growing social‑engineering vector.

Mitigation: hardening Milesight routers and IIoT environments

Defenders should prioritize configuration hygiene and telecom‑aware monitoring to reduce the likelihood that industrial routers become covert SMS relays. Practical steps include:

  • Update firmware to 35.3.0.7 or later and apply any vendor hotfixes to address known issues, including CVE‑2023‑43261.
  • Eliminate unauthenticated exposure of APIs and web interfaces; restrict management to VPN or Zero Trust access with MFA.
  • Disable or tightly scope SMS‑based administration where possible; enforce rate limiting and geofencing for outbound SMS.
  • Replace default accounts, enforce strong password policies, and rotate credentials regularly.
  • Monitor SMS volumes and destinations through MNO/billing portals; alert on spikes, anomalous geographies, and unknown prefixes.
  • Segment OT/IIoT networks, deny direct internet egress for management planes, and apply strict ACLs at routers and upstream firewalls.
  • Audit installed Python scripts and schedulers for unauthorized tasks; institute periodic configuration reviews.
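As an added illustration of the monitoring step above (example code written for this page, not from Sekoia, Milesight, or the original article), a short Python check that runs the spike, destination‑geography and unknown‑prefix rules over a constructed outbound‑SMS export. The country‑code table, the expected country, the known prefixes and the per‑hour threshold are assumptions for a hypothetical site and must be replaced with the organization’s own values.

```python
from collections import Counter
from datetime import datetime

# Constructed outbound-SMS export (timestamp, router id, E.164 destination); not real data.
SAMPLE_EXPORT = """\
2024-05-01T09:00:12,rtr-plant-01,+46701234567
2024-05-01T10:02:00,rtr-plant-02,+32470000001
2024-05-01T10:02:05,rtr-plant-02,+32470000002
2024-05-01T10:02:09,rtr-plant-02,+32470000003
2024-05-01T10:02:14,rtr-plant-02,+32470000004
2024-05-01T10:02:20,rtr-plant-02,+39330000001
"""
# Site-specific assumptions: routers only message Swedish numbers, only on two
# known prefixes, and never more than 4 messages per router per hour.
COUNTRY_CODES = {"46": "SE", "32": "BE", "39": "IT"}  # constructed, partial table
EXPECTED_COUNTRIES = {"SE"}
KNOWN_PREFIXES = {"4670", "4673"}
MAX_PER_HOUR = 4

def parse_export(text):
    """Return (timestamp, router, destination) tuples from the CSV-like export."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, router, dest = line.split(",")
            rows.append((datetime.fromisoformat(ts), router, dest))
    return rows

def country_of(number):
    """Longest-prefix match against COUNTRY_CODES; '??' when unknown."""
    digits = number.lstrip("+")
    for n in (3, 2, 1):
        if digits[:n] in COUNTRY_CODES:
            return COUNTRY_CODES[digits[:n]]
    return "??"

def find_alerts(rows):
    """Apply the spike, geography and prefix checks; return alert tuples."""
    alerts = []
    per_hour = Counter((r, ts.replace(minute=0, second=0)) for ts, r, _ in rows)
    for (router, hour), count in sorted(per_hour.items()):
        if count > MAX_PER_HOUR:  # volume spike from a single router
            alerts.append(("spike", router, hour.isoformat(), count))
    for _, router, dest in rows:
        cc = country_of(dest)
        if cc not in EXPECTED_COUNTRIES:  # anomalous destination geography
            alerts.append(("geo", router, dest, cc))
        if not any(dest.lstrip("+").startswith(p) for p in KNOWN_PREFIXES):
            alerts.append(("prefix", router, dest))  # unknown destination prefix
    return alerts
```

On the constructed sample, rtr-plant-01 produces no alerts while rtr-plant-02 trips all three rules, which is the pattern a compromised router relaying smishing traffic would show in a billing export.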

Industrial cellular routers are increasingly attractive to threat actors because they blend compute, programmability, and carrier‑grade SMS capabilities in one device. An accurate asset inventory, aggressive removal of public‑facing interfaces, timely patching, and telecom‑aware monitoring can sharply reduce abuse. Organizations that operationalize these controls will not only curb smishing risk but also limit financial exposure from SMS fraud while strengthening the overall resilience of their IIoT footprint.
