Stealthy Russian Cyber Espionage Campaign Targets Outdated Routers to Steal Microsoft Authentication Tokens
Overview of the Attack
Security researchers have uncovered a sophisticated espionage campaign linked to Russia's military intelligence that exploits vulnerabilities in aging internet routers to silently harvest authentication tokens from Microsoft Office users. The operation, attributed to the threat actor known as Forest Blizzard—also referred to as APT28 or Fancy Bear—allowed state-sponsored hackers to intercept login credentials from over 18,000 networks without deploying any malware on targeted devices.

Campaign Details and Impact
Microsoft revealed in a blog post that more than 200 organizations and 5,000 consumer devices were caught in this covert spying network. The attackers primarily focused on government entities, including ministries of foreign affairs, law enforcement agencies, and third-party email providers. At its peak in December 2025, the operation compromised a vast array of internet routers—mostly outdated or unsupported models that had fallen behind on security patches.
How Routers Were Compromised
According to a report from Black Lotus Labs, the security division of internet backbone provider Lumen, the hackers did not need to install malicious software on the affected routers. Instead, they leveraged known vulnerabilities in older Mikrotik and TP-Link devices commonly used in small office and home office (SOHO) environments. By altering the Domain Name System (DNS) settings on these routers, the attackers redirected network traffic to servers under their control.
The UK's National Cyber Security Centre (NCSC) issued a separate advisory detailing how Russian cyber actors have been compromising routers. DNS hijacking, as this technique is known, allows attackers to intercept requests for legitimate websites and steer users to malicious sites designed to steal login credentials or other sensitive information.
Harvesting OAuth Tokens
Ryan English, a security engineer at Black Lotus Labs, explained that the compromised routers were reconfigured to use DNS servers pointing to a handful of virtual private servers owned by the attackers. Once the DNS settings were propagated to all users on the local network, the hackers could intercept any OAuth authentication tokens transmitted by those users. These tokens, which are normally exchanged after a successful login, grant ongoing access to services like Microsoft Office without requiring repeated password entry.
The tokens were not captured off the wire: HTTPS protects them in transit. The hijack works because the victim's own sign-in flow, following the poisoned DNS answer, delivers credentials and tokens to a host the attackers answer for, so no malware is needed on the victim's computer and the only artifact on the router is a changed resolver setting. A stolen token gave the attackers persistent, unauthorized access to email, documents, and other sensitive data across numerous organizations for as long as it remained valid, and the stealthy nature of the attack meant that victims often had no indication their accounts had been compromised.
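The check a practitioner would want after reading the above is whether the resolver a router hands out is steering sign-in hostnames somewhere else. The following is an added example, not code from the article, Black Lotus Labs or Microsoft: it resolves Microsoft sign-in hostnames through the LAN-assigned resolver and through a trusted resolver that a router cannot rewrite, then reports any address the LAN resolver returned that the trusted one did not. The hostname list, the approved-resolver allowlist and all IP addresses are assumptions or constructed test data; the resolver functions are injected so the check runs offline, with two network-backed resolvers included for real use.

```python
"""
Added example (not from the article, Black Lotus Labs or Microsoft):
detect a DNS-level redirect of Microsoft sign-in hostnames by comparing
answers from the router-advertised resolver with a trusted resolver.
"""
import json
import socket
import urllib.request
from ipaddress import ip_address, ip_network
from typing import Callable, Iterable

# Hostnames on the sign-in path of an Office client (assumed list; extend
# with your tenant's endpoints).
AUTH_HOSTNAMES = ("login.microsoftonline.com", "login.live.com",
                  "outlook.office365.com")

# Resolvers the LAN is supposed to advertise over DHCP (assumed allowlist,
# documentation-range address).
APPROVED_RESOLVERS = {"192.0.2.53"}

# A public SaaS hostname should never resolve to a private address.
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                        "192.168.0.0/16", "127.0.0.0/8")]

Resolver = Callable[[str], set[str]]


def check_resolver_source(advertised: str) -> list[str]:
    """The resolver the router advertises over DHCP must be one we approved."""
    if advertised in APPROVED_RESOLVERS:
        return []
    return [f"router advertises resolver {advertised}, not on the approved list"]


def compare_resolution(hosts: Iterable[str], lan: Resolver,
                       trusted: Resolver) -> list[str]:
    """One finding per address the LAN resolver returned that is private
    or that the trusted resolver did not return."""
    findings = []
    for host in hosts:
        lan_answers, trusted_answers = lan(host), trusted(host)
        for addr in sorted(lan_answers):
            if any(ip_address(addr) in net for net in PRIVATE_NETS):
                findings.append(f"{host}: LAN resolver returned private address {addr}")
            elif addr not in trusted_answers:
                findings.append(f"{host}: LAN resolver returned {addr}, "
                                f"trusted resolver returned {sorted(trusted_answers)}")
    return findings


# --- constructed data: a hijacked LAN resolver redirecting one hostname ---
_TRUSTED = {
    "login.microsoftonline.com": {"198.51.100.5"},
    "login.live.com": {"198.51.100.6"},
    "outlook.office365.com": {"198.51.100.7"},
}


def constructed_trusted(host: str) -> set[str]:
    return set(_TRUSTED[host])


def constructed_hijacked_lan(host: str) -> set[str]:
    # Only the sign-in hostname is steered to a constructed attacker address.
    if host == "login.microsoftonline.com":
        return {"203.0.113.10"}
    return constructed_trusted(host)


# --- network-backed resolvers for real use ---
def system_resolver(host: str) -> set[str]:
    """Resolve through whatever resolver the OS (usually via DHCP) is using."""
    return {info[4][0] for info in socket.getaddrinfo(host, 443, socket.AF_INET)}


def doh_resolver(host: str) -> set[str]:
    """Resolve via Google's DNS-over-HTTPS JSON endpoint; a router cannot
    rewrite this path because the client validates the TLS certificate."""
    url = f"https://dns.google/resolve?name={host}&type=A"
    with urllib.request.urlopen(url, timeout=5) as resp:
        answers = json.load(resp).get("Answer", [])
    return {a["data"] for a in answers if a.get("type") == 1}  # A records only


if __name__ == "__main__":
    for line in (check_resolver_source("203.0.113.53")
                 + compare_resolution(AUTH_HOSTNAMES, constructed_hijacked_lan,
                                      constructed_trusted)):
        print("FINDING:", line)
```

For live use, pass `system_resolver` and `doh_resolver` to `compare_resolution`. Expect some noise: CDN and anycast hostnames legitimately return different addresses to different resolvers, so in production compare LAN answers against the published Microsoft 365 IP ranges rather than demanding exact agreement, and treat a private-address answer for a public hostname as the highest-confidence signal.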
Attribution to Russian Intelligence
Forest Blizzard, also known as APT28 and Fancy Bear, is widely attributed to the military intelligence units within Russia's General Staff Main Intelligence Directorate (GRU). The group gained notoriety for its role in the 2016 interference in the U.S. presidential election, compromising the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee. This latest campaign demonstrates a continued focus on espionage and information gathering.
Technical Analysis: DNS Hijacking at Scale
The attack relied on the exploitation of known vulnerabilities in outdated router firmware. Many of the targeted devices were end-of-life models that no longer received security updates, making them easy prey. The attackers did not need to develop custom exploits; they simply used existing public tools and techniques to modify router configurations remotely.
Once the routers were under their control, the hackers pointed them at malicious DNS servers running on the attacker-controlled virtual private servers. These servers answered queries for Microsoft's authentication hostnames with the addresses of phishing pages that mimicked Microsoft's sign-in portals. Any device behind a hijacked router that looked up one of those hostnames, whether from a link in an email or web page or from an application signing in on its own, was silently sent to the fake page, where the login attempt was captured and relayed to the attackers.

The operation was remarkably efficient: because clients take their resolver from the router, a single compromised device could affect every user on the same local network, dozens or even hundreds at a time. Black Lotus Labs estimates that over 18,000 routers were co-opted at the peak of the campaign, potentially affecting hundreds of thousands of users.
Defense Recommendations for Organizations
In response to the threat, Microsoft and the NCSC have issued detailed guidance for organizations to protect themselves. Key recommendations include:
- Update router firmware regularly, especially for SOHO devices that may be overlooked in larger networks.
- Replace end-of-life routers with models that still receive security patches.
- Monitor DNS settings for unauthorized changes, as this is a telltale sign of hijacking.
- Require multi-factor authentication, preferably phishing-resistant methods such as FIDO2 security keys, so that a password captured on a spoofed sign-in page is not enough on its own. MFA does not revoke a token that has already been issued, so pair it with short token lifetimes and review of sign-in logs.
- Use encrypted DNS (DNS over HTTPS or DNS over TLS) configured on the endpoint or on a trusted internal resolver, so that clients do not simply inherit whatever resolver a compromised router advertises over DHCP.
- Conduct regular security audits of network infrastructure and patch known vulnerabilities promptly.
Additionally, organizations should consider deploying network segmentation to limit the blast radius of a compromised router. For consumers, keeping home routers on the latest firmware, changing default administrator credentials, and disabling management access from the WAN side can go a long way toward preventing similar attacks.
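Monitoring DNS settings for unauthorized changes, as recommended above, is easiest when the router can export its configuration as text. The following is an added example, not code from the article, NCSC, Microsoft or MikroTik: it parses the section/verb/key=value layout of a RouterOS `/export` and flags the three changes a DNS hijacker would make on such a device: unapproved upstream resolvers, static overrides for specific hostnames, and a DHCP scope that hands clients a resolver other than the router itself. The sample exports are constructed, and the approved-resolver set and router LAN address are assumptions to replace with your own values.

```python
"""
Added example (not from the article, NCSC, Microsoft or MikroTik):
audit a RouterOS `/export` text for the DNS changes a hijacker would make.
"""
import shlex
from dataclasses import dataclass


@dataclass
class Entry:
    section: str   # e.g. "/ip dns"
    verb: str      # "set" or "add"
    props: dict    # key=value pairs on the line


def parse_export(text: str) -> list[Entry]:
    """Parse the section header / verb / key=value layout of a RouterOS export."""
    entries, section = [], ""
    # RouterOS wraps long lines with a trailing backslash; rejoin them first.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)          # handles quoted values like comment="..."
        props = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            props[key] = value
        entries.append(Entry(section, tokens[0], props))
    return entries


def audit_dns(export_text: str, approved_upstream: set[str],
              router_lan_ip: str, expected_static: set[str] = frozenset()) -> list[str]:
    """Return one finding per DNS setting that deviates from the approved state."""
    findings = []
    for e in parse_export(export_text):
        if e.section == "/ip dns" and e.verb == "set":
            for srv in e.props.get("servers", "").split(","):
                if srv and srv not in approved_upstream:
                    findings.append(f"/ip dns: upstream resolver {srv} is not approved")
            if e.props.get("allow-remote-requests") == "yes":
                findings.append("/ip dns: allow-remote-requests=yes makes the router "
                                "a resolver for anyone who can reach it; confirm WAN filtering")
        elif e.section == "/ip dns static" and e.verb == "add":
            name = e.props.get("name", "")
            if name and name not in expected_static:
                findings.append(f"/ip dns static: unexpected override {name} -> "
                                f"{e.props.get('address')}")
        elif e.section == "/ip dhcp-server network" and e.verb == "add":
            for srv in e.props.get("dns-server", "").split(","):
                if srv and srv != router_lan_ip and srv not in approved_upstream:
                    findings.append(f"/ip dhcp-server network: clients are handed resolver {srv}")
    return findings


# Constructed sample exports (documentation-range addresses, not real devices).
HIJACKED_EXPORT = """\
# constructed sample, not a real device export
/ip dns
set allow-remote-requests=yes servers=203.0.113.7,203.0.113.8
/ip dns static
add address=203.0.113.10 name=login.microsoftonline.com
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
"""

CLEAN_EXPORT = """\
# constructed sample, not a real device export
/ip dns
set allow-remote-requests=no servers=192.0.2.53
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
"""

APPROVED = {"192.0.2.53"}   # assumed approved upstream resolver
ROUTER_LAN = "192.168.88.1"  # assumed router LAN address

if __name__ == "__main__":
    for finding in audit_dns(HIJACKED_EXPORT, APPROVED, ROUTER_LAN):
        print("FINDING:", finding)
```

Run it against a fresh `/export` on a schedule and diff the findings against a known-good baseline; a new upstream resolver or a static entry for a sign-in hostname appearing between two runs is exactly the change described in this article. TP-Link SOHO models do not offer a comparable text export, so for those the practical check is the client-side comparison of DNS answers.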
NCSC Advisory on Russian Cyber Activity
The UK's National Cyber Security Centre has published a detailed advisory on how Russian cyber actors compromise routers. The advisory highlights the widespread use of DNS hijacking as a preferred method for intelligence gathering and recommends that network administrators take immediate steps to secure their infrastructure.
Conclusion
The Forest Blizzard campaign underscores the persistent threat posed by state-sponsored hacking groups and their ability to exploit simple, low-tech vulnerabilities for high-impact espionage. By targeting outdated routers and leveraging DNS hijacking, the attackers were able to harvest authentication tokens on a massive scale—all without needing to break into individual computers. This operation serves as a stark reminder for organizations and individuals alike to keep their network hardware up to date and to adopt robust security practices to guard against stealthy token theft.