10 Crucial Facts About Russia's Router Hack to Steal Microsoft Tokens
In a sophisticated campaign that has exposed the vulnerabilities of aging networking equipment, Russian state-backed hackers have been quietly harvesting Microsoft Office authentication tokens from thousands of organizations. By hijacking outdated routers and manipulating Domain Name System (DNS) settings, the threat actor known as Forest Blizzard—linked to Russia's GRU—managed to intercept login tokens without deploying any malicious software. Here are ten essential details about this alarming operation.
1. The Scale of the Attack
At its peak in December 2025, the surveillance network ensnared more than 18,000 routers, affecting over 200 organizations and roughly 5,000 consumer devices. The operation spread across numerous networks, demonstrating the reach and persistence of the attackers. This breadth highlights how a single compromised router can become a gateway for mass data theft.

2. The Threat Group Behind It: Forest Blizzard
Also known as APT28 and Fancy Bear, Forest Blizzard is attributed to the military intelligence units within Russia's General Staff Main Intelligence Directorate (GRU). This group has a long history of cyber espionage, including the high-profile interference in the 2016 U.S. presidential election. Their latest operation shows they continue to adapt and target critical infrastructure.
3. Primary Targets: Governments and Email Providers
The hackers focused on government agencies, particularly ministries of foreign affairs and law enforcement, as well as third-party email providers. These entities often hold sensitive communications and are prime targets for intelligence gathering. By intercepting tokens, the attackers could access official accounts without raising alarms.
4. How the Attack Worked: DNS Hijacking
The attackers exploited known vulnerabilities in older routers to modify DNS settings, redirecting users to malicious servers controlled by Forest Blizzard. When victims typed a legitimate web address, their traffic was silently rerouted to fake sites designed to capture login credentials and authentication tokens. This technique, called DNS hijacking, is both simple and effective.
5. No Malware Required
Remarkably, the GRU hackers did not need to install any malicious code on the targeted routers. Instead, they leveraged pre-existing flaws to change configuration settings. This made the attack stealthier and harder to detect, as traditional antivirus software would find nothing amiss.
6. Vulnerable Devices: End-of-Life Routers
The compromised routers were mostly end-of-life models from manufacturers such as MikroTik and TP-Link, often marketed to the small office/home office (SOHO) segment. These devices no longer receive security patches, making them easy prey. The attack underscores the dangers of keeping unsupported hardware in service.

7. Stealing OAuth Authentication Tokens
Once the DNS hijacking was in place, the attackers could intercept OAuth tokens transmitted by users after successful login. These tokens grant access to Microsoft Office accounts, allowing the hackers to impersonate users, read emails, and access documents without needing passwords. The theft occurred entirely in the background.
8. Discovery by Security Researchers
The operation was uncovered by Black Lotus Labs, the security division of internet backbone provider Lumen, and detailed in a joint advisory with Microsoft and the UK's National Cyber Security Centre (NCSC). Their analysis revealed the scale and methodology of the campaign, providing crucial insights for defenders.
9. Historical Context: APT28's Legacy
Forest Blizzard is the same group that compromised the Democratic National Committee (DNC) and Hillary Clinton's campaign in 2016. Their current focus on router-based token theft shows a shift toward more passive, low-noise surveillance, but their capability to disrupt remains high.
10. Mitigation and Recommended Actions
To protect against such attacks, organizations should replace end-of-life routers with supported models and apply security patches promptly. Additionally, monitoring DNS requests for anomalies and using secure DNS services can help detect hijacking. Users should enable multi-factor authentication (MFA) to reduce the impact of token theft. Regular audits of network devices are essential.
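The "monitor DNS requests for anomalies" advice above can be turned into a concrete check. The script below is an added example, not code from the advisory or from any vendor; it scans DNS query logs for the two signals a router-based hijack of the kind described here would leave: endpoints talking to a resolver the organization never sanctioned, and Microsoft sign-in hostnames resolving to addresses outside an expected baseline. The log format, the sanctioned resolver list, the address ranges and the sample lines are all constructed for illustration and must be replaced with your own baseline.

```python
import ipaddress
import re

# Resolvers the organization actually operates or sanctions (constructed sample values).
SANCTIONED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Hostnames on the Microsoft sign-in path; a DNS hijack must answer these with
# attacker-controlled addresses to get in front of the OAuth token exchange.
WATCHED_HOSTS = {"login.microsoftonline.com", "login.live.com", "outlook.office.com"}

# Address ranges the watched hosts are expected to resolve into. Placeholder
# values for the example: populate from your own observed baseline.
EXPECTED_RANGES = [ipaddress.ip_network("20.190.128.0/18"), ipaddress.ip_network("40.126.0.0/18")]

# Constructed log format: "<client> -> <resolver> Q <name> A <answer_ip>"
LINE_RE = re.compile(r"^(\S+) -> (\S+) Q (\S+) A (\S+)$")


def analyze(log_lines):
    """Return a list of (client, reason) findings for DNS-hijack indicators."""
    findings = []
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        client, resolver, name, answer = m.groups()
        # Indicator 1: a client querying a resolver nobody sanctioned, which is
        # exactly what a tampered router DNS setting produces on the LAN.
        if resolver not in SANCTIONED_RESOLVERS:
            findings.append((client, f"query to unsanctioned resolver {resolver}"))
        # Indicator 2: a sign-in hostname answered with an off-baseline address.
        if name.rstrip(".").lower() in WATCHED_HOSTS:
            ip = ipaddress.ip_address(answer)
            if not any(ip in net for net in EXPECTED_RANGES):
                findings.append((client, f"{name} resolved to off-baseline address {answer}"))
    return findings


# Constructed sample log: one clean lookup, one redirected client, one benign
# query to an unrelated name, and one poisoned answer from a sanctioned resolver.
SAMPLE_LOG = [
    "10.0.5.21 -> 10.0.0.53 Q login.microsoftonline.com A 20.190.151.7",
    "10.0.5.22 -> 198.51.100.9 Q login.microsoftonline.com A 198.51.100.10",
    "10.0.5.23 -> 10.0.1.53 Q example.org A 93.184.216.34",
    "10.0.5.24 -> 10.0.0.53 Q outlook.office.com A 203.0.113.44",
]

if __name__ == "__main__":
    for client, reason in analyze(SAMPLE_LOG):
        print(f"{client}: {reason}")
```

The second indicator matters because a compromised router can also answer queries itself, so the resolver address looks normal while the answer does not.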
The Forest Blizzard campaign serves as a stark reminder that even old, unassuming hardware can be weaponized for sophisticated espionage. By understanding the methods used, organizations can better safeguard their networks and authentication systems. Vigilance and proactive maintenance remain the best defenses against these hidden threats.