How Russian State Hackers Exploit Old Routers to Hijack Office Authentication Tokens

Last updated: 2026-05-09 21:10:47 · Cybersecurity

Introduction

Security researchers have uncovered a widespread espionage campaign conducted by Russia's military intelligence (GRU) that leverages outdated internet routers to silently steal authentication tokens from Microsoft Office users. The operation, which peaked in December 2025, affected over 18,000 networks worldwide without requiring any malicious software installation on the routers themselves. Instead, the attackers exploited known vulnerabilities in aging hardware to redirect user traffic and intercept login credentials.

How Russian State Hackers Exploit Old Routers to Hijack Office Authentication Tokens
Source: krebsonsecurity.com

The Attack Method: DNS Hijacking via Router Flaws

The attackers, believed to be part of the GRU-linked threat group known as Forest Blizzard (also tracked as APT28 or Fancy Bear), focused on older Mikrotik and TP-Link routers commonly used in small offices and home offices (SOHO). These devices were often end-of-life or significantly behind on security patches.

No Malware Needed

Unlike many cyberattacks that rely on installing backdoors or trojans, this campaign used a simpler approach. The hackers modified the Domain Name System (DNS) settings on the compromised routers, redirecting traffic to malicious DNS servers under their control. As the UK's National Cyber Security Centre (NCSC) explains in a recent advisory, DNS hijacking allows attackers to secretly reroute users to fraudulent websites designed to capture login details and other sensitive information.

Intercepting OAuth Tokens

Once the DNS settings were altered, the attackers could intercept OAuth authentication tokens transmitted by users after they successfully logged into Microsoft Office services. These tokens are normally sent after the user authenticates and are used to maintain access without repeatedly entering passwords. By capturing them, the hackers could impersonate legitimate users without needing their actual credentials.

Scale and Targets of the Campaign

Microsoft reported that it identified more than 200 organizations and 5,000 consumer devices caught in this spy network. The campaign primarily targeted government agencies, including ministries of foreign affairs, law enforcement bodies, and third-party email providers. According to Black Lotus Labs, the security division of internet backbone provider Lumen, at the height of its activity in December 2025, the operation ensnared over 18,000 routers.

Geographic and Sectoral Focus

Black Lotus Labs researchers noted that the hackers concentrated on high-value diplomatic and law enforcement targets. The compromised routers were mostly unsupported, end-of-life devices, making them easy prey for attackers exploiting known vulnerabilities. The attackers did not need to install malware on the routers; they simply used existing flaws to change DNS configurations.

The Actor: Forest Blizzard (APT28 / Fancy Bear)

Forest Blizzard is attributed to the military intelligence units within Russia's General Staff Main Intelligence Directorate (GRU). This group has a notorious history, including the compromise of the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee during the 2016 U.S. presidential election. The DNS hijacking technique used in this latest campaign represents an evolution in their tactics, focusing on network infrastructure rather than traditional malware.

Why Routers?

Ryan English, a security engineer at Black Lotus Labs, explained that targeting routers allowed the hackers to propagate malicious DNS settings to all users on the local network. This meant that every device—computers, printers, smartphones—could be redirected to attacker-controlled servers without any action from the users. The intercepted OAuth tokens then provided persistent access to Microsoft Office accounts, enabling long-term espionage.

Mitigation and Recommendations

Both Microsoft and the NCSC have issued guidance for organizations to defend against this type of attack. Key steps include:

  • Update router firmware regularly to patch known vulnerabilities.
  • Replace end-of-life routers with supported models that receive security updates.
  • Monitor DNS settings for unauthorized changes and use secure DNS protocols (e.g., DNSSEC).
  • Implement multi-factor authentication (MFA) to reduce the impact of token theft.
  • Review OAuth token policies and revoke tokens from unknown sources.
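The "monitor DNS settings for unauthorized changes" step can be automated from an endpoint's point of view. The following is an added example written for this page, not guidance code from Microsoft or the NCSC; the approved resolver list, the IP addresses and the resolver answers are constructed sample values, and the hostnames are only used as lookup keys.

```python
"""Host-side check for the DNS hijack described above: flag handed-out resolvers
missing from the approved list and cross-check sign-in hostname answers against
a trusted resolver. All addresses below are constructed sample values."""
import ipaddress

APPROVED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}  # what the network should hand out
SENSITIVE_HOSTS = ("login.microsoftonline.com", "login.live.com")

def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def check_resolvers(servers, approved=APPROVED_RESOLVERS):
    """One finding per resolver that is not on the approved list."""
    findings = []
    for server in servers:
        if server in approved:
            continue
        try:
            scope = "public" if ipaddress.ip_address(server).is_global else "private"
        except ValueError:
            scope = "malformed"
        findings.append(f"unexpected {scope} resolver {server}")
    return findings

def compare_answers(local, trusted, hosts=SENSITIVE_HOSTS):
    """Flag hosts where the local resolver returns addresses the trusted one never
    returned. CDN-fronted names vary by region, so treat a mismatch as a lead to
    investigate with a second trusted resolver, not as proof of hijacking."""
    findings = []
    for host in hosts:
        extra = set(local.get(host, ())) - set(trusted.get(host, ()))
        if extra:
            findings.append(f"{host}: local answer {sorted(extra)} absent from trusted answer")
    return findings

# Constructed sample data: one approved resolver plus an off-network one whose
# answer for the sign-in host differs from the trusted resolver's.
SAMPLE_RESOLV_CONF = "nameserver 10.0.0.53\nnameserver 203.0.113.7  # not approved\n"
SAMPLE_LOCAL = {"login.microsoftonline.com": ["203.0.113.20"]}
SAMPLE_TRUSTED = {"login.microsoftonline.com": ["192.0.2.10", "192.0.2.11"]}

if __name__ == "__main__":
    for f in check_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF)) + compare_answers(SAMPLE_LOCAL, SAMPLE_TRUSTED):
        print("ALERT:", f)
```

In practice the `local` answers come from the resolver the router handed out and the `trusted` answers from a resolver reached over DoH or DoT, so a router-level redirect shows up as a resolver not on the approved list first and as diverging answers second.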

For Individual Users

Consumers should ensure their home routers are updated and consider changing the default administrator credentials. Using a reputable DNS service with built-in security features can also help prevent hijacking. Additionally, enabling MFA on Microsoft accounts adds an extra layer of protection even if tokens are stolen.

Conclusion

The Forest Blizzard campaign demonstrates how state-sponsored hackers can bypass traditional malware defenses by exploiting outdated network gear. By hijacking DNS settings and intercepting authentication tokens, they effectively create a covert surveillance network that spans thousands of organizations. As the NCSC warns, such attacks are likely to continue as long as vulnerable routers remain in use. Organizations must prioritize network hygiene and adopt modern security practices to stay ahead of these evolving threats.