Quick Facts
- Category: Cybersecurity
- Published: 2026-05-03 20:09:51
Overview
In late 2025, security researchers uncovered an espionage campaign run by Forest Blizzard, a threat actor linked to Russia's GRU military intelligence service and also tracked as APT28 or Fancy Bear. Rather than relying on malware, the campaign exploited outdated routers to harvest OAuth tokens from Microsoft Office users. By rewriting the DNS settings of vulnerable devices, the attackers could steer Microsoft sign-in traffic to servers they controlled and capture the tokens issued after a successful login, without deploying any malicious code on the routers themselves. Over 18,000 networks and 5,000 consumer devices were affected, touching more than 200 organizations including government ministries, law enforcement agencies, and third-party email providers. This guide dissects the attack vector, walks through the technical steps, and offers defensive guidance.

Prerequisites
To fully understand this attack, you should be familiar with:
- DNS resolution: how domain names are mapped to IP addresses, and why clients trust whatever resolver the router hands them.
- OAuth 2.0 and OpenID Connect: the authorization and sign-in protocols behind the access, ID and refresh tokens that Microsoft 365 (Office 365) clients carry.
- Router administration: basics of configuring network devices, especially MikroTik RouterOS and TP-Link firmware.
- Common vulnerabilities: how publicly known CVEs in end-of-life (EOL) routers are exploited.
Step-by-Step Breakdown of the Attack
1. Identifying Vulnerable Routers
Forest Blizzard scanned the internet for older MikroTik and TP-Link routers, particularly those that had reached their end-of-life or were running outdated firmware. These devices are popular in small office/home office (SOHO) environments. The attackers focused on models with publicly known but unpatched vulnerabilities—no zero-days required.
2. Exploiting Known Vulnerabilities to Modify DNS Settings
Instead of installing malware, the attackers used existing exploits for known CVEs (for example CVE-2018-14847, a Winbox directory-traversal bug in MikroTik RouterOS that exposes the stored administrator credentials) to gain access to the router's administration interface. Once inside, they changed the DNS configuration. On a MikroTik router the change is a single command:
/ip dns set servers=5.5.5.5,6.6.6.6 allow-remote-requests=yes
Here 5.5.5.5 and 6.6.6.6 stand in for the attacker-controlled virtual private servers (VPS). With allow-remote-requests enabled the router answers DNS for every client on the network, so all of them inherit the attacker's upstream resolvers.
3. Redirecting DNS Queries to Attacker-Controlled Servers
The hijacked routers forwarded every DNS request, for example the lookup that happens when a user opens login.microsoftonline.com, to the rogue resolvers. Those resolvers answered with the address of a server that mimicked the legitimate Microsoft authentication service. Because clients trust whatever answer their configured resolver returns, the redirect itself produces no warning; whether the connection then succeeds depends on the client validating the server's TLS certificate, which is the subject of step 4.
4. Intercepting OAuth Authentication Tokens
When a user authenticated to Microsoft Office 365, the OAuth flow produced a token after a successful login. That token, a bearer credential proving the user's identity and permissions, travels over HTTPS in normal use, and DNS hijacking alone does not break TLS: a rogue server can only present a certificate for login.microsoftonline.com that no trusted certificate authority issued, so a client that validates certificates refuses the connection. The redirect pays off where validation is weak or absent: clients that skip certificate checks, endpoints reached over plain HTTP, or flows in which the token is returned in a redirect URL (query string or fragment) or a POST body that the rogue endpoint can read once the client has connected to it. That is what the attacker-controlled servers captured.

5. Propagating Access Across the Network
Once an OAuth token was stolen, the attackers could use it to read the victim's Office 365 mailbox, files, and other cloud services without knowing the password. Multi-factor authentication is enforced at sign-in, so a token issued after a successful sign-in already embodies that MFA; replaying it requires no second factor. From there the attackers could move to other systems in the organization, limited only by the scopes the token carried and for as long as it remained valid.
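The check a defender would run for steps 2 and 3, as an added example that is not from the original article or the campaign it describes: a Python audit of a MikroTik `/ip dns export`, flagging upstream resolvers outside an allowlist, `allow-remote-requests=yes`, and static entries that override sign-in hostnames (the static-entry check goes beyond what the article describes; it is another way a router can redirect a name). The export text, the approved-resolver list and the hostnames are constructed for the example; the upstream servers reuse the article's placeholders 5.5.5.5 and 6.6.6.6.

```python
"""Audit a MikroTik RouterOS DNS export for the hijack pattern in steps 2 and 3.
Added example, not code from the article or from the campaign it describes."""
import re

# Constructed sample of `/ip dns export` output from a hijacked router. The
# upstream servers reuse the article's placeholder addresses; the static entry
# uses a documentation (TEST-NET-3) address.
ROUTER_EXPORT = """\
# nov/02/2025 10:14:22 by RouterOS 6.42
/ip dns
set allow-remote-requests=yes servers=5.5.5.5,6.6.6.6
/ip dns static
add address=203.0.113.10 name=login.microsoftonline.com
"""

# Resolvers the organisation approved (an assumption for this example).
APPROVED_RESOLVERS = frozenset({"192.0.2.53", "9.9.9.9"})

# Hostnames whose hijack would expose sign-in traffic (an assumption).
SENSITIVE_NAMES = frozenset({"login.microsoftonline.com", "login.microsoft.com"})


def parse_routeros_dns(export_text):
    """Return (upstream servers, allow_remote_requests, {name: address}) from
    the `/ip dns` and `/ip dns static` sections of a RouterOS export."""
    servers, allow_remote, static = [], False, {}
    section = None
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # section header, e.g. "/ip dns static"
            section = line
            continue
        if section == "/ip dns" and line.startswith("set"):
            m = re.search(r"\bservers=([\d.,]+)", line)
            if m:
                servers = m.group(1).split(",")
            allow_remote = "allow-remote-requests=yes" in line
        elif section == "/ip dns static" and line.startswith("add"):
            addr = re.search(r"\baddress=(\S+)", line)
            name = re.search(r"\bname=(\S+)", line)
            if addr and name:
                static[name.group(1)] = addr.group(1)
    return servers, allow_remote, static


def audit_router_dns(export_text, approved=APPROVED_RESOLVERS,
                     sensitive=SENSITIVE_NAMES):
    """Return a list of human-readable findings; an empty list means clean."""
    servers, allow_remote, static = parse_routeros_dns(export_text)
    findings = []
    for s in servers:
        if s not in approved:
            findings.append(f"unapproved upstream resolver {s}")
    if allow_remote:
        # The router answers DNS for any client that can reach it, so every
        # LAN host inherits the attacker's upstream choice.
        findings.append("allow-remote-requests=yes: router is a resolver for the LAN")
    for name, addr in static.items():
        severity = "sign-in hostname" if name in sensitive else "static entry"
        findings.append(f"{severity} overridden: {name} -> {addr}")
    return findings


if __name__ == "__main__":
    for finding in audit_router_dns(ROUTER_EXPORT):
        print("FINDING:", finding)
```

In practice the export text comes from `ssh admin@router '/ip dns export'` (and `/ip dns static export`) collected on a schedule; a non-empty finding list on a router that had been clean the day before is the signal the article's victims lacked.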
Common Mistakes in Defending Against Such Attacks
- Ignoring router firmware updates: Many organizations treat routers as “set and forget” devices. Failing to apply security patches leaves known vulnerabilities open.
- Using default credentials: If routers are still configured with admin/admin, attackers can log in directly without exploits.
- No DNS monitoring: Organizations often don’t audit DNS queries. Unexpected resolution to unknown IPs is a red flag.
- Assuming HTTPS is sufficient: TLS protects a connection only when the client validates the server's certificate against a trusted CA and checks the hostname. Clients that disable validation, endpoints reached over plain HTTP, and tokens returned through a redirect the attacker can observe all hand a DNS hijacker what the encryption was supposed to hide.
- Neglecting OAuth token lifecycle management: access tokens should be short-lived and scoped to the minimum an application needs, and refresh tokens, which mint new access tokens for as long as they live, must be protected and revocable.
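A way to measure the last two mistakes against a token you hold, as an added example that is not from the original article: a Python inspector that decodes a JWT access token without verifying it (inspection, not validation) and flags a long lifetime, scopes outside policy, and, where the Entra ID `amr` claim is present, a sign-in made without MFA. The claims, policy values and the unsigned demo token are constructed for the example; real Entra ID access tokens are signed and should be verified before anything trusts them.

```python
"""Inspect an OAuth access token's lifetime, scopes and sign-in strength.
Added example, not code from the article; decoding skips signature checks
because the goal is inspection of a token you already hold, not validation."""
import base64
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_jwt(claims: dict) -> str:
    """Build a JWT-shaped token with an empty signature for the demo only.
    Real Entra ID tokens are RS256-signed; this helper just mimics the layout."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()), ""])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS token WITHOUT verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(b64url_decode(parts[1]))


def audit_access_token(token: str, max_lifetime_s: int = 3600,
                       allowed_scopes=frozenset(), now=None) -> list:
    """Flag the properties that make a stolen token more useful to a thief:
    long lifetime, broad delegated scopes (scp), and a sign-in without MFA
    (the amr claim, when present, lists the authentication methods used)."""
    claims = decode_claims(token)
    now = int(time.time()) if now is None else now
    findings = []
    lifetime = claims["exp"] - claims["iat"]
    if lifetime > max_lifetime_s:
        findings.append(f"lifetime {lifetime}s exceeds policy {max_lifetime_s}s")
    if claims["exp"] <= now:
        findings.append("token already expired (replay would fail)")
    extra = set(claims.get("scp", "").split()) - set(allowed_scopes)
    if extra:
        findings.append("scopes beyond policy: " + " ".join(sorted(extra)))
    amr = claims.get("amr")
    if amr is not None and "mfa" not in amr:
        findings.append("issued without MFA: amr=" + ",".join(amr))
    return findings


# Constructed claims in the shape of an Entra ID access token (values invented).
ISSUED_AT = 1_762_000_000
RISKY_CLAIMS = {"aud": "https://graph.microsoft.com", "iat": ISSUED_AT,
                "exp": ISSUED_AT + 86_400, "upn": "user@example.test",
                "scp": "Mail.ReadWrite Files.ReadWrite.All", "amr": ["pwd"]}
HARDENED_CLAIMS = {"aud": "https://graph.microsoft.com", "iat": ISSUED_AT,
                   "exp": ISSUED_AT + 3_000, "upn": "user@example.test",
                   "scp": "Mail.Read", "amr": ["pwd", "mfa"]}

if __name__ == "__main__":
    policy = dict(max_lifetime_s=3600, allowed_scopes={"Mail.Read"},
                  now=ISSUED_AT + 60)
    for label, claims in (("risky", RISKY_CLAIMS), ("hardened", HARDENED_CLAIMS)):
        print(label, audit_access_token(make_demo_jwt(claims), **policy))
```

The risky token is exactly what the campaign profited from: a day-long lifetime, read-write mail and file scopes, and no MFA in its history, so a copy taken in transit is worth as much as the password. The hardened one expires in under an hour and grants read-only mail, which bounds the damage of any single capture.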
Summary
Forest Blizzard's attack was disturbingly low-tech: no malware and no zero-day exploits, just systematic exploitation of end-of-life routers and DNS hijacking. By stealing OAuth tokens they gained persistent access to Microsoft Office accounts across thousands of networks. Defenders should prioritize router patching (or replacement of EOL devices), enforce strong credential policies, monitor DNS traffic and router configuration, and harden tokens with Azure AD (now Microsoft Entra ID) Conditional Access policies, token protection that binds sessions to the device, and short-lived, narrowly scoped tokens. The incident is a reminder that even the most advanced adversaries often choose the simplest path.