Russian GRU Hackers Hijack Routers to Intercept Microsoft Office Authentication Tokens

2026-05-02 07:26:32

Introduction: A Stealthy Token Theft Campaign

Security researchers have uncovered a large-scale espionage operation linked to Russia's military intelligence, targeting outdated internet routers to silently harvest authentication tokens from Microsoft Office users. The campaign, which peaked in December 2025, compromised over 18,000 routers globally and affected more than 200 organizations and 5,000 consumer devices, according to Microsoft and Black Lotus Labs, the security division of internet backbone provider Lumen.

Russian GRU Hackers Hijack Routers to Intercept Microsoft Office Authentication Tokens
Source: krebsonsecurity.com

Unlike typical cyberattacks that rely on malware or malicious code, this operation exploited known vulnerabilities in aging routers—primarily MikroTik and TP-Link devices marketed to small offices and home offices (SOHO). By hijacking DNS settings, the attackers redirected traffic to their own servers, enabling them to steal OAuth authentication tokens that grant access to Microsoft Office accounts.

The Attackers: Forest Blizzard / APT28 / Fancy Bear

The threat actor behind this campaign, tracked as Forest Blizzard (also known as APT28 and Fancy Bear), is attributed to the military intelligence units of Russia's General Staff Main Intelligence Directorate (GRU). This group gained notoriety in 2016 for hacking the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee during attempts to interfere with the U.S. presidential election.

In this latest operation, the hackers primarily targeted government agencies—including ministries of foreign affairs, law enforcement bodies, and third-party email providers—in a bid to intercept sensitive communications and credentials.

How the DNS Hijacking Worked

Vulnerable Routers as Entry Points

The attackers focused on end-of-life routers or devices that were far behind on security updates. By leveraging known flaws in the firmware, they could modify the routers' Domain Name System (DNS) settings without installing any malware. This approach made detection extremely difficult.

Black Lotus Labs security engineer Ryan English explained that the hackers reconfigured compromised routers to point to DNS servers under their control—a handful of virtual private servers (VPS). Once changed, all users on the local network would unknowingly use these malicious DNS servers. As described below, this allowed the attackers to intercept OAuth authentication tokens transmitted by Microsoft Office applications.

Intercepting OAuth Tokens

OAuth tokens are generated after a user successfully logs into a service like Microsoft Office. They are then used to grant ongoing access without requiring repeated passwords. In a DNS hijacking attack, when a user's device attempts to reach legitimate Microsoft servers, the malicious DNS directs the request to a fake server mimicking Microsoft's authentication endpoint. The victim's credentials and token are captured, giving the attackers persistent access to Office accounts—including emails, documents, and calendars.

The U.K.'s National Cyber Security Centre (NCSC) issued a joint advisory detailing how Russian cyber actors have been compromising routers for such purposes. The advisory noted that DNS is the service that translates human-readable domain names (like office.com) into IP addresses. By interfering with this process, bad actors can covertly redirect users to malicious sites.
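The two symptoms described above, a router handing out resolvers that the organization does not operate and those resolvers answering differently for sign-in hostnames, can both be checked from an ordinary client on the network. The script below is an added example written for this page, not code from the article, Black Lotus Labs or Microsoft. It runs offline over constructed data: the approved resolver set, the dhclient lease text and both sets of DNS answers are placeholders, and `office.com` is the only hostname taken from the article.

```python
"""Client-side triage for router DNS hijacking.

Check 1: resolvers advertised by the router over DHCP must be in an approved set.
Check 2: answers from the router-provided resolver for watched hostnames must
         overlap with answers from an independent, trusted resolver.
All inputs here are constructed samples so the script runs without a network.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str
    detail: str


# Placeholder: the resolvers this organization actually runs (assumption).
APPROVED_RESOLVERS = frozenset({"10.0.0.53", "10.0.1.53"})

# Hostnames whose resolution is cross-checked; office.com comes from the article,
# an organization would add its own sign-in and mail endpoints.
WATCHED_HOSTNAMES = ("office.com",)

# Matches the DNS option line in ISC dhclient lease files.
_DNS_OPTION = re.compile(r"option\s+domain-name-servers\s+([^;]+);")


def parse_dhcp_resolvers(lease_text: str) -> list[str]:
    """Return resolvers advertised in dhclient lease text, in order, deduplicated."""
    seen: list[str] = []
    for match in _DNS_OPTION.finditer(lease_text):
        for raw in match.group(1).split(","):
            addr = raw.strip()
            if addr and addr not in seen:
                seen.append(addr)
    return seen


def check_resolvers(resolvers, approved=APPROVED_RESOLVERS) -> list[Finding]:
    """Flag every advertised resolver that is malformed or not on the approved list."""
    findings = []
    for addr in resolvers:
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            findings.append(Finding("malformed-resolver", f"{addr!r} is not an IP address"))
            continue
        if addr not in approved:
            findings.append(Finding("unapproved-resolver", f"{addr} is not an approved resolver"))
    return findings


def check_answers(router_answers, trusted_answers, hostnames=WATCHED_HOSTNAMES) -> list[Finding]:
    """Flag watched hostnames where the router resolver's answer shares no address
    with the trusted resolver's answer (or returns nothing at all)."""
    findings = []
    for host in hostnames:
        got = set(router_answers.get(host, ()))
        expected = set(trusted_answers.get(host, ()))
        if not got:
            findings.append(Finding("no-answer", f"{host}: router resolver returned no address"))
        elif not (got & expected):
            findings.append(Finding(
                "answer-mismatch",
                f"{host}: router resolver says {sorted(got)}, trusted resolver says {sorted(expected)}",
            ))
    return findings


def audit(lease_text, router_answers, trusted_answers) -> list[Finding]:
    """Run both checks and return the combined findings."""
    return check_resolvers(parse_dhcp_resolvers(lease_text)) + check_answers(router_answers, trusted_answers)


# Constructed sample lease: one approved resolver plus one the organization never configured.
SAMPLE_LEASE = """lease {
  interface "eth0";
  fixed-address 10.0.5.23;
  option subnet-mask 255.255.255.0;
  option routers 10.0.5.1;
  option domain-name-servers 10.0.0.53, 203.0.113.7;
  option domain-name "corp.example";
}
"""
# Constructed answers: the router-provided resolver points office.com at the unknown host.
SAMPLE_ROUTER_ANSWERS = {"office.com": ["203.0.113.7"]}
SAMPLE_TRUSTED_ANSWERS = {"office.com": ["198.51.100.10", "198.51.100.11"]}

if __name__ == "__main__":
    for finding in audit(SAMPLE_LEASE, SAMPLE_ROUTER_ANSWERS, SAMPLE_TRUSTED_ANSWERS):
        print(f"[{finding.check}] {finding.detail}")
```

The unapproved-resolver finding is the stronger signal, because a changed resolver list is exactly the modification the article describes and it should never appear on a managed network. An answer mismatch on its own is a triage lead rather than proof: CDN-backed hostnames legitimately return different addresses from different resolvers, so a mismatch is worth confirming against the service's published address ranges before treating it as a hijack.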

Scale of the Operation

At the peak of the campaign in December 2025, Forest Blizzard's surveillance net ensnared more than 18,000 routers worldwide. Microsoft identified over 200 organizations and 5,000 consumer devices caught in the network. The vast majority of routers were unsupported or obsolete models from MikroTik and TP-Link—devices often forgotten by their owners after initial setup.

The attackers did not need to install any malicious code on the routers; they simply used default credentials or known vulnerabilities to change DNS settings. This made the attack exceptionally low-cost and difficult to trace.

Recommendations for Protection

To mitigate such attacks, security experts recommend the following steps:

Organizations should also audit their network infrastructure for any SOHO routers that might be exposed to the internet, as these are prime targets for state-sponsored actors.

Conclusion

This campaign highlights the risks posed by outdated network devices and the sophistication of state-backed hacking groups. By exploiting simple configuration weaknesses, Russian GRU hackers managed to build a vast spying network that siphoned authentication tokens from thousands of victims without deploying malware. As the NCSC and industry partners like Lumen and Microsoft continue to track these activities, users and organizations must remain vigilant in securing their routers—the very gateways to the internet.
