Russian Military Hackers Hijack 18,000+ Routers in Stealth Token Theft Campaign
Breaking: Russian GRU Hackers Exploit Old Routers to Steal Microsoft Office Tokens
Security experts today revealed a massive espionage campaign by Russia's GRU military intelligence unit, targeting over 18,000 internet routers to harvest authentication tokens from Microsoft Office users without deploying any malware. The operation, attributed to the threat actor known as Forest Blizzard (also APT28 or Fancy Bear), affected more than 200 organizations and 5,000 consumer devices, according to Microsoft.

Researchers at Black Lotus Labs, a division of Lumen Technologies, identified that at its peak in December 2025, the hackers exploited known vulnerabilities in end-of-life routers — mainly older Mikrotik and TP-Link devices marketed to small offices and home users. These routers were compromised to redirect DNS queries to attacker-controlled servers, enabling silent token theft.
"This is a remarkably simple but highly effective attack — no malware, no complex exploits," said Ryan English, Security Engineer at Black Lotus Labs. "They just modified DNS settings on unsupported routers and caught tokens as they flowed through."
How the Attack Worked
The hackers changed the Domain Name System (DNS) resolver settings on compromised routers so that every lookup from the local network was sent to attacker-controlled DNS servers. DNS normally translates host names into IP addresses; an attacker who controls the resolver can answer lookups for chosen domains with addresses of their own, rerouting users to fake login pages or through a server that sits between the victim and the real service and intercepts authentication data.
Because the change was made at the router, not on any endpoint, every device that obtained its DNS settings from that router was affected without being infected. Forest Blizzard used this position to capture OAuth tokens (credentials that prove a user has already authenticated, so that presenting one gives access without a fresh login) and then used those tokens to access Microsoft Office accounts and potentially other cloud services.
- Targeted routers: Mainly unsupported or outdated Mikrotik and TP-Link models (SOHO devices).
- Method: Exploited known flaws without installing malware; changed DNS settings remotely.
- Scale: Over 18,000 routers at peak, affecting government ministries, law enforcement, and email providers.
Background: Forest Blizzard and Russian Cyber Espionage
Forest Blizzard is a well-known Russian state-backed group linked to the General Staff Main Intelligence Directorate (GRU). They are infamous for hacking the Democratic National Committee and Hillary Clinton’s campaign during the 2016 U.S. presidential election.

This latest campaign reflects a shift toward stealthy, low-cost methods: no malware, no complex persistence mechanisms. Instead, they leverage outdated infrastructure that organizations and individuals neglect to secure.
The UK’s National Cyber Security Centre (NCSC) issued an advisory today, warning that Russian cyber actors have been increasingly compromising routers worldwide. “Hijacking DNS at the router level allows attackers to silently intercept authentication tokens without touching endpoints,” the NCSC stated.
What This Means
This attack demonstrates that even basic, unpatched network devices can become powerful espionage tools. For organizations, it highlights the critical need to update or retire legacy routers and to monitor DNS settings for unauthorized changes.
Consumers using older routers — especially Mikrotik or TP-Link models more than a few years old — should check for firmware updates or replace the device. Companies must treat router security as a priority, not an afterthought.
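The attack mechanics above come down to two observable signals: the router hands out a resolver address that is not one you approved, and that resolver answers lookups for Microsoft login hostnames with addresses that a trusted resolver does not return. The following script, added here as an illustration and not code from Black Lotus Labs, Microsoft or the NCSC, checks both signals. It works offline on constructed sample data (RFC 5737 documentation addresses; a resolv.conf-style snippet standing in for what a compromised router's DHCP server pushed); the watched hostnames, allowlist and answer sets are assumptions for the example.

```python
"""Audit a network for router-level DNS hijacking using two checks:

1. resolver addresses the router handed out that are not on an allowlist
2. answers for login hostnames that differ between the local resolver and a
   trusted resolver (e.g. one reached over DNS-over-HTTPS)

All sample data below is constructed for the example; the hostname list is an
assumption, not a list published by any of the parties in the article.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Hostnames whose answers an attacker would redirect to capture Microsoft sign-in
# traffic. Assumed for the example.
WATCHED_HOSTS = ("login.microsoftonline.com", "login.live.com", "outlook.office365.com")

# Resolvers the network is supposed to use: the router itself plus internal DNS.
ALLOWED_RESOLVER_NETWORKS = ("192.168.1.1/32", "10.0.0.0/8")

# Constructed sample: what a compromised SOHO router pushed via DHCP.
SAMPLE_RESOLV = """# constructed sample resolv.conf
nameserver 192.168.1.1
nameserver 198.51.100.23   # attacker-controlled resolver (documentation range)
"""

# Constructed answers: what the local resolver returned vs. a trusted resolver.
LOCAL_ANSWERS = {
    "login.microsoftonline.com": ["203.0.113.7"],
    "login.live.com": ["203.0.113.7"],
    "outlook.office365.com": ["198.51.100.40"],
}
TRUSTED_ANSWERS = {
    "login.microsoftonline.com": ["198.51.100.40", "198.51.100.41"],
    "login.live.com": ["198.51.100.42"],
    "outlook.office365.com": ["198.51.100.40"],
}


@dataclass
class Finding:
    kind: str
    detail: str


def parse_resolv_conf(text: str) -> list[str]:
    """Return nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"nameserver\s+(\S+)", line)
        if m:
            servers.append(m.group(1))
    return servers


def check_resolvers(servers: list[str], allowed_networks) -> list[Finding]:
    """Flag any resolver that is not inside an approved network."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            findings.append(Finding("bad-resolver", f"unparseable nameserver {s!r}"))
            continue
        if not any(ip in n for n in nets):
            findings.append(Finding("rogue-resolver", f"{s} is not an approved resolver"))
    return findings


def check_answers(local: dict, trusted: dict, hosts=WATCHED_HOSTS) -> list[Finding]:
    """Flag hosts whose local answers share no address with the trusted answers."""
    findings = []
    for h in hosts:
        la, ta = set(local.get(h, ())), set(trusted.get(h, ()))
        if not la:
            findings.append(Finding("no-answer", f"local resolver returned nothing for {h}"))
        elif not la & ta:
            findings.append(Finding("divergent-answer",
                                    f"{h}: local {sorted(la)} vs trusted {sorted(ta)}"))
    return findings


def audit(resolv_text: str, allowed_networks, local: dict, trusted: dict) -> list[Finding]:
    """Run both checks and return every finding in order."""
    return check_resolvers(parse_resolv_conf(resolv_text), allowed_networks) \
        + check_answers(local, trusted)


if __name__ == "__main__":
    for f in audit(SAMPLE_RESOLV, ALLOWED_RESOLVER_NETWORKS, LOCAL_ANSWERS, TRUSTED_ANSWERS):
        print(f"[{f.kind}] {f.detail}")
```

On the sample data the audit reports the rogue 198.51.100.23 resolver and divergent answers for the two login hosts, while outlook.office365.com passes. Against real Microsoft endpoints, exact-address comparison will produce false positives because the login services return different addresses per region and over time; in production compare the owner (prefix or ASN) of the returned addresses rather than the literal IPs, and treat a resolver outside your allowlist as the stronger signal.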
“This campaign is a wake-up call that the weakest link is often the network infrastructure itself,” added English. “Attackers are getting creative with low-tech hacks because they work.”
Microsoft has shared indicators of compromise and recommended enabling multifactor authentication to mitigate token theft. Note that a token captured after sign-in already carries the result of that MFA challenge, so MFA limits what an attacker can do with a phished password but does not by itself block replay of a stolen token. Organizations should therefore also review OAuth consent grants, enforce conditional access policies that check device compliance and sign-in location, and revoke active sessions for accounts that used a suspect network.