GRU-Linked Hackers Hijack 18,000 Routers in Massive Token Theft Campaign

Breaking: Massive Router Hijack Campaign Targets Microsoft Tokens

Security researchers have uncovered a widespread espionage campaign by Russia's GRU military intelligence unit that compromised over 18,000 internet routers to stealthily steal authentication tokens from Microsoft Office users. The operation, active since at least December 2025, affected more than 200 organizations and 5,000 consumer devices across the globe.

Source: krebsonsecurity.com

How the Attack Works

According to a new report from Black Lotus Labs, the security division of internet backbone provider Lumen, the hackers—known as Forest Blizzard or APT28—exploited known vulnerabilities in older, unpatched routers. These devices were mostly end-of-life models from MikroTik and TP-Link, commonly used in small offices and home offices. Notably, no malware was deployed on the routers themselves.

"The GRU hackers modified the DNS settings of the routers to point to their own malicious servers," said Ryan English, a security engineer at Black Lotus Labs. "This allowed them to intercept any OAuth authentication tokens transmitted over the network without triggering alarms."

OAuth tokens are credentials issued after a successful sign-in that let a user stay logged into services like Microsoft Office without repeatedly entering a password. By capturing these tokens, the attackers could gain persistent access to victims' accounts—even after passwords were changed.

Scale of the Operation

Microsoft corroborated the findings in a blog post, identifying 200 organizations and 5,000 consumer devices caught in the net. The targets included government ministries of foreign affairs, law enforcement agencies, and third-party email providers. At its peak in December 2025, the surveillance dragnet ensnared routers across more than 18,000 unique networks.

Background: Forest Blizzard's Long History

Forest Blizzard, also tracked as APT28 and Fancy Bear, is attributed to Unit 26165 of Russia's Main Intelligence Directorate (GRU). The group gained notoriety in 2016 for hacking the Democratic National Committee and Hillary Clinton's presidential campaign. Since then, it has been linked to numerous cyberespionage operations targeting governments, militaries, and critical infrastructure.

The current campaign marks a shift in tactics: instead of deploying custom malware, the hackers relied on DNS hijacking through compromised routers. This approach is far harder to detect because it exploits legitimate network infrastructure.

What This Means for Users and Organizations

The attack demonstrates that even without sophisticated malware, state-sponsored hackers can achieve persistent access to sensitive systems. Organizations using outdated or unpatched routers are especially vulnerable. The U.K.'s National Cyber Security Centre (NCSC) has issued an advisory urging all entities to update router firmware, disable remote management where possible, and monitor for unusual DNS traffic.
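As an added illustration of the "monitor for unusual DNS traffic" advice (example code written for this page, not from the article, Black Lotus Labs or the NCSC), the script below flags LAN clients whose lookups go to resolvers outside a sanctioned set, which is how a router with rewritten DNS settings becomes visible from inside the network. The flow-record format, the allowlist and every address are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed allowlist: the resolvers this network is supposed to use.
ALLOWED_RESOLVERS = {"10.0.0.53", "1.1.1.1", "9.9.9.9"}

# Constructed flow records in an assumed format:
# "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_FLOWS = """\
2025-12-03T08:12:01Z udp 10.0.0.17:51234 -> 10.0.0.53:53
2025-12-03T08:12:02Z udp 10.0.0.17:51235 -> 203.0.113.44:53
2025-12-03T08:12:05Z tcp 10.0.0.21:44321 -> 203.0.113.44:53
2025-12-03T08:12:07Z udp 10.0.0.21:44322 -> 1.1.1.1:53
2025-12-03T08:12:09Z tcp 10.0.0.17:44400 -> 198.51.100.9:443
"""

def parse_flow(line):
    """Return (proto, src_ip, dst_ip, dst_port), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    src_ip = parts[2].rsplit(":", 1)[0]
    dst_ip, dst_port = parts[4].rsplit(":", 1)
    try:
        ipaddress.ip_address(src_ip)
        ipaddress.ip_address(dst_ip)
        return parts[1].lower(), src_ip, dst_ip, int(dst_port)
    except ValueError:
        return None

def find_rogue_resolvers(flow_text, allowed=ALLOWED_RESOLVERS):
    """Map each unsanctioned DNS destination (port 53/853) to its clients; a router
    with rewritten DNS settings shows up as many LAN hosts using one unfamiliar address."""
    rogue = defaultdict(set)
    for line in flow_text.splitlines():
        rec = parse_flow(line)
        if rec and rec[3] in (53, 853) and rec[2] not in allowed:
            rogue[rec[2]].add(rec[1])
    return {dst: sorted(srcs) for dst, srcs in rogue.items()}

def unexpected_nameservers(resolv_conf_text, allowed=ALLOWED_RESOLVERS):
    """Return nameserver entries (resolv.conf style) that are not on the allowlist."""
    return [f[1] for f in (l.split() for l in resolv_conf_text.splitlines())
            if len(f) >= 2 and f[0] == "nameserver" and f[1] not in allowed]

if __name__ == "__main__":
    for dst, clients in find_rogue_resolvers(SAMPLE_FLOWS).items():
        print(f"unsanctioned resolver {dst} used by {len(clients)} client(s): {clients}")
```

Feed it exported flow records from the firewall or router and the DHCP-supplied nameservers from a few hosts; a single unfamiliar address shared by many clients is the pattern to escalate.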

"This campaign highlights the critical importance of securing network edge devices," said a spokesperson for the NCSC. "Routers are the gateways to your digital infrastructure—if they are compromised, everything behind them is at risk."

Immediate Recommendations

Conclusion

This massive and stealthy operation underscores the evolving threat landscape where attackers leverage network infrastructure rather than endpoint malware. With the GRU's proven ability to adapt, organizations must prioritize router security as part of their cyber defense strategy.

This is a breaking story. More details will be added as they become available.
