
10 Things You Need to Know About Russia's Router Hacking to Steal Microsoft Tokens

2026-05-02 01:59:01

In a sophisticated cyber espionage campaign, Russian military intelligence hackers have been exploiting vulnerabilities in outdated routers to steal authentication tokens from Microsoft Office 365 users. This stealthy operation, uncovered by security researchers at Lumen's Black Lotus Labs and Microsoft, targeted thousands of networks without deploying a single piece of malware. Here are ten essential facts about this alarming threat.

1. The Threat Actor: Forest Blizzard (APT28)

The hacking group behind this campaign is known as Forest Blizzard, also tracked as APT28 and Fancy Bear. They are linked to the GRU, Russia's military intelligence directorate. This group is infamous for interfering in the 2016 U.S. presidential election by breaching the Hillary Clinton campaign and the Democratic National Committee. Their latest tactic focuses on router compromise to harvest OAuth tokens.

Source: krebsonsecurity.com

2. No Malware Required for the Attack

A critical aspect of this campaign is that the attackers did not need to install any malicious software on the targeted routers. Instead, they took advantage of known vulnerabilities to modify the routers' DNS settings. This approach made the attacks exceptionally stealthy and difficult to detect, as no suspicious files were left on the devices.

3. Focus on Older, Unsupported Routers

The campaign primarily targeted end-of-life or heavily outdated routers, especially MikroTik and TP-Link models commonly used in small offices and home offices. These devices often lack security patches, making them easy prey. At the peak in December 2025, the attackers had compromised over 18,000 routers across the globe.

4. DNS Hijacking as the Core Technique

By altering the routers' domain name system (DNS) settings, the hackers redirected users to malicious servers under their control. DNS normally translates human-friendly web addresses into IP addresses. In this attack, the modified settings sent authentication requests to fake pages designed to capture OAuth tokens, which grant access to Microsoft Office accounts.

5. OAuth Tokens: The Ultimate Prize

OAuth tokens are digital credentials that allow users to access services like Microsoft 365 without repeatedly entering passwords. Because these tokens are transmitted after a successful login, stealing them gives attackers persistent, unauthorized access to email, documents, and other sensitive data. The tokens were harvested en masse across affected networks.

6. Scale of the Surveillance Network

According to Microsoft, the campaign compromised more than 200 organizations and 5,000 consumer devices. Lumen's Black Lotus Labs reported that the network of hijacked routers spanned over 18,000 endpoints. The true scale may be larger, as many victims remain unaware of the stealthy redirections.


7. Primary Targets: Government and Law Enforcement

The attackers specifically aimed at high-value targets, including ministries of foreign affairs, law enforcement agencies, and third-party email providers. These organizations handle sensitive diplomatic and security information, making them prime intelligence gathering nodes for a state-sponsored adversary like Forest Blizzard.

8. How the Attack Propagated Through Networks

Once a single router was compromised, the malicious DNS settings affected every user on that local network. Any device connecting through the router, whether a laptop, smartphone, or IoT device, could have its traffic redirected. By abusing this shared dependency on the router's resolver settings, the attackers cast a wide net without having to target individual machines.

9. Detection and Response by Security Experts

Black Lotus Labs discovered the campaign by analyzing DNS traffic anomalies. Microsoft issued a blog post detailing the threat and providing guidance. The UK's National Cyber Security Centre also released an advisory warning about Russian cyber actors compromising routers. Organizations are urged to update or replace outdated routers and audit their DNS configurations.

10. Mitigation Steps for Individuals and Organizations

To defend against such attacks, users should ensure routers are running the latest firmware, disable remote management if unnecessary, and use DNSSEC to secure DNS queries. Organizations should monitor for unauthorized DNS changes and consider implementing multi-factor authentication beyond OAuth tokens. Replacing end-of-life routers with supported models is critical.
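The "monitor for unauthorized DNS changes" step above can be scripted. The following is an added example, not code from the article or from any of the vendors mentioned: it compares the resolvers a client actually received against an allowlist, and checks that a sentinel name (login.microsoftonline.com, a real Microsoft sign-in host) resolves into address ranges you recorded earlier from a trusted path. The allowlist, the baseline ranges and the sample inputs are all constructed placeholders.

```python
import ipaddress
from typing import Iterable

# Constructed baseline: the resolvers your router/DHCP is supposed to hand out
# (assumption; replace with your own). Anything else is treated as suspect.
EXPECTED_RESOLVERS = {"10.0.0.53", "1.1.1.1"}

# Constructed baseline: ranges the sentinel name resolved to when queried over a
# trusted path (assumption; 198.51.100.0/24 is documentation space, not Microsoft's).
SENTINEL_BASELINE = {
    "login.microsoftonline.com": ["198.51.100.0/24"],
}


def unexpected_resolvers(configured: Iterable[str],
                         expected=EXPECTED_RESOLVERS) -> list[str]:
    """Resolver addresses present in a client's DNS config but absent from the baseline."""
    return sorted(set(configured) - set(expected))


def hijack_indicators(observed: dict[str, list[str]],
                      baseline=SENTINEL_BASELINE) -> dict[str, list[str]]:
    """For each sentinel name, return the answers that fall outside its baseline ranges."""
    findings = {}
    for name, answers in observed.items():
        nets = [ipaddress.ip_network(n) for n in baseline.get(name, [])]
        bad = [a for a in answers
               if not any(ipaddress.ip_address(a) in net for net in nets)]
        if bad:
            findings[name] = bad
    return findings


def audit(configured: Iterable[str], observed: dict[str, list[str]]) -> dict:
    """Combine both checks; an empty report means neither indicator fired."""
    report = {}
    rogue = unexpected_resolvers(configured)
    if rogue:
        report["unexpected_resolvers"] = rogue
    off_baseline = hijack_indicators(observed)
    if off_baseline:
        report["off_baseline_answers"] = off_baseline
    return report


if __name__ == "__main__":
    # Constructed sample: a client whose router started handing out a rogue
    # resolver (203.0.113.7, TEST-NET-3) that answers the sentinel with its own host.
    sample_config = ["203.0.113.7", "10.0.0.53"]
    sample_answers = {"login.microsoftonline.com": ["203.0.113.20"]}
    print(audit(sample_config, sample_answers))
```

In practice, feed `configured` from each client's resolver settings (or the router's DHCP options) and `observed` from a scheduled lookup of the sentinel name, and alert whenever `audit` returns a non-empty report.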

This campaign underscores the evolving tactics of state-sponsored hackers who increasingly target network infrastructure rather than individual devices. By hijacking routers and stealing authentication tokens, Russia's GRU-affiliated hackers have built a powerful, low-noise espionage tool. Awareness and proactive security hygiene are the best defenses against such stealthy adversaries.
