Russian Military Hackers Hijack 18,000+ Routers in Stealth Token Theft Campaign
Breaking: Russian GRU Hackers Exploit Old Routers to Steal Microsoft Office Tokens
Security experts today revealed a massive espionage campaign by Russia's GRU military intelligence unit, targeting over 18,000 internet routers to harvest authentication tokens from Microsoft Office users without deploying any malware. The operation, attributed to the threat actor known as Forest Blizzard (also APT28 or Fancy Bear), affected more than 200 organizations and 5,000 consumer devices, according to Microsoft.

Researchers at Black Lotus Labs, a division of Lumen Technologies, identified that at its peak in December 2025, the hackers exploited known vulnerabilities in end-of-life routers — mainly older Mikrotik and TP-Link devices marketed to small offices and home users. These routers were compromised to redirect DNS queries to attacker-controlled servers, enabling silent token theft.
"This is a remarkably simple but highly effective attack — no malware, no complex exploits," said Ryan English, Security Engineer at Black Lotus Labs. "They just modified DNS settings on unsupported routers and caught tokens as they flowed through."
How the Attack Worked
The hackers changed the Domain Name System (DNS) settings on compromised routers, pointing them to malicious servers. DNS normally translates web addresses into IP addresses; hijacking it allows attackers to reroute users to fake login pages or intercept authentication data.
By altering DNS records at the router level, Forest Blizzard could intercept OAuth tokens — credentials that prove a user is already authenticated — from any device connected to the local network. The tokens were then used to access Microsoft Office accounts and potentially other cloud services.
- Targeted routers: Mainly unsupported or outdated Mikrotik and TP-Link models (SOHO devices).
- Method: Exploited known flaws without installing malware; changed DNS settings remotely.
- Scale: Over 18,000 routers at peak, affecting government ministries, law enforcement, and email providers.
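The defensive counterpart of the mechanism described above, as an added Python example that is not from the article, Black Lotus Labs or Microsoft: two checks that flag DNS traffic and DHCP-supplied nameservers pointing at resolvers outside an allowlist, which is how a router whose DNS setting has been changed would show up in egress logs and on client hosts. The log format, the addresses (TEST-NET ranges) and the allowlist are constructed assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed allowlist (not from the article): the router as LAN forwarder plus
# the ISP/corporate resolver it should use upstream.
ALLOWED_RESOLVERS = {"10.0.0.1", "192.0.2.53"}

# Constructed egress log. 10.0.0.1 is the router; 203.0.113.45 is a TEST-NET
# placeholder for an attacker-controlled resolver.
SAMPLE_LOG = """\
2025-12-02T08:14:01Z src=10.0.0.23 dst=10.0.0.1 proto=udp dport=53
2025-12-02T08:14:01Z src=10.0.0.1 dst=203.0.113.45 proto=udp dport=53
2025-12-02T08:14:05Z src=10.0.0.41 dst=203.0.113.45 proto=tcp dport=53
2025-12-02T08:15:11Z src=10.0.0.41 dst=198.51.100.7 proto=tcp dport=443
"""

# Constructed resolver config as a DHCP client might receive it from a hijacked router.
SAMPLE_RESOLV_CONF = "nameserver 10.0.0.1\nnameserver 203.0.113.45\nsearch corp.example\n"

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=\S+ dport=(\d+)")
DNS_PORTS = {53, 853}  # plain DNS and DNS-over-TLS


def find_rogue_resolvers(log_text, allowed):
    """Map each non-allowlisted DNS destination to the sorted hosts that queried it."""
    allowed_ips = {ipaddress.ip_address(a) for a in allowed}
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a flow record
        src, dst, dport = m.groups()
        if int(dport) not in DNS_PORTS:
            continue  # not DNS traffic
        if ipaddress.ip_address(dst) not in allowed_ips:
            hits[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in hits.items()}


def unauthorized_nameservers(resolv_conf, allowed):
    """Return configured nameservers that are not on the allowlist."""
    allowed_ips = {ipaddress.ip_address(a) for a in allowed}
    return [
        parts[1]
        for parts in (line.split() for line in resolv_conf.splitlines())
        if len(parts) >= 2 and parts[0] == "nameserver"
        and ipaddress.ip_address(parts[1]) not in allowed_ips
    ]
```

The router itself appearing as a source talking to an unknown resolver is the tell-tale for this campaign, since clients keep pointing at the router while its upstream has been swapped.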
Background: Forest Blizzard and Russian Cyber Espionage
Forest Blizzard is a well-known Russian state-backed group linked to the General Staff Main Intelligence Directorate (GRU). They are infamous for hacking the Democratic National Committee and Hillary Clinton’s campaign during the 2016 U.S. presidential election.

This latest campaign reflects a shift toward stealthy, low-cost methods: no malware, no complex persistence mechanisms. Instead, they leverage outdated infrastructure that organizations and individuals neglect to secure.
The UK’s National Cyber Security Centre (NCSC) issued an advisory today, warning that Russian cyber actors have been increasingly compromising routers worldwide. “Hijacking DNS at the router level allows attackers to silently intercept authentication tokens without touching endpoints,” the NCSC stated.
What This Means
This attack demonstrates that even basic, unpatched network devices can become powerful espionage tools. For organizations, it highlights the critical need to update or retire legacy routers and to monitor DNS settings for unauthorized changes.
Consumers using older routers — especially Mikrotik or TP-Link models more than a few years old — should check for firmware updates or replace the device. Companies must treat router security as a priority, not an afterthought.
“This campaign is a wake-up call that the weakest link is often the network infrastructure itself,” added English. “Attackers are getting creative with low-tech hacks because they work.”
Microsoft has shared indicators of compromise and recommended enabling multifactor authentication to mitigate token theft. Organizations should also review OAuth consent grants and enforce conditional access policies. For more details, see the Background and How the Attack Worked sections above.