Russia-Linked Hackers Hijack Routers to Steal Microsoft Office Authentication Tokens: Q&A

In a sophisticated cyber espionage campaign, hackers tied to Russia's military intelligence (GRU) have exploited vulnerabilities in outdated internet routers to silently harvest Microsoft Office authentication tokens. This attack, attributed to the threat actor Forest Blizzard (also known as APT28 or Fancy Bear), compromised over 18,000 networks without installing any malware. Instead, the attackers manipulated DNS settings to intercept sensitive tokens. Below, we answer key questions about this operation, its methods, targets, and implications.

What is Forest Blizzard and how did they compromise routers?

Forest Blizzard is a Russian state-sponsored hacking group linked to the GRU, Russia's military intelligence agency. Also known as APT28 or Fancy Bear, it is infamous for interfering in the 2016 U.S. presidential election by hacking the Hillary Clinton campaign, the DNC, and the DCCC. In this campaign, the group targeted older, unsupported internet routers, primarily from Mikrotik and TP-Link, which are common in small offices and home offices. Instead of deploying malware, it exploited known vulnerabilities to modify the routers' DNS settings. That change redirected the networks' DNS lookups to attacker-controlled DNS servers, which let the group intercept authentication tokens without running any malicious code on the routers themselves.

Russia-Linked Hackers Hijack Routers to Steal Microsoft Office Authentication Tokens: Q&A
Source: krebsonsecurity.com

How did the DNS hijacking attack work?

The attack relied on DNS hijacking, in which attackers tamper with the Domain Name System, the service that translates human-friendly host names into IP addresses. Forest Blizzard exploited router flaws to change the DNS server settings on compromised devices so that lookups from the whole network were answered by virtual private servers the group controlled. When a user on that network signed in to a Microsoft Office service, the rogue resolvers could steer the login traffic to attacker-controlled infrastructure and capture the OAuth authentication token, the credential that normally grants seamless access after the initial login. The attackers could then use those tokens to access the user's Office accounts, all without triggering security alerts or requiring any additional malware.

What were the scale and impact of the attack?

According to Microsoft and Lumen's Black Lotus Labs, the attack peaked in December 2025 and ensnared more than 18,000 internet routers across over 200 organizations and 5,000 consumer devices. The compromised networks belonged primarily to government agencies, including ministries of foreign affairs, law enforcement bodies, and third-party email providers. The attackers aimed to steal OAuth tokens from Microsoft Office users, which could give them persistent access to email, files, and other sensitive data. Because no malware was installed, the attack was extremely stealthy and difficult to detect through traditional antivirus or endpoint monitoring.

Who were the primary targets of this campaign?

The hackers focused on high-value targets: government entities, particularly ministries of foreign affairs and law enforcement agencies, as well as third-party email service providers. These organizations handle sensitive diplomatic, legal, and communications data. By compromising routers used by employees or partners, the attackers could intercept authentication tokens for Microsoft Office accounts, gaining access to internal communications and documents. The reliance on small office/home office (SOHO) routers made these targets easier to breach, because many of those devices were end-of-life or far behind on security patches.

What are OAuth tokens and why are they valuable to attackers?

OAuth authentication tokens are digital credentials that let users access online services such as Microsoft Office without re-entering passwords. They are typically issued after a user logs in successfully and are used to maintain a session or authorize third-party apps. Because a valid token is accepted in place of the password and the multi-factor prompt the user already completed, tokens are extremely valuable to attackers. Once stolen, a token can be used to impersonate the user and access their emails, files, and connected services, often for extended periods. Forest Blizzard specifically targeted Microsoft Office tokens, which could grant access to corporate and government accounts containing sensitive information.

How did Microsoft and security researchers respond?

Microsoft published a blog post detailing the campaign, identifying over 200 organizations affected. Black Lotus Labs, a division of Lumen, released a new report describing how the hackers modified DNS settings on routers. The U.K.'s National Cyber Security Centre (NCSC) also issued an advisory warning about Russian cyber actors compromising routers. Security experts emphasized that the attack required no malware on the routers themselves, making it a low-and-slow operation that could evade traditional defenses. Researchers urged organizations to update or replace outdated routers, and to monitor DNS traffic for suspicious changes.

What can organizations do to protect against this type of attack?

To defend against router-based DNS hijacking, organizations should:

Additionally, security teams should review logs from DNS servers and routers periodically, and follow advisories from organizations like NCSC and Microsoft.
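As an added example that is not part of the article or any vendor's tooling, the two checks below implement the DNS-monitoring advice: auditing the resolvers each router hands out against an allowlist, and comparing the answers the network resolver gives for a login hostname with those from a trusted out-of-band resolver. The router exports, hostnames and addresses are constructed (RFC 5737 documentation ranges), not real indicators.

```python
# Added example, not from the article; all addresses are constructed (RFC 5737).
import ipaddress

# Constructed allowlist: the resolvers these routers are supposed to hand out.
EXPECTED_RESOLVERS = {"192.0.2.53", "198.51.100.53"}

# Constructed router configuration exports (generic key=value lines, not any
# vendor's real format). branch-router-2 has had its resolvers replaced.
ROUTER_EXPORTS = {
    "branch-router-1": ["dns1=192.0.2.53", "dns2=198.51.100.53"],
    "branch-router-2": ["dns1=203.0.113.7", "dns2=203.0.113.8"],
    "branch-router-3": ["dns1=192.0.2.53", "dns2="],
}

def configured_resolvers(export):
    """Return the resolver IPs in an export, skipping blank or malformed values."""
    found = set()
    for line in export:
        key, _, value = line.partition("=")
        if not key.startswith("dns") or not value.strip():
            continue
        try:
            found.add(str(ipaddress.ip_address(value.strip())))
        except ValueError:
            continue  # not an IP address at all; ignore the entry
    return found

def rogue_resolvers(exports, allowlist=EXPECTED_RESOLVERS):
    """Map router name -> resolvers outside the allowlist; clean routers are omitted."""
    findings = {}
    for name, export in exports.items():
        unexpected = configured_resolvers(export) - allowlist
        if unexpected:
            findings[name] = unexpected
    return findings

def divergent_answers(local_answers, reference_answers):
    """Hostnames whose A records from the network resolver share nothing with the
    trusted resolver's (a hostname absent from the reference counts as divergent)."""
    return sorted(host for host, ips in local_answers.items()
                  if not ips & reference_answers.get(host, set()))

# Constructed answers for a login hostname and a mail hostname: what the branch
# resolver returned versus a trusted resolver reached over a VPN.
LOCAL = {"login.example.test": {"203.0.113.20"}, "mail.example.test": {"192.0.2.80"}}
REFERENCE = {"login.example.test": {"192.0.2.10", "192.0.2.11"},
             "mail.example.test": {"192.0.2.80"}}

if __name__ == "__main__":
    print(rogue_resolvers(ROUTER_EXPORTS), divergent_answers(LOCAL, REFERENCE))
```

In practice the exports and answer sets would come from scheduled config pulls and resolver queries; a non-empty result from either function is the signal to investigate that router.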