Buconos

Russian Hackers Exploit Aging Routers in Massive OAuth Token Theft Campaign

Published: 2026-05-06 16:06:53 | Category: Cybersecurity

A sophisticated espionage campaign, attributed to Russian military intelligence hackers, has been exploiting known vulnerabilities in outdated internet routers to steal authentication tokens from Microsoft Office users on a massive scale. Security researchers warn that the operation, which peaked in December 2025, affected over 18,000 networks without the need for any malware installation on targeted devices.

Targeted Networks and Affected Organizations

According to Microsoft's blog post, the threat actor known as Forest Blizzard—also identified as APT28 or Fancy Bear—compromised more than 200 organizations and 5,000 consumer devices. The hackers primarily focused on government agencies, including ministries of foreign affairs, law enforcement bodies, and third-party email providers. The campaign's stealthy nature allowed it to siphon authentication tokens from users across thousands of networks, raising alarm among cybersecurity experts.

Source: krebsonsecurity.com

Outdated Routers as Entry Points

Black Lotus Labs, the security division of internet backbone provider Lumen, identified that the hackers predominantly targeted older, unsupported routers from MikroTik and TP-Link—devices commonly used in small office/home office (SOHO) environments. These routers were often end-of-life or significantly behind on security patches. By exploiting known flaws, Forest Blizzard modified the Domain Name System (DNS) settings on these routers without installing any malicious software.

The DNS Hijacking Method

The attack relied on a technique called DNS hijacking. Normally, DNS translates user-friendly domain names into IP addresses. The hackers altered the router's DNS settings to point to attacker-controlled DNS servers. This allowed them to redirect users to fraudulent websites that mimicked legitimate login pages, capturing authentication tokens in the process.

Forest Blizzard: A Persistent Threat

Forest Blizzard is attributed to Russia's General Staff Main Intelligence Directorate (GRU). The group is infamous for its 2016 cyber operations against the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee during the U.S. presidential election. Their latest campaign underscores their ongoing capability to conduct large-scale espionage using relatively simple but effective methods.

How OAuth Tokens Were Intercepted

OAuth tokens are digital credentials that allow users to access services like Microsoft Office after a successful login. By hijacking DNS, the attackers could intercept these tokens as they were transmitted over the network. The critical element was that the malicious DNS settings propagated to all users on the local network, meaning one compromised router could expose an entire organization. Unlike typical malware-based attacks, no code execution was needed, making detection more challenging.


Global Response and Advisory from NCSC

The United Kingdom's National Cyber Security Centre (NCSC) issued an advisory detailing how Russian cyber actors have been compromising routers. The advisory highlights the importance of updating router firmware, disabling remote management features, and monitoring DNS traffic for anomalies. Organizations are urged to replace end-of-life devices and enforce robust authentication protocols.

Protecting Against Router-Based Attacks

  • Regularly update router firmware to patch known vulnerabilities.
  • Change default administrative credentials immediately.
  • Disable remote management unless absolutely necessary.
  • Monitor DNS traffic for unauthorized redirects.
  • Use DNS-over-HTTPS or DNS-over-TLS to encrypt queries.
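One way to act on the DNS-monitoring item above (and on the router DNS-setting change described under "The DNS Hijacking Method"), as an added example that is not from the article, Microsoft or Black Lotus Labs: a Python check that flags a router handing out resolvers outside an approved list, and login hostnames resolving outside their expected address ranges. The resolver addresses, hostnames and prefixes are constructed placeholders, not indicators from the campaign.

```python
import ipaddress

# Constructed baseline (assumptions, not indicators from the campaign): approved
# resolvers and the ranges the identity provider's login hostnames resolve into.
APPROVED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
EXPECTED_PREFIXES = {
    "login.example-idp.test": ["198.51.100.0/24", "2001:db8:10::/48"],
    "mail.example.test": ["198.51.100.128/25"],
}

def check_resolvers(handed_out, approved=APPROVED_RESOLVERS):
    """Resolver addresses a router hands out (e.g. via DHCP) that are not on
    the approved list: the 'DNS settings changed' signal the article describes."""
    return sorted(set(handed_out) - set(approved))

def check_answers(answers, expected=EXPECTED_PREFIXES):
    """Answers from the router's resolver that fall outside the expected
    prefixes for a hostname.  Prefix matching (rather than exact comparison
    with a reference resolver) keeps legitimate CDN variation from alerting."""
    findings = []
    for name, addrs in answers.items():
        nets = [ipaddress.ip_network(p) for p in expected.get(name, [])]
        if not nets:
            continue  # no baseline for this hostname; nothing to judge against
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            if not any(ip in net for net in nets):  # v4/v6 mismatch -> False
                findings.append((name, addr))
    return findings

def audit(router, handed_out, answers):
    """One finding per router; both signals together rate 'high'."""
    rogue = check_resolvers(handed_out)
    bad = check_answers(answers)
    severity = "high" if rogue and bad else "medium" if rogue or bad else "none"
    return {"router": router, "unapproved_resolvers": rogue,
            "out_of_range_answers": bad, "severity": severity}

# Constructed observations: a healthy router and one whose DNS was altered.
SAMPLE = {
    "router-hq": (["192.0.2.53", "192.0.2.54"],
                  {"login.example-idp.test": ["198.51.100.20"]}),
    "router-branch": (["203.0.113.9"],
                      {"login.example-idp.test": ["203.0.113.80"],
                       "mail.example.test": ["198.51.100.200"]}),
}

if __name__ == "__main__":
    for router, (dhcp, answers) in SAMPLE.items():
        print(audit(router, dhcp, answers))
```

In practice the DHCP-offered resolvers would come from a probe on each segment and the answers from queries sent through that segment's resolver; a non-empty result for either check is the point to inspect the router's configuration.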

Broader Implications for Cybersecurity

The campaign demonstrates that even low-tech methods can achieve high-impact results when targeting poorly maintained infrastructure. As organizations accelerate their digital transformation, routers remain an often-neglected attack surface. The incident also highlights the persistence of state-sponsored actors and their willingness to adapt known techniques for mass surveillance.

Key Takeaways for Enterprises

  1. Inventory all network devices and enforce lifecycle management policies.
  2. Segment networks to limit the blast radius of a compromised router.
  3. Implement multi-factor authentication to reduce reliance on OAuth tokens alone.
  4. Utilize threat intelligence feeds to stay updated on active campaigns.

Security firm Black Lotus Labs continues to track Forest Blizzard's activities, noting that the group's tactics remain relatively unchanged but highly effective due to the abundance of vulnerable devices. As of early 2025, the hackers have shown no signs of slowing down, making proactive defense essential for all organizations.