Quick Facts
- Category: Cybersecurity
- Published: 2026-05-06 08:01:53
- \
- Windows 11 KB5083631: A Deep Dive into the Latest Optional Update
- \
- 388bet
- 888p
- Stack Allocation in Go: Boosting Performance with Constant-Sized Slices
- \
- 388bet
- cPanel Security Alert: Critical Authentication Flaw Requires Immediate Patching
- Microsoft Recognized as a Leader in Sovereign Cloud Platforms by Forrester Wave
- dt68
- \
- 888p
- dt68
- Iran-Linked Hacktivists Claim Destructive Cyberattack on Medical Giant Stryker
Introduction
In a sophisticated espionage campaign, hackers tied to Russia's military intelligence have exploited known vulnerabilities in outdated internet routers to systematically collect authentication tokens from Microsoft Office users. The operation, which peaked in December 2025, compromised over 18,000 networks without deploying any malicious software, relying instead on a simple but effective technique.

Who Is Behind the Attack?
The threat actor, identified as Forest Blizzard (also known as APT28 or Fancy Bear), is attributed to the Russian General Staff Main Intelligence Directorate (GRU). This group gained notoriety for its 2016 interference in the U.S. presidential election by compromising the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee. The current campaign, however, targets a broad range of organizations, with a focus on government agencies, ministries of foreign affairs, law enforcement bodies, and third-party email providers.
How Did the Hackers Compromise Routers?
No Malware Required
Rather than installing malware, the attackers leveraged known flaws in end-of-life routers—primarily older Mikrotik and TP-Link devices marketed to small offices and home users. These routers were either unsupported or significantly behind on security updates, making them easy targets. By exploiting these vulnerabilities, the hackers gained administrative control over the devices.
DNS Hijacking Explained
Once inside, they altered the Domain Name System (DNS) settings to redirect network traffic. DNS is the internet's phonebook, translating human-readable domain names into IP addresses. Instead of sending users to legitimate servers, the compromised routers pointed to a handful of virtual private servers controlled by the attackers. This allowed the hackers to intercept and steal authentication tokens transmitted after users successfully logged into Microsoft Office services.
Scale and Impact of the Campaign
According to Microsoft's blog post, the campaign ensnared more than 200 organizations and 5,000 consumer devices. Meanwhile, researchers at Black Lotus Labs—the security division of internet backbone provider Lumen—discovered that at its peak, Forest Blizzard's surveillance net captured over 18,000 routers across numerous networks. The ability to propagate malicious DNS settings to all users on a local network meant that any OAuth authentication token transmitted by those users was vulnerable to interception.

Why OAuth Tokens Are Valuable
OAuth tokens act as digital keys, granting persistent access to services like Microsoft Office without requiring repeated logins. By capturing these tokens, the hackers could effectively bypass password protections and gain unauthorized access to emails, documents, and other sensitive data. The simplicity of the attack—no malware, no complex exploits—made it particularly difficult to detect.
Response and Mitigation
The U.K.'s National Cyber Security Centre (NCSC) has issued an advisory detailing how Russian cyber actors have been compromising routers, warning organizations to check for signs of DNS manipulation. Recommended steps include:
- Updating router firmware to the latest version
- Replacing end-of-life or unsupported routers
- Monitoring DNS settings for unauthorized changes
- Implementing multi-factor authentication to reduce reliance on tokens
Both Microsoft and Lumen emphasize the importance of maintaining up-to-date network equipment and using secure authentication methods to defend against such attacks.
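The two checks below are an added example written for this article, not code from Microsoft, Lumen, or the NCSC advisory, and they cover the DNS-hijacking mechanism described above together with the "monitoring DNS settings for unauthorized changes" step in the recommended list. The first check compares the resolvers a router hands out over DHCP with an operator-maintained allow-list; the second compares answers from the local (router) resolver with answers from a trusted out-of-band resolver and looks for the tell-tale pattern of many unrelated names collapsing onto a handful of addresses, which is what redirecting a network to a few attacker-controlled servers produces. All resolver addresses, domain names and answers are constructed placeholders from documentation address space, not indicators from the campaign.

```python
"""
Added example (not from the article): two defender-side checks for the kind of
router DNS tampering the article describes.

1. check_resolvers(): the DNS servers a network hands out via DHCP should match
   an allow-list the operator maintains (ISP or internal resolvers). An
   unexpected public IP is the first sign of a rewritten router configuration.
2. detect_sinkhole(): when a router's DNS is pointed at a few attacker-run
   servers, many unrelated domains start resolving to the same small set of
   IPs. Comparing answers from the local resolver against a trusted resolver,
   and counting how many distinct names land on one address, surfaces that.

All sample data below is constructed for the example; resolver addresses and
domain answers are placeholders, not real indicators.
"""
from collections import defaultdict
import ipaddress

# Constructed allow-list: resolvers the operator expects clients to receive.
EXPECTED_RESOLVERS = {"192.168.1.1", "10.0.0.53"}


def check_resolvers(dhcp_dns_servers, allowed=EXPECTED_RESOLVERS):
    """Return the handed-out resolvers that are not on the allow-list."""
    unexpected = []
    for server in dhcp_dns_servers:
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            unexpected.append(server)  # garbage in the config is itself a finding
            continue
        if str(ip) not in allowed:
            unexpected.append(str(ip))
    return unexpected


def detect_sinkhole(local_answers, trusted_answers, max_names_per_ip=3):
    """
    local_answers / trusted_answers: dict domain -> set of A-record IPs, as
    returned by the router's resolver and by an out-of-band trusted resolver.
    Returns the domains whose answer sets are completely different, plus any
    local answer IP that absorbs more than max_names_per_ip distinct domains.
    """
    mismatched = {}
    names_per_ip = defaultdict(set)
    for domain, local_ips in local_answers.items():
        trusted_ips = trusted_answers.get(domain, set())
        # CDN-backed names legitimately vary; flag only fully disjoint answer sets.
        if trusted_ips and local_ips.isdisjoint(trusted_ips):
            mismatched[domain] = {"local": sorted(local_ips),
                                  "trusted": sorted(trusted_ips)}
        for ip in local_ips:
            names_per_ip[ip].add(domain)
    sinkholes = {ip: sorted(names) for ip, names in names_per_ip.items()
                 if len(names) > max_names_per_ip}
    return {"mismatched": mismatched, "sinkholes": sinkholes}


# Constructed sample: a router pushing an unexpected resolver, which in turn
# answers every login-related name with the same placeholder address.
SAMPLE_DHCP_DNS = ["192.168.1.1", "203.0.113.7"]   # 203.0.113.0/24 is documentation space
SAMPLE_LOCAL = {
    "login.example.test":  {"203.0.113.50"},
    "mail.example.test":   {"203.0.113.50"},
    "docs.example.test":   {"203.0.113.50"},
    "files.example.test":  {"203.0.113.50"},
    "static.example.test": {"198.51.100.10"},      # name the attacker left alone
}
SAMPLE_TRUSTED = {
    "login.example.test":  {"198.51.100.20"},
    "mail.example.test":   {"198.51.100.21"},
    "docs.example.test":   {"198.51.100.22"},
    "files.example.test":  {"198.51.100.23"},
    "static.example.test": {"198.51.100.10"},
}

if __name__ == "__main__":
    print("unexpected resolvers:", check_resolvers(SAMPLE_DHCP_DNS))
    report = detect_sinkhole(SAMPLE_LOCAL, SAMPLE_TRUSTED)
    print("mismatched domains:", sorted(report["mismatched"]))
    print("suspected sinkhole IPs:", report["sinkholes"])
```

In practice the two input dictionaries would be filled from real lookups (the local set from the resolver the DHCP lease names, the trusted set from a resolver reached over an independent path), and the threshold in `detect_sinkhole` should be tuned to the environment, since a single shared load balancer can legitimately front several internal names. The disjoint-set test rather than exact equality keeps CDN round-robin answers from generating noise.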
Conclusion
This campaign highlights the persistent threat posed by state-sponsored hackers who exploit even the simplest vulnerabilities—outdated routers and unprotected DNS settings—with devastating effect. Organizations must prioritize network hygiene and adopt robust security practices to guard against silent, large-scale credential theft.