Quick Facts
- Category: Cybersecurity
- Published: 2026-05-01 11:02:14
Security researchers have uncovered a sophisticated espionage campaign linked to Russia's military intelligence that exploits vulnerabilities in outdated internet routers to harvest authentication tokens from Microsoft Office users. The operation, attributed to the state-backed threat actor known as Forest Blizzard, has affected over 18,000 networks without requiring any malicious software installation on targeted devices.
The Scope of the Attack
Microsoft confirmed in a blog post that more than 200 organizations and 5,000 consumer devices were caught in the stealthy surveillance network. The campaign, active as recently as December 2025, primarily targeted government agencies, including ministries of foreign affairs, law enforcement bodies, and third-party email providers. Researchers at Black Lotus Labs, the security division of internet backbone provider Lumen, identified the peak of the operation when over 18,000 routers were compromised.

Who is Forest Blizzard?
Forest Blizzard, also tracked as APT28 and Fancy Bear, is attributed to Unit 26165 of Russia's General Staff Main Intelligence Directorate (GRU). This group gained notoriety for hacking the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee during the 2016 U.S. presidential election interference. Their latest campaign demonstrates a shift toward leveraging network infrastructure for credential theft.
How the Attack Works
Targeting Outdated Routers
The hackers focused on older, unsupported, or end-of-life routers—particularly MikroTik and TP-Link models marketed to small offices and home offices (SOHO). These devices often lack security updates, making them vulnerable to known exploits. Crucially, the attackers did not deploy malware on the routers themselves. Instead, they exploited known vulnerabilities to modify the routers' Domain Name System (DNS) settings.
DNS Hijacking Explained
DNS is the system that translates human-readable hostnames into IP addresses. In a DNS hijacking attack, the adversary alters this resolution so that lookups for legitimate names return addresses the adversary controls, steering clients to malicious servers. According to an advisory from the UK's National Cyber Security Centre (NCSC), Russian cyber actors have been compromising routers to perform such hijacks. Black Lotus Labs security engineer Ryan English explained that the compromised routers were reconfigured to use DNS servers controlled by the attackers, hosted on a set of virtual private servers. Because a SOHO router is normally the resolver that every client on the LAN is handed via DHCP, a single change to the router's upstream resolver silently redirected the name lookups of the entire local network.
Harvesting OAuth Tokens
Once the DNS settings were redirected, the attackers could intercept OAuth authentication tokens transmitted by users. OAuth tokens are issued by the identity provider (for Microsoft Office, Microsoft Entra ID) after a user signs in successfully, and they let applications access data on the user's behalf without prompting for the password again. By stealing these tokens, the hackers gained persistent access to user accounts, bypassing multi-factor authentication and password protections, because the token is proof of a sign-in that has already satisfied both. One caveat worth stating: controlling DNS decides which server a client connects to, it does not expose TLS-protected traffic by itself, so the attacker-controlled endpoint had to be one the client would actually hand a token to; the reporting summarized here does not detail that step. The intercepted tokens made it possible to access email, files, and other sensitive information belonging to victims.

Why This Attack is Particularly Dangerous
The attack's stealth lies in its simplicity. No malware was deployed on the routers or user devices, so there was nothing for traditional antivirus software to detect. Because the change was to the router's stored configuration rather than to running memory, the malicious DNS settings persisted across reboots, enabling long-term surveillance. Moreover, because the tokens are captured after a successful sign-in, victims see no failed login or MFA prompt and may not notice anything unusual until the stolen data is used.
Mitigation and Recommendations
Organizations can protect themselves by taking the following steps:
- Replace unsupported or end-of-life routers with models that receive regular security updates.
- Change default router passwords and disable remote management if not required.
- Monitor DNS logs for queries forwarded to upstream resolvers you did not configure, and for answers that send identity-provider hostnames (for example login.microsoftonline.com) to unfamiliar addresses.
- Implement conditional access policies that require device compliance before granting OAuth tokens.
- Regularly audit OAuth token usage and revoke suspicious grants.
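The DNS-log monitoring item above, and the router reconfiguration described under "DNS Hijacking Explained", both come down to the same two observations: the router starts forwarding to a resolver nobody configured, and lookups for the identity provider start returning addresses outside the provider's ranges. The following script is an added example, not code from the article, Microsoft or Black Lotus Labs. It assumes a constructed JSON-lines DNS record format with `ts`, `client`, `resolver`, `qname` and `answers` fields; the trusted-resolver list and the expected address prefixes are placeholders to be replaced with your own upstream resolvers and the identity provider's published ranges, and the attacker addresses in the sample come from documentation-only IP space.

```python
"""Flag DNS activity consistent with SOHO router DNS hijacking.

Two checks run over DNS records captured at the router's WAN side:
  1. A query forwarded to an upstream resolver not on the allowlist
     (the symptom of a rewritten router DNS setting).
  2. An answer for an identity-provider hostname that falls outside
     the address ranges expected for that service (the redirect).
"""
import ipaddress
import json
from typing import Iterable, List, Dict

# Assumed values for this example: the resolvers the router should be
# forwarding to, the hostnames worth watching, and the prefixes those
# hostnames are expected to resolve into. Populate the prefixes from
# the identity provider's published ranges in a real deployment.
TRUSTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "9.9.9.9", "149.112.112.112"}
WATCHED_NAMES = {"login.microsoftonline.com", "login.live.com"}
EXPECTED_PREFIXES = [ipaddress.ip_network(p) for p in ("20.190.128.0/18", "40.126.0.0/18")]

# Constructed sample records (JSON lines). 203.0.113.45 plays the
# attacker's VPS resolver and 198.51.100.22 the redirect target; both
# are documentation-only addresses, not real infrastructure.
SAMPLE_LOG = """
{"ts": "2025-12-03T08:14:02Z", "client": "192.168.88.10", "resolver": "1.1.1.1", "qname": "login.microsoftonline.com", "answers": ["20.190.151.7"]}
{"ts": "2025-12-03T09:02:41Z", "client": "192.168.88.10", "resolver": "203.0.113.45", "qname": "login.microsoftonline.com", "answers": ["198.51.100.22"]}
{"ts": "2025-12-03T09:02:44Z", "client": "192.168.88.12", "resolver": "1.1.1.1", "qname": "login.live.com", "answers": ["40.126.31.140"]}
{"ts": "2025-12-03T09:03:10Z", "client": "192.168.88.12", "resolver": "203.0.113.45", "qname": "example.org", "answers": ["93.184.216.34"]}
"""


def expected_address(addr: str) -> bool:
    """True if addr lies inside one of the expected identity-provider prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in EXPECTED_PREFIXES)


def analyze(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per rule hit, in log order; blank lines are skipped."""
    findings: List[Dict[str, str]] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        qname = rec["qname"].lower().rstrip(".")

        # Rule 1: the router forwarded to a resolver we never configured.
        if rec["resolver"] not in TRUSTED_RESOLVERS:
            findings.append({"rule": "untrusted_upstream_resolver", "ts": rec["ts"],
                             "qname": qname, "detail": rec["resolver"]})

        # Rule 2: a watched identity-provider name resolved somewhere unexpected.
        if qname in WATCHED_NAMES:
            bad = [a for a in rec["answers"] if not expected_address(a)]
            if bad:
                findings.append({"rule": "unexpected_idp_answer", "ts": rec["ts"],
                                 "qname": qname, "detail": ",".join(bad)})
    return findings


def untrusted_resolvers(findings: List[Dict[str, str]]) -> List[str]:
    """Distinct rogue resolver addresses seen, sorted, for blocking or pivoting."""
    return sorted({f["detail"] for f in findings if f["rule"] == "untrusted_upstream_resolver"})


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"[{f['rule']}] {f['ts']} {f['qname']} -> {f['detail']}")
    print("rogue resolvers:", untrusted_resolvers(hits))
```

Rule 1 is the higher-value signal: a hijacked router shows it on every forwarded query, not only on lookups for the identity provider, so it fires even before the victim signs in. Rule 2 catches the redirect itself but will also fire when the provider adds ranges you have not yet allowlisted, so treat its hits as "verify against the published ranges" rather than as a confirmed compromise on their own.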
For home users, keeping router firmware up to date, checking that the router's DNS settings still point where you set them, and configuring devices to talk to a reputable resolver directly over encrypted DNS (DNS over HTTPS or DNS over TLS to Cloudflare or Quad9, for example) can reduce risk, since a hijacked router setting then no longer decides where lookups go. Microsoft has also advised organizations to enable token binding, which ties an issued token to the device that received it so a copy captured elsewhere is rejected, and to use hardware security keys to protect against token theft.
Conclusion
The Forest Blizzard campaign underscores how advanced threat actors can exploit simple infrastructure weaknesses to achieve high-impact espionage. By targeting outdated routers and manipulating DNS, they silently siphoned authentication tokens from thousands of networks. As routers in small offices and homes remain neglected, such attacks are likely to become more common. Vigilance in updating network hardware and monitoring traffic is essential to defend against these hidden intrusions.