Russian GRU Hackers Weaponize Routers to Steal Microsoft Authentication Tokens


In a sophisticated cyber espionage campaign, hackers linked to Russia's GRU military intelligence have exploited known vulnerabilities in outdated Internet routers to silently steal authentication tokens from Microsoft Office users. The operation, attributed to the threat actor known as Forest Blizzard (also APT28 or Fancy Bear), did not require any malware deployment. Instead, it used DNS hijacking to intercept OAuth tokens—the digital keys that grant access to cloud services—after users had logged in. At its peak in December 2025, this surveillance network ensnared over 18,000 routers, primarily targeting government agencies, law enforcement, and third-party email providers. Below, we answer key questions about this alarming attack.

What is Forest Blizzard and how does it connect to Russian intelligence?

Forest Blizzard is a state-backed hacking group attributed to Russia's General Staff Main Intelligence Directorate (GRU), specifically its military intelligence units. This group is infamous for its 2016 operations against the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee. Analysts track them as APT28 or Fancy Bear. In this latest campaign, they demonstrated a low-tech but highly effective method: compromising old home and small-office routers to siphon authentication tokens from Microsoft Office users. By exploiting well-known flaws in end-of-life or unpatched devices, they built a covert spying network affecting more than 200 organizations and 5,000 consumer devices.

[Image: Russian GRU Hackers Weaponize Routers to Steal Microsoft Authentication Tokens. Source: krebsonsecurity.com]

Which router models were targeted and why?

The attackers focused on older Mikrotik and TP-Link routers marketed to the Small Office/Home Office (SOHO) market. These devices were typically end-of-life or far behind on security updates, making them easy prey. According to Black Lotus Labs at Lumen, the hackers didn't need to install malware; they simply leveraged known vulnerabilities to alter the routers' Domain Name System (DNS) settings. Once compromised, the routers began using DNS servers controlled by the attackers. This allowed the GRU hackers to redirect all users on the local network to malicious sites without any visible signs of compromise. The choice of SOHO routers was strategic: they are widely used in government subcontractors and smaller organizations.

How did the attack work without deploying malware?

Russell English, a security engineer at Black Lotus Labs, explained that the GRU hackers exploited existing vulnerabilities to modify the routers' DNS configuration. They pointed the routers to virtual private servers they controlled. From that point, every device on the local network—when trying to access legitimate websites—was redirected to lookalike malicious pages. Crucially, after a user successfully logged into a Microsoft Office service (like Outlook or SharePoint), the OAuth authentication token was transmitted. The attackers could intercept that token via their DNS servers, gaining persistent access to the user's account and data. No malicious code ever touched the user's computer or the router's firmware.

What were the primary targets?

Microsoft and Lumen's reports indicate that the campaign primarily targeted government agencies, including ministries of foreign affairs and law enforcement bodies. Third-party email providers were also high on the list. Researchers identified more than 200 organizations caught in the net, plus about 5,000 consumer devices. The goal was to harvest OAuth tokens—essentially digital keys that grant access to Microsoft Office 365 and other cloud services. By stealing these tokens, the attackers could read emails, access documents, and maintain persistent access even if passwords were changed. This type of espionage allows long-term intelligence gathering without triggering alarms.


Why are OAuth tokens so dangerous when stolen?

OAuth tokens are used for modern authentication in cloud services like Microsoft Office 365. They are granted after a user logs in and allow continued access without re-entering credentials. Unlike passwords, tokens often have longer validity and can be used to authenticate to multiple services. Once an attacker intercepts a token via DNS hijacking, they can use it to access the victim's email, files, and even impersonate them in business communications. Because the token is issued by Microsoft and accepted automatically, the attacker's activity often looks legitimate. This makes detection difficult and allows for sustained espionage. The stolen tokens effectively bypass multi-factor authentication in some cases.

What is the history of APT28 and why does this matter?

APT28, also known as Fancy Bear and now Forest Blizzard, is one of the most well-known Russian state-sponsored hacking groups. They gained notoriety in 2016 for breaching the Democratic National Committee and other political targets in an attempt to influence the U.S. presidential election. Since then, they have been linked to numerous cyber espionage campaigns against government, military, and media organizations worldwide. This latest router-based attack shows they are adapting to lower-tech methods that are harder to detect. By compromising routers at the network edge, they can intercept web traffic without raising suspicion. It underscores the need for organizations to secure even the most mundane infrastructure.

How can organizations defend against this type of attack?

Protecting against DNS hijacking starts with router security. Organizations should replace end-of-life devices with ones that receive regular firmware updates, or ensure the latest patches are applied. Changing default passwords and disabling remote administration further reduces risk. Using DNSSEC can help verify that DNS responses come from legitimate sources. Network monitoring solutions can detect unusual DNS traffic patterns, such as queries to unknown servers. Additionally, implementing OAuth token binding to specific devices and using short token lifetimes can limit the impact of theft. The UK's National Cyber Security Centre and Microsoft both recommend auditing router configurations and enforcing strict DNS settings.
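The DNS-monitoring advice above can be made concrete with a small detection script. The code below is an added example, not part of the original article or any vendor tooling: it takes constructed flow records from a network edge, flags LAN hosts sending port-53 traffic to resolvers outside an assumed sanctioned set (several hosts hitting the same unknown resolver is what a rewritten gateway DNS setting looks like), and compares LAN-observed answers for a sign-in hostname against answers from a trusted out-of-band resolver. All IP addresses are documentation ranges chosen for the example.

```python
"""Detect signs of gateway DNS hijacking from flow records and answer mismatches.
All sample data below is constructed for this example."""
import ipaddress
from collections import defaultdict

# Resolvers the organization sanctions (assumed; replace with your own).
SANCTIONED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed flow records: (src_lan_ip, dst_ip, dst_port, proto).
# 203.0.113.77 is a documentation address standing in for an unknown VPS.
SAMPLE_FLOWS = [
    ("192.168.1.20", "10.0.0.53", 53, "udp"),
    ("192.168.1.20", "203.0.113.77", 53, "udp"),
    ("192.168.1.31", "10.0.1.53", 53, "udp"),
    ("192.168.1.31", "203.0.113.77", 53, "tcp"),
    ("192.168.1.42", "198.51.100.9", 443, "tcp"),  # not DNS, ignored
]


def unsanctioned_resolvers(flows, sanctioned=SANCTIONED_RESOLVERS):
    """Return {resolver_ip: sorted LAN hosts} for port-53 flows whose
    destination is not a sanctioned resolver."""
    hits = defaultdict(set)
    for src, dst, port, _proto in flows:
        if port != 53 or dst in sanctioned:
            continue
        hits[dst].add(src)
    return {resolver: sorted(hosts) for resolver, hosts in hits.items()}


def answer_mismatch(lan_answers, trusted_answers):
    """Compare A-record answers seen on the LAN with answers obtained from a
    trusted out-of-band resolver. Any LAN answer absent from the trusted set
    is returned as suspect (a lookalike page served via hijacked DNS)."""
    lan = {ipaddress.ip_address(a) for a in lan_answers}
    trusted = {ipaddress.ip_address(a) for a in trusted_answers}
    return sorted(str(a) for a in lan - trusted)


if __name__ == "__main__":
    print("unknown resolvers:", unsanctioned_resolvers(SAMPLE_FLOWS))
    # Constructed answers for a sign-in hostname; 198.51.100.5 is the trusted one.
    print("suspect answers:", answer_mismatch(["203.0.113.10", "198.51.100.5"],
                                              ["198.51.100.5"]))
```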
