10 Critical Insights Into Russia's Router Hacking Campaign Targeting Microsoft Office Tokens

In a sophisticated espionage operation, hackers linked to Russia's military intelligence have been exploiting outdated routers to intercept authentication tokens from Microsoft Office users. This campaign, uncovered by security researchers, highlights the evolving tactics of state-backed threat actors. Below are ten key points you need to understand about this stealthy attack, from the techniques used to the organizations affected.

1. The Threat Actor: Forest Blizzard, aka APT28

The group behind this campaign is known as Forest Blizzard, also tracked as APT28 and Fancy Bear. Attributed to Russia's General Staff Main Intelligence Directorate (GRU), this group has a history of high-profile cyber intrusions, including the 2016 interference in the U.S. presidential election. In this latest operation, they focused on harvesting OAuth tokens from Microsoft Office users by compromising routers on a massive scale. Their primary targets include government agencies, ministries of foreign affairs, law enforcement, and third-party email providers. The group's persistence and technical sophistication make them a significant threat to global cybersecurity.

Source: krebsonsecurity.com

2. The Scale: Over 18,000 Routers Compromised

At the peak of the campaign in December 2025, Forest Blizzard's surveillance network ensnared more than 18,000 internet routers. These devices sat in front of numerous networks, affecting over 200 organizations and an additional 5,000 consumer devices, according to Microsoft. The sheer number of compromised routers allowed the hackers to cast a wide net for authentication tokens, ultimately exposing a vast number of users to potential credential theft. This scale underscores the attackers' ability to compromise infrastructure at an enterprise level without deploying malware on the victims' endpoints.

3. No Malware Needed: Exploiting Known Vulnerabilities

A key aspect of this attack is that the hackers did not install any malicious software on the targeted routers. Instead, they exploited known vulnerabilities in older, unsupported, or unpatched devices. By leveraging flaws in routers that were past their end-of-life or far behind on security updates, the attackers could modify router configurations without leaving typical malware traces. This approach makes detection especially challenging, as traditional antivirus or endpoint security solutions would not flag any malicious code. The operation relied solely on abusing legitimate administrative features.

4. DNS Hijacking: How Traffic Was Redirected

The core technique used was Domain Name System (DNS) hijacking. The hackers altered the DNS settings on compromised routers to point to malicious DNS servers they controlled. When users tried to visit legitimate websites, their traffic was silently redirected to phishing sites or proxies designed to capture login credentials and authentication tokens. DNS is fundamental to how users navigate the internet; by corrupting it at the router level, the attackers could intercept data from all devices on the local network, including computers, phones, and tablets.
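To make the detection side of this concrete, here is an added example (not code from the article, Microsoft, or Black Lotus Labs) that scans constructed dnsmasq-style DNS log lines, as a SOHO router or a local forwarder would emit them, and flags the two signatures of a router-level DNS hijack: queries forwarded to a resolver outside the site's allowlist, and answers for an identity-provider hostname that disagree with what an independent trusted resolver returned. The log format, the allowlist, the reference answers and every IP address are assumptions built for the example.

```python
import re
from ipaddress import ip_address

# Constructed dnsmasq-style log lines (invented sample data, not logs from the
# campaign described in the article). Addresses use documentation ranges.
SAMPLE_LOG = """\
Mar  3 09:12:01 dnsmasq[412]: query[A] login.microsoftonline.com from 192.168.1.20
Mar  3 09:12:01 dnsmasq[412]: forwarded login.microsoftonline.com to 203.0.113.7
Mar  3 09:12:01 dnsmasq[412]: reply login.microsoftonline.com is 198.51.100.44
Mar  3 09:12:05 dnsmasq[412]: query[A] example.com from 192.168.1.21
Mar  3 09:12:05 dnsmasq[412]: forwarded example.com to 9.9.9.9
Mar  3 09:12:05 dnsmasq[412]: reply example.com is 192.0.2.80
Mar  3 09:12:06 dnsmasq[412]: cached example.com is 192.0.2.80
"""

# Resolvers the router is supposed to forward to (assumption: the site's own policy).
ALLOWED_RESOLVERS = {ip_address("9.9.9.9"), ip_address("1.1.1.1")}

# Hostnames whose answers we cross-check, and what an independent trusted resolver
# returned for them. Constructed values for the example; in practice obtain them by
# querying a resolver such as Quad9 directly over DoT/DoH, bypassing the router.
REFERENCE_ANSWERS = {
    "login.microsoftonline.com": {"192.0.2.10"},
}

LINE_RE = re.compile(
    r"dnsmasq\[\d+\]: (?P<kind>query\[\w+\]|forwarded|reply) "
    r"(?P<name>\S+) (?:from|to|is) (?P<addr>\S+)"
)


def parse_log(text):
    """Yield (kind, name, addr) tuples from dnsmasq-style lines; skip other lines."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            kind = m.group("kind").split("[")[0]  # 'query[A]' -> 'query'
            yield kind, m.group("name"), m.group("addr")


def find_anomalies(log_text, allowed=ALLOWED_RESOLVERS, reference=REFERENCE_ANSWERS):
    """Return findings as (type, hostname, detail) tuples.

    'rogue_resolver': a query was forwarded to a resolver not on the allowlist.
    'answer_mismatch': the router's answer for a watched hostname shares no
    address with the trusted reference answer.
    """
    findings = []
    answers = {}
    for kind, name, addr in parse_log(log_text):
        if kind == "forwarded":
            try:
                upstream = ip_address(addr)
            except ValueError:
                continue  # malformed address; nothing to compare
            if upstream not in allowed:
                findings.append(("rogue_resolver", name, addr))
        elif kind == "reply":
            answers.setdefault(name, set()).add(addr)
    for name, expected in reference.items():
        seen = answers.get(name)
        if seen and not (seen & expected):
            findings.append(("answer_mismatch", name, ",".join(sorted(seen))))
    return findings


if __name__ == "__main__":
    for kind, name, detail in find_anomalies(SAMPLE_LOG):
        print(f"{kind}: {name} -> {detail}")
```

The reference answers must come from a path the router cannot influence (encrypted DNS from the monitoring host to the trusted resolver), otherwise a hijacked router would simply feed both sides the same forged answer. CDN-fronted hostnames legitimately return several addresses that change over time, so treat an `answer_mismatch` as a lead to confirm against the provider's published ranges, while a `rogue_resolver` finding on a router whose forwarders you set yourself is direct evidence of a configuration change.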

5. Targeting OAuth Authentication Tokens

Once the DNS hijacking was in place, the attackers focused on intercepting OAuth authentication tokens transmitted by Microsoft Office users. OAuth tokens are commonly used for seamless sign-ins across services. After a user successfully logs in, a token is issued to maintain the session. By capturing these tokens, the hackers could impersonate users and gain unauthorized access to their emails, documents, and other cloud services without needing passwords. Importantly, the tokens were grabbed after a legitimate login, making the theft even harder for users to detect.

6. Vulnerable Router Models: Mikrotik and TP-Link

The routers most commonly exploited were older models from Mikrotik and TP-Link, particularly those marketed to small offices and home offices (SOHO). These devices often lack robust automatic update mechanisms and may be running outdated firmware with known security holes. The hackers targeted these models because of their widespread use and the ease with which their vulnerabilities could be exploited. Users who have not updated their router firmware or replaced end-of-life devices are at heightened risk. This highlights the importance of router lifecycle management.

7. Attribution and Historical Context

Security researchers at Lumen's Black Lotus Labs, alongside Microsoft, have attributed this campaign to the Russian GRU. Forest Blizzard is the same group responsible for the 2016 Democratic National Committee hack and other geopolitical cyber operations. The group's techniques have evolved over time, but their focus on espionage and intelligence gathering remains constant. This router hack represents a shift towards compromising network infrastructure rather than individual endpoints, likely as a response to improved endpoint security measures. Understanding their past helps contextualize their current methods.


8. Microsoft's Response and Guidance

Microsoft published a blog post detailing its findings and providing guidance for affected organizations. The company recommended immediate steps such as rotating OAuth tokens, auditing network devices for unauthorized configuration changes, and implementing multifactor authentication (MFA) wherever possible. MFA helps, but because the tokens are stolen after authentication has already completed, it is not fully protective on its own. Microsoft also urged administrators to update router firmware, disable remote management if not needed, and monitor DNS query logs for anomalies. The company continues to work with law enforcement to disrupt the campaign.
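The advice to audit network devices for unauthorized configuration changes can be automated as a baseline diff. The following is an added example, not Microsoft's tooling and not any vendor's export format: it compares a constructed known-good snapshot of a router's settings with a current snapshot and reports the changes that matter for this campaign (repointed DNS forwarders, remote management switched on, new administrator accounts, firmware below an acceptable floor). The field names, version strings and IP addresses are assumptions; a real export (RouterOS, OpenWrt UCI, a vendor web UI backup) would need a small adapter into this shape.

```python
# Constructed baseline snapshot, captured when the router was last known-good.
# Schema and values are assumptions for this example.
BASELINE = {
    "firmware": "7.12.1",
    "dns_servers": ["9.9.9.9", "1.1.1.1"],
    "remote_management": False,
    "admin_users": ["admin"],
    "upnp": False,
}

# Constructed "current" snapshot showing the kind of drift a DNS-hijack campaign
# leaves behind: forwarders repointed and remote management switched on.
CURRENT = {
    "firmware": "7.12.1",
    "dns_servers": ["203.0.113.7"],
    "remote_management": True,
    "admin_users": ["admin", "svc-backup"],
    "upnp": False,
}

# Assumption: oldest firmware version the site still considers acceptable.
MIN_FIRMWARE = "7.12.1"

# Keys the audit treats specially; anything else is reported as generic drift.
CHECKED_KEYS = {"dns_servers", "remote_management", "admin_users", "firmware"}


def version_tuple(version):
    """'7.12.1' -> (7, 12, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def audit_router(baseline, current, min_firmware=MIN_FIRMWARE):
    """Compare a current config snapshot with its baseline.

    Returns a list of (severity, field, detail) findings; an empty list means
    nothing changed and the firmware meets the floor.
    """
    findings = []

    # DNS forwarders: any resolver not in the baseline list is the hijack signature.
    added = sorted(set(current.get("dns_servers", [])) - set(baseline.get("dns_servers", [])))
    if added:
        findings.append(("critical", "dns_servers", f"unexpected resolvers: {', '.join(added)}"))

    # Remote management exposes the admin interface to the internet.
    if current.get("remote_management") and not baseline.get("remote_management"):
        findings.append(("high", "remote_management", "enabled since baseline"))

    # New admin accounts are a common way to keep access after the initial change.
    new_admins = sorted(set(current.get("admin_users", [])) - set(baseline.get("admin_users", [])))
    if new_admins:
        findings.append(("high", "admin_users", f"new accounts: {', '.join(new_admins)}"))

    # Firmware below the floor means known, unpatched flaws.
    fw = current.get("firmware", "0")
    if version_tuple(fw) < version_tuple(min_firmware):
        findings.append(("medium", "firmware", f"{fw} is below {min_firmware}"))

    # Catch-all for any other setting that changed.
    for key in sorted(set(baseline) | set(current)):
        if key not in CHECKED_KEYS and baseline.get(key) != current.get(key):
            findings.append(("info", key, f"{baseline.get(key)!r} -> {current.get(key)!r}"))
    return findings


if __name__ == "__main__":
    for severity, field, detail in audit_router(BASELINE, CURRENT):
        print(f"[{severity}] {field}: {detail}")
```

Take the snapshot from the device itself (backup export or management API) rather than from what the web UI displays, and store the baseline somewhere the router cannot write to; the check is only as trustworthy as the baseline it compares against.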

9. Discovery by Black Lotus Labs

The campaign was discovered by Black Lotus Labs, the security division of internet backbone provider Lumen. Ryan English, a security engineer at Black Lotus Labs, explained that the attackers did not need to install malware on the targeted routers. Instead, they used known vulnerabilities to modify DNS settings. The lab's monitoring systems detected unusual DNS traffic patterns, leading to the identification of attacker-controlled servers. Their analysis revealed that the compromised routers were being used as a proxy network to collect OAuth tokens from thousands of networks simultaneously. This discovery underscores the value of network-level threat detection.

10. Lessons for Small Businesses and Home Users

This attack serves as a wake-up call for small businesses and home users who often rely on older routers. The SOHO market is particularly vulnerable because these devices are less frequently updated and may have weak default passwords. To protect against such threats, users should regularly check for firmware updates, disable unused services, and replace routers that are no longer supported. Additionally, using a trusted DNS service like Cloudflare or Quad9 can help mitigate DNS hijacking. Continuous monitoring of network traffic and employing network segmentation can also limit the impact of a compromised router.

In conclusion, the GRU-linked router hack demonstrates a shift towards infrastructure-level attacks that bypass traditional defenses. By targeting vulnerabilities in outdated routers and exploiting DNS, the attackers were able to harvest OAuth tokens at scale. Organizations and individuals must prioritize device hygiene, apply security patches, and remain vigilant against evolving espionage tactics. Collaboration between cybersecurity firms and government agencies will be crucial in combating such sophisticated threats moving forward.
