Russian Military Intelligence Uses Router Hacks to Steal Microsoft Office Tokens from 18,000 Networks
Key Takeaways
- Russian GRU-linked APT28 (Forest Blizzard) compromised 18,000+ routers by exploiting DNS vulnerabilities to intercept Microsoft Office authentication tokens
- Attack targeted over 200 organizations and 5,000 consumer devices, primarily government agencies and email providers, without deploying any malware
- Hackers bypassed multi-factor authentication by intercepting OAuth tokens after successful login, gaining direct account access without credential phishing
Summary
Russian military intelligence hackers linked to the GRU's APT28 (Forest Blizzard) have been conducting a large-scale espionage campaign exploiting known vulnerabilities in older routers to steal authentication tokens from Microsoft Office users. The attackers compromised more than 18,000 Internet routers—primarily outdated Mikrotik and TP-Link devices—by modifying their DNS settings to redirect traffic through attacker-controlled servers. Microsoft identified over 200 organizations and 5,000 consumer devices affected by the campaign, which peaked in December 2025.
Instead of deploying malware, the Russian hackers used a sophisticated but low-tech approach: they reconfigured the routers' DNS settings and intercepted OAuth authentication tokens transmitted after users logged in with multi-factor authentication. This allowed attackers to gain direct access to victim accounts without phishing credentials or one-time codes. The campaign primarily targeted government agencies including foreign ministries, law enforcement, and third-party email providers. Security researchers at Black Lotus Labs noted the attackers exploited end-of-life routers that were largely unpatched and unsupported, highlighting the risks posed by legacy devices on enterprise networks.
- Vulnerable SOHO routers from Mikrotik and TP-Link were exploited, underscoring risks of unpatched legacy devices in enterprise and government networks
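The campaign described above leaves two signals a defender can look for: a router whose configured DNS resolvers no longer match the organisation's baseline, and a router-side resolver that answers differently from an independent trusted resolver for identity endpoints. The script below is an added example, not code from the article, Microsoft, or Black Lotus Labs. It assumes a simple router DNS export format (one router per line, name followed by a comma-separated resolver list) and uses constructed RFC 5737 test addresses; in a real deployment the two answer sets would come from querying the router's resolver and a trusted out-of-band resolver, and login.microsoftonline.com is the only real hostname used.

```python
"""
Audit router DNS settings for the hijack pattern described in the article:
resolvers drifting from a known-good baseline, and identity hostnames
resolving differently through the router than through a trusted resolver.
All sample data below is constructed for illustration (assumption).
"""
from __future__ import annotations

import ipaddress

# Resolvers the organisation actually operates (constructed baseline).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed router export: "<router-name> <resolver>[,<resolver>...]".
ROUTER_DNS_EXPORT = """\
# name resolvers
edge-rtr-01 10.0.0.53,10.0.1.53
branch-rtr-07 10.0.0.53,203.0.113.9
branch-rtr-12 198.51.100.44
"""

# Constructed answer sets. A real check would issue the same queries through
# the router's resolver and through a trusted resolver reached out of band.
ROUTER_ANSWERS = {
    "login.microsoftonline.com": {"203.0.113.50"},
    "login.live.com": {"192.0.2.10"},
}
TRUSTED_ANSWERS = {
    "login.microsoftonline.com": {"192.0.2.20", "192.0.2.21"},
    "login.live.com": {"192.0.2.10"},
}


def parse_router_dns(export: str) -> dict[str, list[str]]:
    """Parse the export into {router_name: [resolver, ...]}, validating each address."""
    config: dict[str, list[str]] = {}
    for raw in export.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, resolver_field = line.partition(" ")
        resolvers = []
        for token in resolver_field.split(","):
            token = token.strip()
            ipaddress.ip_address(token)  # raises ValueError on a malformed entry
            resolvers.append(token)
        config[name] = resolvers
    return config


def find_rogue_resolvers(config: dict[str, list[str]],
                         approved: set[str]) -> dict[str, list[str]]:
    """Return {router: [unapproved resolvers]} for routers that point outside the baseline."""
    rogue: dict[str, list[str]] = {}
    for router, resolvers in config.items():
        unexpected = [r for r in resolvers if r not in approved]
        if unexpected:
            rogue[router] = unexpected
    return rogue


def compare_answers(router_answers: dict[str, set[str]],
                    trusted_answers: dict[str, set[str]]) -> list[str]:
    """Return hostnames whose router-side answer set differs from the trusted one."""
    mismatched = []
    for host in sorted(trusted_answers):
        if host in router_answers and router_answers[host] != trusted_answers[host]:
            mismatched.append(host)
    return mismatched


def audit(export: str, approved: set[str],
          router_answers: dict[str, set[str]],
          trusted_answers: dict[str, set[str]]) -> dict[str, object]:
    """Combine both checks into one report suitable for alerting."""
    rogue = find_rogue_resolvers(parse_router_dns(export), approved)
    mismatched = compare_answers(router_answers, trusted_answers)
    return {"rogue_resolvers": rogue, "mismatched_hosts": mismatched,
            "suspicious": bool(rogue or mismatched)}


if __name__ == "__main__":
    report = audit(ROUTER_DNS_EXPORT, APPROVED_RESOLVERS, ROUTER_ANSWERS, TRUSTED_ANSWERS)
    for router, bad in report["rogue_resolvers"].items():
        print(f"{router}: resolver(s) outside baseline: {', '.join(bad)}")
    for host in report["mismatched_hosts"]:
        print(f"{host}: router resolver answer differs from trusted resolver")
```

Treat a mismatch on the answer comparison as a trigger for investigation rather than proof of hijacking: large identity endpoints sit behind CDNs and can legitimately return different addresses from different vantage points, so the trusted query should be sent from the same network segment, and the resolver-baseline check is the more reliable of the two signals.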
Editorial Opinion
This campaign exemplifies a critical blind spot in cybersecurity: while organizations invest heavily in endpoint protection and advanced threat detection, legacy infrastructure like older routers remains dangerously neglected. The attackers' elegant simplicity—using DNS hijacking rather than malware—demonstrates that sophisticated state-sponsored hacking doesn't always require complex tools; it requires exploiting organizational gaps in asset management and patch discipline. The fact that this attack bypassed multi-factor authentication by intercepting tokens post-authentication should prompt an urgent reassessment of network security assumptions and of the necessity of retiring or rigorously securing end-of-life devices.