
How Russian Hackers Exploited Old Routers to Steal Microsoft Login Tokens

Asked 2026-05-06 13:19:21 Category: Cybersecurity

In a sophisticated cyber espionage campaign, Russian hackers associated with the GRU (Russia's military intelligence) have been exploiting known vulnerabilities in outdated home and small office routers to steal Microsoft Office authentication tokens. This attack, which peaked in December 2025, targeted over 200 organizations and 5,000 consumer devices, according to Microsoft and Lumen's Black Lotus Labs. Below, we answer key questions about this stealthy operation.

Who is the threat actor behind this router hacking campaign?

The group is known by several names: Forest Blizzard, APT28, and Fancy Bear. It is attributed to the Russian General Staff Main Intelligence Directorate (GRU). This group gained notoriety for interfering in the 2016 U.S. presidential election by compromising the Democratic National Committee and Hillary Clinton's campaign. Their latest operation shows they continue to evolve their tactics, focusing on stealing authentication tokens rather than deploying malware.

[Image: How Russian Hackers Exploited Old Routers to Steal Microsoft Login Tokens. Source: krebsonsecurity.com]

How did the hackers compromise the routers?

The attackers did not install malware on the routers. Instead, they leveraged known vulnerabilities in older, unsupported models, primarily from MikroTik and TP-Link. By exploiting these flaws, they modified the routers' Domain Name System (DNS) settings so that name lookups went to DNS servers under their control. This technique, called DNS hijacking, let them intercept and redirect traffic from every device on the local network, since those devices take their DNS server from the router, without alerting users.

What were they stealing and why is it dangerous?

They targeted OAuth authentication tokens for Microsoft Office services. OAuth tokens are issued after a user successfully logs in and let the user's applications access services and files without re-entering a password. By intercepting these tokens via DNS hijacking, the hackers could impersonate users and gain unauthorized access to email, documents, and other cloud data. This is particularly dangerous because tokens can remain valid for hours, giving attackers a wide window to move laterally within networks.

How many devices and organizations were affected?

At its peak in December 2025, the surveillance network ensnared over 18,000 internet routers, mostly end-of-life or unpatched devices. Microsoft identified more than 200 organizations and 5,000 consumer devices caught up in the attack. The primary targets were government agencies, including ministries of foreign affairs and law enforcement, as well as third-party email providers. However, any user on a compromised router could have their tokens stolen.


Why were old home/small office routers targeted?

Attackers often choose older, unsupported routers because they no longer receive security updates, making them easy prey. MikroTik and TP-Link devices popular in the SOHO (Small Office/Home Office) market were the main ones exploited. These routers often have known, unpatched vulnerabilities that can be used to change DNS settings remotely. Compromising a single router can expose an entire local network, because the malicious DNS settings propagate to all connected users.

What can users and organizations do to protect themselves?

The UK National Cyber Security Centre (NCSC) advises regularly updating router firmware, replacing end-of-life devices, and using strong, unique passwords for router administration. Network administrators should monitor for unexpected DNS changes and enable logging. Additionally, organizations can implement conditional access policies and require multi-factor authentication (MFA) to reduce the impact of token theft. Keeping routers patched and segmenting networks can also limit the blast radius of such attacks.
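The advice above to monitor for unexpected DNS changes can be turned into a small check. The following is an added example written for this page; it is not code from the original post or from krebsonsecurity.com. It parses resolv.conf-style resolver settings from a host behind the router, classifies each resolver as allowlisted, on the LAN (normally the router itself) or unexpected, and diffs the current set against a stored baseline. The allowlist, the LAN ranges and both sample configurations are constructed for the example; 203.0.113.45 is a documentation-range address standing in for a resolver the administrator never configured.

```python
"""Baseline-and-allowlist audit of DNS resolver settings.

Added example (not from the original post or from krebsonsecurity.com).
It parses resolv.conf-style text, classifies each resolver as
allowed / lan / unexpected, and diffs the current set against a stored
baseline so a silent change of upstream DNS stands out.
All sample data below is constructed for the example.
"""
import ipaddress
import re

# Assumed allowlist of resolvers an administrator actually expects to see
# (constructed for this example; replace with your own).
KNOWN_GOOD_RESOLVERS = {"1.1.1.1", "9.9.9.9", "8.8.8.8"}

# Assumed LAN ranges; a resolver inside one of these is normally the
# router itself forwarding upstream (MikroTik's default LAN address is 192.168.88.1).
LAN_NETWORKS = [ipaddress.ip_network("192.168.0.0/16"),
                ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("172.16.0.0/12")]

_NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)")


def parse_resolv_conf(text):
    """Return the resolver addresses listed in resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        m = _NAMESERVER_RE.match(line)
        if m:
            try:
                servers.append(str(ipaddress.ip_address(m.group(1))))
            except ValueError:
                continue  # skip malformed entries rather than crash the audit
    return servers


def classify_resolver(addr):
    """allowed = on the allowlist, lan = inside a LAN range, unexpected = neither."""
    ip = ipaddress.ip_address(addr)
    if str(ip) in KNOWN_GOOD_RESOLVERS:
        return "allowed"
    if any(ip in net for net in LAN_NETWORKS):
        return "lan"
    return "unexpected"


def audit_resolvers(resolvers):
    """Map each resolver address to its classification."""
    return {addr: classify_resolver(addr) for addr in resolvers}


def detect_dns_change(baseline, current):
    """Compare a stored baseline set of resolvers with the current set."""
    base, cur = set(baseline), set(current)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


def alerts(baseline_text, current_text):
    """Return alert lines for unexpected resolvers and baseline drift; [] means clean."""
    baseline = parse_resolv_conf(baseline_text)
    current = parse_resolv_conf(current_text)
    out = []
    for addr, verdict in audit_resolvers(current).items():
        if verdict == "unexpected":
            out.append(f"unexpected resolver {addr} (not allowlisted, not on LAN)")
    change = detect_dns_change(baseline, current)
    for addr in change["added"]:
        out.append(f"resolver added since baseline: {addr}")
    for addr in change["removed"]:
        out.append(f"resolver removed since baseline: {addr}")
    return out


# Constructed sample: resolver settings handed out by a healthy router...
BASELINE_RESOLV_CONF = """# Generated by DHCP
nameserver 192.168.88.1
nameserver 1.1.1.1
"""
# ...and the same host after the router's DNS setting has been altered.
# 203.0.113.45 is a documentation-range address used here as a stand-in.
HIJACKED_RESOLV_CONF = """# Generated by DHCP
nameserver 203.0.113.45
nameserver 1.1.1.1
"""

if __name__ == "__main__":
    for line in alerts(BASELINE_RESOLV_CONF, HIJACKED_RESOLV_CONF):
        print("ALERT:", line)
```

Run periodically from a host on the LAN (or fed the router's own DHCP DNS setting), the check reports both a resolver that is neither allowlisted nor local and any drift from the baseline, which is the signal a DNS hijack of the router produces from the client's point of view. A resolver that sits on the LAN but is not the router's address also deserves a look, which is why the classification is kept separate from the baseline diff.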