
How Russian Hackers Used Old Routers to Hijack Microsoft Office Authentication

Asked 2026-05-04 03:27:10 Category: Cybersecurity

Overview

A sophisticated cyber espionage campaign linked to Russia's GRU military intelligence has compromised over 18,000 outdated internet routers to silently steal authentication tokens from Microsoft Office users. Security researchers from Black Lotus Labs, a division of Lumen Technologies, revealed that the group—known as Forest Blizzard, APT28, or Fancy Bear—exploited known vulnerabilities in legacy routers without installing any malware on the devices themselves. The attack affected more than 200 organizations and 5,000 consumer devices, according to a blog post by Microsoft. At its peak in December 2025, the operation ensnared a vast network of routers, primarily targeting government ministries, law enforcement agencies, and third-party email providers.

How Russian Hackers Used Old Routers to Hijack Microsoft Office Authentication
Source: krebsonsecurity.com

The Attack Method

DNS Hijacking Through Router Compromise

The hackers did not need to deploy malicious software on the targeted routers. Instead, they leveraged known security flaws in older models—mostly MikroTik and TP-Link devices marketed to small offices and home offices (SOHO). By modifying the Domain Name System (DNS) settings on these routers, they redirected DNS queries to servers they controlled. This technique, known as DNS hijacking, allowed the attackers to intercept and manipulate traffic without the users' knowledge. As the UK's National Cyber Security Centre (NCSC) noted in a related advisory, DNS is the system that translates human-readable website names into IP addresses. In a DNS hijacking attack, interference with this process can silently direct users to fraudulent websites designed to capture login credentials or other sensitive data.

Exploiting End-of-Life Routers

Black Lotus Labs reported that the compromised routers were mostly unsupported or end-of-life models, far behind on security updates. Ryan English, a security engineer at Black Lotus Labs, explained that the GRU hackers did not need to install any code on the routers themselves. Instead, they used known vulnerabilities—some of which had been publicly documented for years—to gain access and alter the DNS configuration. Once altered, the routers would point all connected devices to a handful of virtual private servers controlled by the attackers. This enabled the hackers to propagate malicious DNS settings across entire local networks, intercepting OAuth authentication tokens transmitted by any user on those networks. Importantly, these tokens are typically sent after a user has successfully logged in, meaning the attackers could bypass multi-factor authentication and other security measures.

Targets and Scope

According to the report, the primary targets were government agencies, including ministries of foreign affairs and law enforcement bodies, as well as third-party email providers. The campaign also ensnared thousands of consumer devices. Forest Blizzard, attributed to Russia's General Staff Main Intelligence Directorate (GRU), is infamous for its past operations, including the 2016 interference in the U.S. presidential election by compromising the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee. This latest campaign demonstrates a continued focus on intelligence gathering through stealthy, low-cost methods that rely on existing infrastructure weaknesses rather than zero-day exploits.

Implications

The attack highlights a significant risk for organizations using outdated networking hardware. Because the routers themselves were not infected with malware, traditional antimalware solutions would not detect the compromise. The stolen OAuth tokens could allow the attackers to access Microsoft Office 365 accounts, emails, and other cloud services without needing passwords. This method of credential theft is particularly dangerous because it can remain undetected for long periods—user activity may appear normal, and the only sign might be unusual DNS requests. The scale of the operation—affecting over 18,000 routers—indicates a systematic effort to harvest tokens from a wide array of networks.


Response and Recommendations

Microsoft and NCSC Advisories

Microsoft published a detailed analysis of the campaign, identifying the threat actor as Forest Blizzard and providing indicators of compromise. The company urged organizations to review their router configurations and ensure firmware is up to date. The NCSC also released a specific advisory detailing how Russian cyber actors have been compromising routers, emphasizing the importance of changing default passwords, disabling remote management, and monitoring for unauthorized DNS changes. Both entities recommend replacing end-of-life routers with supported models that receive security patches.

Protecting Against Router-Based Attacks

  • Update firmware: Always install the latest router firmware from the manufacturer.
  • Change default credentials: Use strong, unique passwords for router admin access.
  • Disable remote management: Unless absolutely necessary, turn off remote access to router settings.
  • Monitor DNS settings: Regularly check that DNS servers are legitimate (e.g., your ISP's or a trusted public DNS like 1.1.1.1).
  • Replace old hardware: Retire routers that are no longer supported by the vendor.
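The "Monitor DNS settings" item above and the earlier remark that unusual DNS requests may be the only sign of compromise both come down to one check: which resolvers are the hosts behind a router actually talking to? The script below is an added example, not code from the article, Black Lotus Labs or Microsoft. It parses constructed DNS query log lines (format and all addresses are assumptions; the ranges used are documentation space), flags queries sent to any resolver outside an allowlist, and raises the severity when the queried name is a Microsoft sign-in domain, since that is the traffic the campaign redirected.

```python
"""Detect DNS resolver drift from query logs (added example, constructed data)."""
import ipaddress
from collections import Counter

# Resolvers this network is supposed to use (assumed values; adjust to your own).
TRUSTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "192.0.2.53"}

# Sign-in domains whose redirection would expose OAuth token traffic (assumption).
AUTH_DOMAINS = ("login.microsoftonline.com", "login.live.com", "login.microsoft.com")


def parse_line(line):
    """Parse '<ts> <client_ip> -> <resolver_ip> <qname>'; None for malformed lines."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    ts, client, _, resolver, qname = parts
    try:
        ipaddress.ip_address(client)
        ipaddress.ip_address(resolver)
    except ValueError:
        return None
    return {"ts": ts, "client": client, "resolver": resolver,
            "qname": qname.rstrip(".").lower()}


def find_rogue_resolvers(lines, trusted=TRUSTED_RESOLVERS):
    """Return (alerts, per-resolver query counts).

    One alert per query to a resolver not in the allowlist; severity is 'high'
    when the name is a sign-in domain, 'medium' otherwise.
    """
    alerts, counts = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["resolver"]] += 1
        if rec["resolver"] in trusted:
            continue
        sev = "high" if rec["qname"].endswith(AUTH_DOMAINS) else "medium"
        alerts.append((sev, rec["client"], rec["resolver"], rec["qname"]))
    return alerts, counts


# Constructed sample log: 203.0.113.9 plays the role of an attacker-controlled resolver.
SAMPLE_LOG = [
    "2025-12-01T08:00:01Z 10.0.0.12 -> 1.1.1.1 www.example.com.",
    "2025-12-01T08:00:05Z 10.0.0.12 -> 203.0.113.9 login.microsoftonline.com.",
    "2025-12-01T08:00:07Z 10.0.0.31 -> 203.0.113.9 outlook.office.com.",
    "garbage line that should be skipped",
    "2025-12-01T08:01:10Z 10.0.0.31 -> 1.0.0.1 login.live.com.",
]

if __name__ == "__main__":
    found, per_resolver = find_rogue_resolvers(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(dict(per_resolver))
```

A resolver that appears in the counts but never in your router's intended configuration is the signal to inspect the router's DNS settings, whether or not any single query looks suspicious.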

Conclusion

The Russian-linked DNS hijacking campaign serves as a stark reminder that even basic internet infrastructure can be weaponized for espionage. By targeting neglected routers, the GRU hackers executed a large-scale token theft operation with minimal expense and risk of detection. Organizations must prioritize the security of their edge devices—often overlooked—to prevent similar attacks. As cyber threats evolve, proactive management of network hardware becomes as critical as protecting endpoints and cloud services.