Russian GRU Hackers Hijack 18,000 Routers to Steal Microsoft Office Logins – Lumen Report

Russian GRU hackers used DNS hijacking on 18,000+ old routers to steal Microsoft Office authentication tokens, affecting 200+ organizations, reports Lumen.

Deltadga · 2026-05-04 01:08:18 · Cybersecurity

Key Details

State-sponsored hackers linked to Russia's GRU have quietly compromised over 18,000 internet routers to intercept authentication tokens from Microsoft Office users, according to a new report released today.

Russian GRU Hackers Hijack 18,000 Routers to Steal Microsoft Office Logins – Lumen Report
Source: krebsonsecurity.com

The campaign, attributed to the threat actor known as Forest Blizzard (also APT28 or Fancy Bear), targeted outdated and unsupported routers from MikroTik and TP-Link. No malware was installed on the devices.

Microsoft confirmed that more than 200 organizations and 5,000 consumer devices were affected. The peak activity occurred in December 2025.

How the Attack Works

Security researchers at Black Lotus Labs, a division of Lumen Technologies, discovered that the hackers exploited known vulnerabilities in end-of-life routers to modify their DNS settings. Victims' internet traffic was then redirected through malicious DNS servers controlled by the attackers.

"The GRU hackers did not need to install any malware on the routers," said Ryan English, a security engineer at Black Lotus Labs. "Instead, they used known flaws to change the DNS configuration, allowing them to intercept OAuth tokens transmitted after users logged into Microsoft Office services."

Once a user authenticated, their session token was silently harvested, giving the attackers persistent access without triggering alarms. The technique allowed the hackers to propagate malicious DNS settings across entire local networks.
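The mechanism above gives defenders two things to watch that need no malware signature: the resolvers a host is actually using, and whether those resolvers answer identity-provider lookups the same way a trusted out-of-band resolver does. The following check is an added example written for this article; it is not tooling from Lumen, Black Lotus Labs or Microsoft, and all telemetry, the allowlist and the reference answers are constructed (RFC 5737 documentation addresses), with the query plumbing left to the reader.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str    # "resolver_drift" or "answer_divergence"
    detail: str


def check_resolvers(host, resolvers, allowlist):
    """Flag resolvers a host uses that fall outside every allowlisted network.
    A router whose DNS settings were rewritten hands the attacker's resolver
    to every client via DHCP, so drift shows up across the whole LAN at once."""
    allowed = [ip_network(n) for n in allowlist]
    return [Finding(host, "resolver_drift", f"unexpected resolver {r}")
            for r in resolvers
            if not any(ip_address(r) in net for net in allowed)]


def check_answers(host, name, local_answers, reference_answers):
    """Flag when the local resolver's answers for an identity endpoint share no
    address with a trusted reference resolver's answers. CDN-fronted names
    legitimately differ by region, so overlap (not equality) is the test;
    a hit is a lead to confirm, not proof of hijacking."""
    if set(local_answers).isdisjoint(reference_answers):
        return [Finding(host, "answer_divergence",
                        f"{name}: local={sorted(local_answers)} "
                        f"reference={sorted(reference_answers)}")]
    return []


def audit(hosts, allowlist, reference):
    """hosts: {hostname: {"resolvers": [ip], "answers": {name: [ip]}}}
    reference: {name: [ip]} as seen from a trusted out-of-band resolver."""
    findings = []
    for host, data in hosts.items():
        findings += check_resolvers(host, data["resolvers"], allowlist)
        for name, answers in data["answers"].items():
            findings += check_answers(host, name, answers, reference[name])
    return findings


# Constructed sample telemetry; addresses are documentation ranges, not real hosts.
ALLOWLIST = ["10.0.0.0/8"]
REFERENCE = {"login.microsoftonline.com": ["198.51.100.10", "198.51.100.11"]}
SAMPLE_HOSTS = {
    "ws-hq-01": {"resolvers": ["10.0.0.53"],
                 "answers": {"login.microsoftonline.com": ["198.51.100.11"]}},
    "ws-branch-12": {"resolvers": ["203.0.113.77"],  # handed out by a rewritten router
                     "answers": {"login.microsoftonline.com": ["203.0.113.200"]}},
}
```

Feed it resolver lists from DHCP leases or endpoint agents and answers from a scheduled lookup; a host that trips both checks is the pattern the report describes.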

Background

Forest Blizzard is a known Russian military intelligence unit operating under the GRU. The group gained notoriety in 2016 for hacking the Democratic National Committee and Hillary Clinton's campaign as part of an effort to influence the U.S. presidential election.

Lumen's report indicates the hackers primarily targeted government agencies, including ministries of foreign affairs and law enforcement, as well as third-party email providers. The UK's National Cyber Security Centre (NCSC) also issued an advisory detailing similar Russian router compromise tactics.

"DNS hijacking is a stealthy method because it exploits a foundational internet service," English explained. "Users and organizations rarely monitor DNS integrity, making it an ideal vector for espionage."

What This Means

This attack underscores the vulnerability of older networking hardware that remains in use despite being unsupported. Organizations relying on outdated routers are at risk of silent credential theft without any malware signature to detect.

Security experts urge immediate action: update router firmware, disable remote administration, and implement DNS security measures such as DNSSEC or encrypted DNS. Microsoft advises using modern authentication methods like passwordless sign-in and conditional access policies.

"This is a wake-up call for enterprises and home users alike," English said. "A single compromised router can expose an entire organization's authentication infrastructure to a nation-state adversary."

The widespread nature of the attack—spanning 18,000 routers globally—highlights the need for coordinated international defense against state-sponsored cyber espionage campaigns.