Russian GRU Hackers Exploit Aging Routers to Steal Microsoft Office Authentication Tokens
Introduction
A sophisticated cyberespionage campaign linked to Russia's military intelligence agency has been quietly harvesting authentication tokens from Microsoft Office users by exploiting vulnerabilities in outdated Internet routers. Security researchers warn that this operation, attributed to the threat group known as Forest Blizzard (also APT28 or Fancy Bear), compromised more than 18,000 routers at its peak in December 2025. The attack required no malware on the routers themselves—only the manipulation of DNS settings to intercept credentials.

How the Attack Worked
Forest Blizzard, which is associated with Russia's GRU (the Main Directorate of the General Staff, the country's military intelligence agency), targeted unsupported or end-of-life routers—primarily older MikroTik and TP-Link models popular in small offices and home offices (SOHO). Because these devices no longer receive security patches, known vulnerabilities remain exploitable. The hackers used these flaws to modify the routers' DNS (Domain Name System) configuration, redirecting Internet traffic to attacker-controlled servers.
According to a report from Lumen's Black Lotus Labs, the hackers altered the DNS settings to point to a handful of virtual private servers they controlled. Once a user on the local network signed in to a legitimate Microsoft Office service, the malicious DNS servers steered that login traffic to the attackers' hosts, which intercepted the OAuth authentication tokens transmitted during login. These tokens, which confirm the user's identity after successful authentication, could then be reused to gain access to email, files, and other cloud resources without needing passwords.
The Role of DNS Hijacking
The attack is a classic example of DNS hijacking. As explained by the UK's National Cyber Security Centre (NCSC), DNS translates user-friendly domain names into IP addresses. By compromising router settings, the hackers could silently reroute users to lookalike sites designed to capture login credentials or intercept tokens. In this case, they did not need to host fake pages—instead, they simply forwarded token requests to their own servers while maintaining the appearance of a normal connection.
Black Lotus Labs security engineer Ryan English noted that the attackers propagated their DNS changes to all users connected to the compromised router. This meant that anyone on the network—whether using a laptop, phone, or other device—could have their tokens stolen without any warning or interruption.
Targeting and Scale
Microsoft reported over 200 organizations and 5,000 consumer devices caught in the espionage net. The victims spanned government agencies—including ministries of foreign affairs and law enforcement—as well as third-party email providers. The campaign was notable for its operational simplicity: instead of deploying custom malware, the hackers leveraged existing, unpatched vulnerabilities in consumer-grade hardware. This allowed them to remain stealthy and avoid detection by antivirus software.

At its peak, Forest Blizzard had ensnared more than 18,000 Internet routers, primarily in regions of geopolitical interest to Russia. The attackers also targeted older models because they are less likely to be monitored and lack modern security features.
Defensive Measures
To protect against such attacks, organizations and individuals should:
- Replace end-of-life routers with models that receive regular security updates.
- Change default passwords and disable remote administration features.
- Monitor DNS settings for unauthorized changes.
- Implement multi-factor authentication as an additional layer of defense.
- Use network monitoring tools to detect unusual DNS traffic patterns.
The NCSC has released advisory guidance specifically for detecting and blocking DNS hijacking attacks. Additionally, organizations should consider segmenting critical systems from Internet-exposed devices.
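As an added example (not from the article, Black Lotus Labs, or the NCSC), the following Python applies the monitoring advice above to DNS log lines: it flags queries sent to a resolver outside an allowlist, a sign-in hostname resolving outside its verified address ranges, and a resolver that answers with its own address. The resolver allowlist, the address ranges, the log format and the log lines are assumptions constructed for the example.

```python
# Added example: detection logic for router-level DNS hijacking over constructed log lines.
import ipaddress
import re

# Resolvers the router is supposed to hand out via DHCP (assumed values).
EXPECTED_RESOLVERS = {"192.168.88.1", "9.9.9.9"}

# Sign-in hostnames mapped to address ranges verified out of band. The ranges
# are RFC 5737 TEST-NET placeholders, not Microsoft's published prefixes.
EXPECTED_ANSWERS = {
    "login.microsoftonline.com": [ipaddress.ip_network("203.0.113.0/24")],
    "login.live.com": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed log format: "<ts> <client> -> <resolver> <qname> A <answer>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\S+) A (\S+)$")

def check_line(line):
    """Return (reason, line) findings for one DNS log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    _ts, _client, resolver, qname, answer = m.groups()
    findings = []
    # 1. A resolver outside the allowlist: the router's (or client's) DNS
    #    settings were changed, which is the core of the campaign described above.
    if resolver not in EXPECTED_RESOLVERS:
        findings.append(("unexpected resolver " + resolver, line))
    expected = EXPECTED_ANSWERS.get(qname.lower().rstrip("."))
    if expected is not None:
        ip = ipaddress.ip_address(answer)
        # 2. A sign-in hostname resolving outside its verified ranges.
        if not any(ip in net for net in expected):
            findings.append(("unexpected answer %s for %s" % (answer, qname), line))
        # 3. Heuristic: the resolver answering with its own address, i.e. the
        #    same host both hijacks name resolution and receives the login.
        if answer == resolver:
            findings.append(("resolver answers with itself for " + qname, line))
    return findings

def scan(lines):
    """Run check_line over every line and return all findings in order."""
    return [f for line in lines for f in check_line(line)]

SAMPLE_LOG = [  # constructed lines, not captured traffic
    "2025-12-03T10:14:02Z 192.168.88.20 -> 192.168.88.1 login.microsoftonline.com A 203.0.113.10",
    "2025-12-03T10:14:09Z 192.168.88.21 -> 198.51.100.7 login.microsoftonline.com A 198.51.100.7",
    "2025-12-03T10:14:11Z 192.168.88.21 -> 198.51.100.7 example.org A 203.0.113.99",
]
```

Running `scan(SAMPLE_LOG)` yields no findings for the first line and four for the other two, the second line tripping all three checks at once.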
Conclusion
This campaign highlights the danger of neglected network hardware. By exploiting the weakest link—aging routers—Russian state-sponsored hackers were able to silently collect authentication tokens from thousands of organizations. The attack serves as a stark reminder that even without deploying sophisticated malware, adversaries can achieve espionage goals through simple configuration changes. Regular hardware updates, vigilant network monitoring, and adoption of modern authentication protocols are essential to mitigate such threats.