
Massive Russian Cyber Operation Exploits Old Routers to Steal Microsoft Authentication Tokens

Asked 2026-05-02 19:42:50 Category: Cybersecurity

Breaking News: Hackers linked to Russia's GRU military intelligence have hijacked more than 18,000 aging internet routers to silently steal Microsoft Office authentication tokens from hundreds of organizations and thousands of consumers, security researchers warn today.

The campaign, attributed to the state-backed group known as Forest Blizzard or APT28, used known vulnerabilities in unsupported routers (primarily older MikroTik and TP-Link devices) to redirect DNS traffic and intercept OAuth tokens without deploying any malware.

Microsoft confirmed in a blog post that the spying net ensnared more than 200 organizations and 5,000 consumer devices. At its peak in December 2025, the operation compromised routers across 18,000 networks globally.

How the Attack Worked

Forest Blizzard altered the Domain Name System (DNS) settings on vulnerable routers so that every device behind them resolved hostnames through servers the hackers controlled. That put the attackers in a position to intercept authentication tokens issued after users logged into Microsoft Office services.

Source: krebsonsecurity.com

"The attackers didn't need to install any malicious code on the routers themselves," said Ryan English, a security engineer at Black Lotus Labs, a division of Lumen. "They simply exploited known flaws to change the DNS configuration, and then every user on that network was at risk."

The targeted routers were mostly end-of-life models or devices far behind on security patches. The hackers focused on government agencies, ministries of foreign affairs, law enforcement, and third-party email providers.

Background

Forest Blizzard, also known as APT28 or Fancy Bear, is a notorious cyber espionage group attributed to Russia's Main Intelligence Directorate (GRU). The group gained infamy in 2016 for hacking the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee.

This latest operation represents a shift in tactics: instead of using sophisticated malware, the hackers leveraged simple router vulnerabilities to build a stealthy surveillance network. The UK's National Cyber Security Centre (NCSC) released a new advisory detailing how Russian cyber actors have been compromising routers for similar purposes.


DNS hijacking allows attackers to intercept traffic without the user's knowledge. By controlling the DNS server, they can redirect victims to phishing sites designed to steal login credentials or authentication tokens. Note that a rogue resolver does not by itself decrypt TLS traffic to the genuine Microsoft sign-in endpoints; the theft depends on the victim signing in to the attacker-run page the rogue resolver hands out.

What This Means

The scale of this campaign—affecting tens of thousands of networks—underscores the vulnerability of aging internet infrastructure. Organizations that rely on outdated routers, especially small offices and home offices, are prime targets.

OAuth tokens are particularly valuable because they allow attackers to access email, cloud storage, and other services without requiring passwords and, because any multi-factor challenge was already satisfied when the token was issued, without triggering MFA again. Once stolen, these tokens can be used to impersonate users and move laterally within networks.

"This is a wake-up call for every organization to audit their network equipment and ensure routers are patched or replaced," English warned. "Attackers are increasingly going after the weakest link—and old routers are an open door."

Microsoft and Lumen have released indicators of compromise and recommend that users immediately update router firmware or replace unsupported devices. The NCSC advises checking DNS settings for unauthorized changes.
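The two checks the guidance above boils down to (did the router start handing out resolvers you do not recognise, and does the local resolver return plausible answers for the Microsoft sign-in hostnames) can be scripted. The following is an added example written for this page, not code from Microsoft, Lumen or the NCSC. The trusted-resolver list and the expected sign-in prefixes are placeholder assumptions (in practice, take the prefixes from Microsoft's published service-tag data), and the resolv.conf text and DNS answers are constructed samples so that the script runs offline.

```python
"""Hypothetical DNS-hijack check: added example, not from the article.

Check 1: the resolver addresses a client received (here, resolv.conf text)
         against an allowlist of resolvers the organisation actually runs.
Check 2: the answers the local resolver gave for the Microsoft sign-in
         hostnames against the prefixes those services are expected to
         live in. A hostname whose answers ALL fall outside the expected
         ranges is the strong signal; a partial mismatch is often just
         CDN or anycast variation and is deliberately not flagged.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Assumption: placeholder values for the router's LAN address and the
# organisation's internal resolver. Replace with your own.
TRUSTED_RESOLVERS = {"192.168.1.1", "10.0.0.53"}

# Assumption: placeholder prefixes for the Microsoft sign-in endpoints.
# Populate from Microsoft's published service-tag ranges in real use.
EXPECTED_SIGNIN_PREFIXES = [
    ipaddress.ip_network("20.190.128.0/18"),
    ipaddress.ip_network("40.126.0.0/18"),
]

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def resolvers_from_resolv_conf(text: str) -> List[str]:
    """Return the resolver addresses listed in resolv.conf-style text."""
    return NAMESERVER_RE.findall(text)


def unexpected_resolvers(resolvers: Iterable[str], trusted: Iterable[str]) -> List[str]:
    """Resolvers not on the allowlist. A hijacked router typically pushes
    one or two attacker-controlled addresses to every client via DHCP."""
    trusted = set(trusted)
    return [r for r in resolvers if r not in trusted]


def suspicious_signin_answers(
    answers: Dict[str, List[str]], prefixes: List[ipaddress.IPv4Network]
) -> Dict[str, List[str]]:
    """Hostnames for which every returned address lies outside the
    expected prefixes, mapped to those addresses."""
    flagged: Dict[str, List[str]] = {}
    for host, addrs in answers.items():
        outside = [
            a for a in addrs
            if not any(ipaddress.ip_address(a) in p for p in prefixes)
        ]
        if addrs and len(outside) == len(addrs):
            flagged[host] = outside
    return flagged


# Constructed sample: what a client behind a hijacked router might see.
SAMPLE_RESOLV_CONF = """\
# constructed sample, not captured data
nameserver 192.168.1.1
nameserver 203.0.113.53
"""

# Constructed sample answers. login.microsoftonline.com points at a
# documentation-range address (rogue); login.live.com answers are in range.
SAMPLE_ANSWERS = {
    "login.microsoftonline.com": ["203.0.113.80"],
    "login.live.com": ["40.126.31.3", "20.190.151.9"],
}


def run_checks(resolv_conf: str = SAMPLE_RESOLV_CONF,
               answers: Dict[str, List[str]] = SAMPLE_ANSWERS) -> Dict[str, object]:
    """Run both checks and return the findings as a dict."""
    rogue = unexpected_resolvers(resolvers_from_resolv_conf(resolv_conf),
                                 TRUSTED_RESOLVERS)
    flagged = suspicious_signin_answers(answers, EXPECTED_SIGNIN_PREFIXES)
    return {"unexpected_resolvers": rogue, "suspicious_answers": flagged}


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

To run it against a live network, replace the sample text with the contents of the client's actual resolver configuration (or the router's DHCP DNS option) and fill `answers` from real lookups, for example with `socket.getaddrinfo` on each sign-in hostname. A hit on check 1 alone is enough to justify resetting the router and verifying its firmware; a hit on check 2 means clients on that network should be assumed to have leaked sign-in traffic.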

Key Takeaways

  • Over 18,000 routers compromised, mostly MikroTik and TP-Link devices.
  • No malware required—attackers changed DNS settings via known vulnerabilities.
  • Targets included government agencies and email providers.
  • Peak activity in December 2025; campaign still ongoing.
  • Users should update or replace outdated routers immediately.

This is a developing story. Check back for updates.