How Russian Hackers Stole Microsoft Office Tokens Through Router Attacks: A Q&A

Last updated: 2026-05-08 23:51:18 · Cybersecurity

In a stealthy campaign that targeted over 18,000 networks, Russian-linked hackers exploited aging home and small office routers to siphon Microsoft Office authentication tokens. This Q&A breaks down the operation, the attackers behind it, and what it means for your security.

Who is behind this hacking campaign?

The group responsible is known as Forest Blizzard, also called APT28 or Fancy Bear. They are attributed to the military intelligence units within Russia's General Staff Main Intelligence Directorate (GRU). This group has a notorious history, having compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 during an attempt to interfere with the U.S. presidential election. Their latest operation focused on stealing OAuth authentication tokens from Microsoft Office users, and security researchers at Black Lotus Labs (a division of Lumen) and Microsoft tracked their activities.

How Russian Hackers Stole Microsoft Office Tokens Through Router Attacks: A Q&A
Source: krebsonsecurity.com

How did the hackers compromise the routers?

The attackers did not need to install any malware on the targeted routers. Instead, they exploited known vulnerabilities in older devices—mostly Mikrotik and TP-Link routers marketed to small office/home office (SOHO) users. By leveraging these flaws, they modified the Domain Name System (DNS) settings on the routers to point to DNS servers they controlled. This allowed them to redirect traffic for entire networks without deploying any malicious code, making the attack remarkably simple and stealthy. According to Black Lotus Labs, at the peak in December 2025, more than 18,000 routers were part of this surveillance network.

What is DNS hijacking and how did it enable token theft?

DNS (Domain Name System) is like the internet's phonebook—it converts human-friendly website names (e.g., office.com) into numerical IP addresses. In a DNS hijacking attack, the attackers interfere with this process. After compromising the routers, they configured the DNS settings to send users to fake websites that looked legitimate. Once a user logged into Microsoft Office and received an OAuth authentication token (a piece of data that grants access without needing a password again), the attackers intercepted that token. Since the token is transmitted only after successful login, the hackers could then use it to access the victim's Office session without triggering alarms.

What types of devices were targeted?

The campaign focused almost exclusively on older, unsupported, or far-behind-on-updates Mikrotik and TP-Link routers. These are typically used in small office/home office (SOHO) environments and often lack security patches. The attackers did not target enterprise-grade routers but rather the cheap, often forgotten devices that still connect critical networks. Because these routers are end-of-life, they contain known vulnerabilities that the GRU hackers could exploit without needing to develop new zero-day exploits.

How many organizations and users were affected?

Microsoft identified more than 200 organizations and 5,000 consumer devices caught up in the spying network. At the peak in December 2025, over 18,000 internet routers were compromised. The sheer scale shows that the GRU hackers targeted both government and private-sector networks, with a focus on siphoning authentication tokens from Microsoft Office users across a wide range of entities.

What were the main targets of this campaign?

According to a report from Lumen's Black Lotus Labs, the primary targets included government agencies—especially ministries of foreign affairs—as well as law enforcement entities and third-party email providers. The attackers aimed to steal OAuth tokens from these high-value targets to gain persistent access to their Microsoft Office sessions and sensitive data. The U.K.'s National Cyber Security Centre (NCSC) also issued an advisory detailing how Russian cyber actors have been compromising routers, underlining the threat to government and critical infrastructure.

What can organizations do to protect against such attacks?

To defend against DNS hijacking and router compromise, organizations should regularly update router firmware and replace end-of-life devices with supported models. It's critical to monitor DNS settings for unauthorized changes and use secure authentication methods such as multi-factor authentication (MFA) to reduce the reliance on OAuth tokens alone. Additionally, network administrators should audit all connected routers, especially older SOHO devices, and consider using DNS over HTTPS (DoH) or other encrypted DNS protocols. For more information on safeguarding routers, refer to the DNS hijacking section above.
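As an added example (not code from the Krebs article or from the Black Lotus Labs or Microsoft reports), here are the two defender-side checks implied by the DNS hijacking description and the recommendations above: flag routers whose configured resolvers are neither the organization's approved resolvers nor a LAN address, and flag a login hostname whose answer through the router's resolver shares no address with a trusted out-of-band resolver. The resolver addresses, router inventory and DNS answers are all constructed sample data.

```python
"""Added example: flag DNS-hijack indicators from constructed router audit data."""
from ipaddress import ip_address, ip_network

# Resolvers the organisation provisions on its routers (constructed, RFC 5737 space).
APPROVED_RESOLVERS = {"192.0.2.53", "198.51.100.53"}
# Forwarding to a LAN resolver is normal, so RFC 1918 space counts as local.
LOCAL_RANGES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]

# Constructed inventory, shaped like what a config-collection script would return.
SAMPLE_INVENTORY = [
    {"router": "branch-01", "dns": ["192.0.2.53", "198.51.100.53"]},  # as provisioned
    {"router": "branch-02", "dns": ["192.168.88.1"]},                  # LAN forwarder
    {"router": "branch-03", "dns": ["203.0.113.7", "192.0.2.53"]},    # unknown public resolver
]


def resolver_is_suspicious(resolver: str) -> bool:
    """A resolver that is neither approved nor on a local network is the
    indicator: the campaign above rewrote router DNS to attacker-run servers."""
    if resolver in APPROVED_RESOLVERS:
        return False
    addr = ip_address(resolver)
    return not any(addr in net for net in LOCAL_RANGES)


def audit_router_dns(inventory):
    """Return (router, [suspicious resolvers]) for every router with a bad entry."""
    findings = []
    for device in inventory:
        bad = [r for r in device["dns"] if resolver_is_suspicious(r)]
        if bad:
            findings.append((device["router"], bad))
    return findings


def answers_disagree(via_router, via_trusted) -> bool:
    """Second check: resolve a login hostname through the router's resolver and
    through a trusted out-of-band one. CDN-fronted names rotate addresses, so
    only a completely disjoint answer set is treated as a hijack indicator."""
    return not (set(via_router) & set(via_trusted))


if __name__ == "__main__":
    for router, bad in audit_router_dns(SAMPLE_INVENTORY):
        print(f"{router}: unexpected resolver(s) {bad}")
    # Constructed answers for the same login hostname from both resolvers.
    print("hijack indicator:", answers_disagree({"203.0.113.10"}, {"198.51.100.20"}))
```

Feed `audit_router_dns` the resolver list pulled from each router's configuration and run `answers_disagree` on a handful of identity hostnames at each audit; either finding is a reason to reset the router's DNS settings and check its firmware status.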