In a sophisticated cyber espionage campaign, hackers linked to Russia's military intelligence (GRU) exploited vulnerabilities in outdated routers to secretly harvest authentication tokens from Microsoft Office users. This operation, attributed to the threat group known as Forest Blizzard (also called APT28 or Fancy Bear), affected over 18,000 networks and more than 200 organizations, including government agencies and email providers. Unlike many attacks, this one required no malware, instead relying on DNS hijacking to intercept login credentials. Below, we answer key questions about how this attack worked and its implications.
What is Forest Blizzard and how is it linked to Russia?
Forest Blizzard is a cyber espionage group attributed to the General Staff Main Intelligence Directorate (GRU) of Russia. It is also known as APT28 and Fancy Bear. The group gained notoriety for interfering in the 2016 U.S. presidential election by hacking the Democratic National Committee, Hillary Clinton's campaign, and the Democratic Congressional Campaign Committee. This time, they targeted government institutions—primarily ministries of foreign affairs, law enforcement agencies, and third-party email providers—to steal authentication tokens from Microsoft Office users. The GRU's involvement underscores the Russian state's ongoing efforts to collect sensitive intelligence through stealthy, low-tech methods that avoid direct malware deployment.

How did the hackers compromise routers without installing malware?
The attackers exploited known vulnerabilities in older routers, particularly MikroTik and TP-Link devices marketed to small offices and home offices. These routers were often end-of-life or far behind on security updates. Instead of installing malicious software, the hackers modified the routers' DNS settings via simple, publicly known exploits. By changing the DNS server addresses to ones they controlled, they hijacked the domain name resolution process. This allowed them to redirect traffic from legitimate websites to malicious spoofed sites. The technique is called DNS hijacking, and it required no additional code on the routers—only the existing flaws. All users on the compromised local network were then susceptible to having their OAuth tokens intercepted when logging into Microsoft Office services.
What is DNS hijacking and how did it enable token theft?
DNS (Domain Name System) translates human-friendly website names into IP addresses. In a DNS hijacking attack, attackers alter the DNS settings on a network device so that queries for legitimate domains—like login.microsoftonline.com—are answered with the IP addresses of malicious servers controlled by the hackers. Those servers then present a fake but convincing login page. When the user enters their credentials and passes authentication, a genuine OAuth token is generated in the exchange with Microsoft's real servers; because the attackers sit between the user and Microsoft, that token passes through their hands and they capture it. The token can then be used to assume the user's identity without needing the password. In this campaign, the token theft occurred silently after the user had already authenticated, making it particularly hard to detect.
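The observable side effect of the hijack described above is that a sign-in hostname resolves to an address that does not belong to the identity provider. The following detection logic is an added example, not code from the article or from Microsoft or Lumen: it reads a constructed resolver log in a simplified "client qname answer" format, flags monitored domains whose answers fall outside an expected address range, and then looks for one address soaking up several sign-in hostnames, which is what a spoofing server in the middle looks like. The expected ranges, client addresses and log lines are all constructed (RFC 5737 documentation prefixes stand in for real provider ranges); a deployment would substitute the provider's published address blocks.

```python
"""Flag DNS answers that point sign-in domains at unexpected addresses.

Added example (not from the original article). Assumes a constructed,
simplified resolver log: one "<client> <qname> <answer-ip>" record per line.
The allowlist below uses RFC 5737 documentation ranges as placeholders.
"""
import ipaddress
from collections import defaultdict

# Constructed: sensitive domains mapped to the ranges their answers should fall in.
EXPECTED_RANGES = {
    "login.microsoftonline.com": [ipaddress.ip_network("203.0.113.0/24")],
    "login.live.com": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed sample log. Client 10.0.0.23 sits behind a router whose DNS
# settings were changed, so its sign-in lookups land in an unrelated range.
SAMPLE_LOG = """\
10.0.0.11 login.microsoftonline.com 203.0.113.40
10.0.0.12 www.example.net 198.51.100.9
10.0.0.12 login.microsoftonline.com 203.0.113.41
10.0.0.23 login.microsoftonline.com 192.0.2.77
10.0.0.23 login.live.com 192.0.2.77
10.0.0.23 not-an-ip-line
"""


def parse_log(text):
    """Yield (client, qname, answer_ip) tuples, skipping malformed records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed record: wrong field count
        client, qname, answer = parts
        try:
            ip = ipaddress.ip_address(answer)
        except ValueError:
            continue  # answer field is not an address (e.g. NXDOMAIN placeholder)
        yield client, qname.lower().rstrip("."), ip


def find_hijacked_answers(text, expected=EXPECTED_RANGES):
    """Return {client: [(qname, answer), ...]} for monitored domains answered
    with an address outside every expected range."""
    findings = defaultdict(list)
    for client, qname, ip in parse_log(text):
        ranges = expected.get(qname)
        if ranges is None:
            continue  # not a monitored domain
        if not any(ip in net for net in ranges):
            findings[client].append((qname, str(ip)))
    return dict(findings)


def shared_sink_addresses(findings):
    """Addresses that answer for more than one monitored domain. A hijack
    typically funnels many sign-in hostnames to a single spoofing server."""
    domains_by_ip = defaultdict(set)
    for items in findings.values():
        for qname, ip in items:
            domains_by_ip[ip].add(qname)
    return {ip: sorted(names) for ip, names in domains_by_ip.items() if len(names) > 1}


if __name__ == "__main__":
    hits = find_hijacked_answers(SAMPLE_LOG)
    for client, items in sorted(hits.items()):
        for qname, ip in items:
            print(f"{client}: {qname} -> {ip} (outside expected ranges)")
    for ip, names in shared_sink_addresses(hits).items():
        print(f"{ip} answers for several sign-in domains: {', '.join(names)}")
```

Run against the sample, the script reports only the client behind the altered router and shows that both of its sign-in lookups collapse onto the same address. Alerting on the shared-sink pattern rather than on single out-of-range answers keeps the noise from legitimate CDN changes down.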
What types of devices and networks were targeted?
The hackers focused on older, unsupported routers from MikroTik and TP-Link that are commonly used in small offices and home offices. These devices are often neglected by users who do not apply security patches. At the campaign's peak in December 2025, over 18,000 routers were compromised. The networks behind these routers belonged to a wide range of entities, but the primary targets were government agencies, including ministries of foreign affairs and law enforcement. Private sector third-party email providers were also hit. In total, Microsoft identified more than 200 organizations and 5,000 consumer devices affected. The attackers didn't discriminate between high-value and low-value targets—they mass-harvested tokens from any user on the compromised networks.
How many organizations and users were affected?
According to Microsoft's blog post, the campaign impacted more than 200 organizations and 5,000 consumer devices. Additionally, Lumen's Black Lotus Labs reported that over 18,000 networks were ensnared in the surveillance dragnet. The actual number of users could be much higher, as each network may serve multiple people. The attackers targeted government departments, law enforcement, and email providers, but tokens were harvested indiscriminately from all users of those networks. The scope of the campaign demonstrates the effectiveness of using compromised routers as a mass surveillance platform, allowing the GRU to collect authentication tokens on a scale far beyond what traditional spear-phishing would achieve.

What is an OAuth token and why is it valuable to attackers?
An OAuth token is a digital credential that allows a user to access a service (like Microsoft Office 365) without repeatedly entering their password. It is issued after successful login and contains proof of authentication and authorization. Attackers who steal these tokens can use them to impersonate the user and access their emails, files, and other sensitive data—without ever needing the password. Even if the user changes their password later, the token often remains valid until it expires. This makes OAuth tokens a prime target. In this campaign, the hackers intercepted tokens as they flowed from users to Microsoft's authentication servers. Once in possession of a token, they could enter the user's account undetected, exfiltrate data, and maintain persistent access without raising alarms.
How can organizations protect against such router-based attacks?
To defend against DNS hijacking and similar router compromises, organizations should first ensure all network devices are up to date with the latest firmware. Replace end-of-life routers that no longer receive security patches. Use strong, unique passwords for router administration and disable remote management if not needed. Implement DNS Security Extensions (DNSSEC) so that DNS responses are validated; since this attack replaced the resolver addresses themselves, validation has to happen on a resolver the clients actually use. Monitor DNS traffic for unusual patterns, such as sign-in domains suddenly resolving to unfamiliar addresses. Additionally, enforce multi-factor authentication on all user accounts; while not foolproof, it can block token replay attacks under some conditions. Finally, consider using network segmentation to limit the blast radius if a router is compromised. The UK's National Cyber Security Centre has issued specific guidance on hardening routers against Russian cyber actors.
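Several of the steps above (sanctioned DNS servers only, remote management disabled) can be checked mechanically against a router's configuration export. The audit below is an added example, not code from the article, from MikroTik or from any vendor: it parses a constructed text in a RouterOS-export-like syntax ("/ip dns" followed by "set key=value" lines) and reports resolvers outside an approved set, a resolver that answers requests from anywhere, and management services enabled without a source-address restriction. The exact export syntax, the approved resolver addresses and the sample configuration are assumptions for the example; adapt the parser to the format your devices actually emit.

```python
"""Audit a router configuration export for the weaknesses this campaign used.

Added example (not from the article or from any vendor). Input is a constructed
text in a RouterOS-export-like syntax; treat the syntax as an assumption.
"""

# Constructed: resolvers the organisation operates or sanctions (RFC 5737 range).
APPROVED_DNS = {"203.0.113.53", "203.0.113.54"}

# Constructed sample export containing several weak settings.
SAMPLE_EXPORT = """\
/ip dns
set servers=192.0.2.77,203.0.113.53 allow-remote-requests=yes
/ip service
set telnet disabled=no
set www disabled=no
set winbox disabled=no address=10.0.0.0/24
set ssh disabled=yes
"""


def parse_export(text):
    """Return {section: [entry, ...]} where each entry is a dict of key=value
    pairs from one "set" line; a leading bare token becomes entry["name"]."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            current = line  # section header such as "/ip dns"
            sections.setdefault(current, [])
            continue
        if current is None or not line.startswith("set "):
            continue  # ignore anything that is not a "set" inside a section
        tokens = line[4:].split()
        entry = {}
        if tokens and "=" not in tokens[0]:
            entry["name"] = tokens[0]  # positional item name, e.g. "telnet"
            tokens = tokens[1:]
        for tok in tokens:
            key, _, value = tok.partition("=")
            entry[key] = value
        sections[current].append(entry)
    return sections


def audit(sections, approved_dns=APPROVED_DNS):
    """Return a list of human-readable findings for the parsed export."""
    findings = []
    for entry in sections.get("/ip dns", []):
        # Any upstream resolver not on the approved list is the hijack symptom.
        for server in filter(None, entry.get("servers", "").split(",")):
            if server not in approved_dns:
                findings.append(f"dns: unapproved resolver {server}")
        # Answering DNS for any source exposes the resolver beyond the LAN.
        if entry.get("allow-remote-requests") == "yes":
            findings.append("dns: router answers DNS for any address that can reach it")
    for entry in sections.get("/ip service", []):
        name = entry.get("name", "?")
        # Management service enabled without an address restriction is
        # reachable from anywhere the router is, including the WAN side.
        if entry.get("disabled", "no") == "no" and not entry.get("address"):
            findings.append(f"service: {name} enabled with no source-address restriction")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_export(SAMPLE_EXPORT)):
        print(finding)
```

The sample produces four findings: the unapproved resolver, the open resolver setting, and the telnet and www services that accept management connections from any address; winbox passes because it is restricted to the LAN and ssh because it is disabled. Running this against exports collected from every small-office router in the estate turns the hardening advice into a repeatable check.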
How does this attack relate to previous APT28 campaigns?
APT28, also known as Forest Blizzard, has a long history of espionage using both sophisticated and simple techniques. In 2016, they famously targeted the Democratic National Committee and other political organizations to influence the U.S. election, using spear-phishing and malware. This new campaign continues their focus on intelligence gathering but employs a different, low-tech method: compromising routers rather than endpoints. It shows the group's adaptability and willingness to exploit common infrastructure weaknesses. Unlike their earlier operations, this one required no custom malware on the target routers, making detection harder. The GRU's ability to scan for vulnerable devices at scale and redirect traffic on 18,000 networks demonstrates a well-resourced, persistent threat that constantly evolves its tactics to gain access to sensitive information.