
How Russian Hackers Exploited Obsolete Routers to Hijack Microsoft Office Authentication

Published: 2026-05-02 10:52:24 | Category: Cybersecurity

In a sophisticated spying campaign that has alarmed cybersecurity experts, hackers linked to Russia's military intelligence have been exploiting known vulnerabilities in outdated routers to silently harvest authentication tokens from Microsoft Office users. The operation, which affected more than 18,000 networks, did not require the deployment of any malicious software, making it exceptionally difficult to detect.

The Threat Actor: Forest Blizzard

This campaign is attributed to Forest Blizzard, a threat actor also known as APT28 and Fancy Bear. The group is tied to military intelligence units within Russia's General Staff Main Intelligence Directorate (GRU). Forest Blizzard gained notoriety for its involvement in the 2016 U.S. presidential election interference, where it compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee.

How Russian Hackers Exploited Obsolete Routers to Hijack Microsoft Office Authentication
Source: krebsonsecurity.com

The Method: DNS Hijacking via Router Vulnerabilities

Targeting Unsupported SOHO Routers

The hackers focused on older routers, specifically those from MikroTik and TP-Link marketed to the Small Office/Home Office (SOHO) market. Many of these devices were either end-of-life or significantly behind on security updates. According to a report from Black Lotus Labs, the security division of internet backbone provider Lumen, at the peak of its activity in December 2025, the surveillance dragnet ensnared over 18,000 routers.

Modifying DNS Settings Without Malware

Rather than installing malware on the routers, Forest Blizzard exploited known vulnerabilities to modify the Domain Name System (DNS) settings. They reconfigured the routers to use DNS servers controlled by the attackers. As the U.K.'s National Cyber Security Centre (NCSC) notes, DNS is the system that translates familiar web addresses into IP addresses. In a DNS hijacking attack, the bad actors intercept this process to covertly redirect users to malicious websites designed to steal login credentials or other sensitive information.

Intercepting OAuth Authentication Tokens

By controlling the DNS, the attackers could propagate their malicious settings to all users on the local network. Critically, this allowed them to intercept OAuth authentication tokens transmitted by users after a successful login. These tokens are typically exchanged without re-prompting for credentials, making them a prime target for stealthy access to Microsoft Office accounts. No additional malware was needed on the user's device.


Scale and Impact

Microsoft reported that the operation affected more than 200 organizations and 5,000 consumer devices. The primary targets included government agencies (especially ministries of foreign affairs), law enforcement bodies, and third-party email providers. Ryan English, a security engineer at Black Lotus Labs, emphasized that the GRU hackers did not need to install any code on the routers; they simply leveraged known flaws to alter DNS configurations.

Detection and Response

Microsoft disclosed the campaign in a blog post, noting the stealthy but remarkably simple nature of the spying network. Black Lotus Labs' report provided technical details on the DNS hijacking technique. Meanwhile, the NCSC issued an advisory detailing how Russian cyber actors have been compromising routers to carry out such attacks. The advisory encourages organizations to update firmware, disable remote management, and monitor for suspicious DNS changes.
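As an added example of the "monitor for suspicious DNS changes" recommendation above (this is illustrative code, not from the article, Microsoft, Black Lotus Labs or the NCSC), the script below performs the check from the host side: it parses the resolver configuration a client received from its router, compares each resolver against an allow-list, and reports any change from a previously recorded snapshot. The allow-list, the resolv.conf text and the earlier snapshot are all constructed for the example; a hijacked router that hands out attacker-controlled resolvers over DHCP would show up as resolvers outside the allow-list.

```python
"""Host-side audit of DNS resolver settings (added example, not from the article).

Flags resolvers that are not on an allow-list and reports changes between
snapshots. All inputs below are constructed sample data.
"""
import ipaddress

# Assumed allow-list (constructed). Entries may be single addresses or CIDR ranges.
TRUSTED_RESOLVERS = [
    "192.168.1.1",            # the SOHO router itself, forwarding to the ISP
    "1.1.1.1", "1.0.0.1",     # public resolvers the site has chosen
    "2606:4700:4700::1111",
]

# Constructed resolv.conf, as a client might receive it via DHCP from a
# router whose DNS settings were changed to point at outside servers.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd from eth0
nameserver 192.168.1.1
nameserver 203.0.113.77
nameserver 2001:db8::53
search corp.example
"""

# Constructed snapshot of the resolvers seen on the previous run.
PREVIOUS_SNAPSHOT = ["192.168.1.1", "1.1.1.1"]


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # malformed address; not a usable resolver
    return servers


def find_untrusted(servers, trusted=TRUSTED_RESOLVERS):
    """Return resolvers that fall outside every allow-listed address/range."""
    trusted_nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    untrusted = []
    for s in servers:
        addr = ipaddress.ip_address(s)
        # 'in' is False across IP versions, so v4/v6 entries never match by accident.
        if not any(addr in net for net in trusted_nets):
            untrusted.append(s)
    return untrusted


def diff_snapshot(previous, current):
    """Return (added, removed) resolvers relative to the previous snapshot."""
    return sorted(set(current) - set(previous)), sorted(set(previous) - set(current))


def audit(resolv_conf_text, previous_snapshot=None, trusted=TRUSTED_RESOLVERS):
    """Run both checks and return a structured result for logging or alerting."""
    servers = parse_nameservers(resolv_conf_text)
    findings = [f"resolver {s} is not on the allow-list" for s in find_untrusted(servers, trusted)]
    if previous_snapshot is not None:
        added, removed = diff_snapshot(previous_snapshot, servers)
        if added:
            findings.append("resolvers added since last snapshot: " + ", ".join(added))
        if removed:
            findings.append("resolvers removed since last snapshot: " + ", ".join(removed))
    return {"resolvers": servers, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    result = audit(SAMPLE_RESOLV_CONF, PREVIOUS_SNAPSHOT)
    for line in result["findings"]:
        print("ALERT:", line)
```

Run on a schedule, the script gives a simple host-level signal that the router's DNS configuration has changed, which complements checking the router's own DNS and DHCP settings directly; an unexpected resolver appearing on many hosts at once is the pattern described in the reports above.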

Conclusion: A Wake-Up Call for Router Security

This campaign underscores the importance of keeping network hardware up to date, especially for SOHO routers that often lack automatic security patches. The attack's simplicity—requiring no malware—highlights how fundamental internet infrastructure can be turned into a surveillance tool. As Forest Blizzard continues to evolve, defenders must prioritize router hygiene and proactive monitoring to prevent similar hijacking operations.