10 Critical Insights into Russia's Router Hijacking Campaign to Steal Microsoft Office Tokens

In a sophisticated cyber espionage operation, hackers affiliated with Russia's GRU military intelligence have been exploiting vulnerabilities in outdated routers to silently harvest Microsoft Office authentication tokens. This campaign, uncovered by Lumen's Black Lotus Labs and Microsoft, targeted over 200 organizations and 5,000 consumer devices globally. Unlike typical malware-laden attacks, this one required no malicious code—just clever manipulation of router settings. Here are the ten key facts you need to understand about this stealthy threat.

1. The Attackers: Russia's Forest Blizzard Group

The cyber operation is attributed to Forest Blizzard, a threat actor also known as APT28 or Fancy Bear, which operates under Russia's General Staff Main Intelligence Directorate (GRU). This group gained notoriety for interfering in the 2016 U.S. presidential election by hacking the Democratic National Committee and Hillary Clinton's campaign. In this campaign, they demonstrated continued capability to conduct large-scale espionage without deploying traditional malware.

Image source: krebsonsecurity.com

2. No Malware Needed – Router Exploitation Instead

Forest Blizzard exploited known vulnerabilities in older, unsupported routers—primarily MikroTik and TP-Link devices marketed to small offices and home users. By exploiting these flaws, the hackers altered the routers' Domain Name System (DNS) settings without installing any malicious software. This allowed them to build a wide-reaching surveillance network that affected over 18,000 routers at its peak in December 2025.

3. DNS Hijacking: The Core Technique

DNS (Domain Name System) translates human-readable website names into IP addresses. In a DNS hijacking attack, the hackers redirected users trying to access legitimate sites to malicious servers controlled by them. As explained by the UK's National Cyber Security Centre (NCSC), this subtle interference enables attackers to intercept login credentials, cookies, and authentication tokens—all without the user or network administrator noticing anything amiss.

4. OAuth Tokens: The Prime Target

Microsoft Office users authenticate via OAuth tokens, which act as digital keys proving a user has already logged in. Issued after successful authentication, these tokens are valuable because they grant persistent access to email, documents, and cloud services. By intercepting them, Forest Blizzard could silently access corporate and government accounts without triggering password or multi-factor authentication prompts.

5. Scale: 18,000 Routers, 200 Organizations Affected

The campaign's reach was staggering. Lumen's Black Lotus Labs identified that at the height of activity, over 18,000 routers were compromised, spanning more than 200 organizations and 5,000 consumer devices. The hackers maintained a low profile by using virtual private servers to act as malicious DNS resolvers, ensuring their surveillance network remained operational for months without detection.

6. Primary Targets: Government and Law Enforcement

According to Lumen's report, the hackers focused on high-value targets: ministries of foreign affairs, law enforcement agencies, and third-party email providers. These entities handle sensitive diplomatic communications, law enforcement operations, and critical data. The attack likely aimed to gather intelligence on foreign policy and security matters, aligning with GRU's strategic espionage objectives.


7. How the Hackers Controlled the Routers Remotely

After exploiting router vulnerabilities, the attackers modified the devices' DNS configuration to point to their own servers. All users on the local network—whether employees, visitors, or IoT devices—were then directed through these malicious DNS servers. The attackers could easily propagate changes to every connected device, creating a broad net for harvesting tokens.

8. Why Older Routers Were Vulnerable

The targeted routers were either end-of-life models or far behind on security patches. MikroTik and TP-Link devices in the SOHO market often lack automatic updates and are neglected by their owners. The GRU hackers took advantage of these weaknesses, showing how legacy infrastructure can become a weak link in organizational security. Regular firmware updates and replacing outdated routers are critical defenses.

9. The Role of Security Researchers and Microsoft

Microsoft disclosed the campaign through a blog post, while Lumen's Black Lotus Labs detailed the technical analysis. The UK's NCSC also issued a joint advisory explaining the DNS hijacking method and offering mitigation steps. Their collaboration highlights the importance of public-private partnerships in exposing advanced persistent threats (APTs) and helping organizations defend themselves.

10. Protecting Against Similar Attacks

To defend against DNS hijacking, organizations should keep router firmware updated, disable remote administration if it is not needed, use encrypted DNS (such as DNS-over-HTTPS), and monitor router DNS settings for unauthorized changes. Additionally, implementing token-binding techniques (such as Proof-of-Possession tokens) can prevent intercepted tokens from being reused. User awareness and regular security audits remain essential in countering state-sponsored cyber threats.
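The "monitor for unauthorized DNS changes" step above can be automated as a drift check: export the router's DNS settings and compare every configured resolver against an allowlist. The following is an added example, not code from Lumen, Microsoft or the article; the allowlist networks, the router export format and the sample configurations are all constructed for illustration. It also shows why the check must run against the router's upstream servers: a LAN client's own resolver configuration still points at the (compromised) router and looks clean.

```python
"""Flag DNS resolvers that fall outside an approved set (added example)."""
import ipaddress
import re
from typing import Iterable, List

# Constructed allowlist: the router's own LAN range (what clients are handed by
# DHCP), internal corporate resolvers, and one sanctioned public resolver.
APPROVED_NETWORKS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.20.0.0/24"),     # constructed internal resolvers
    ipaddress.ip_network("9.9.9.9/32"),       # sanctioned public resolver (constructed choice)
]

# Matches "nameserver 1.2.3.4" (resolv.conf) and "servers: 1.2.3.4,5.6.7.8" style
# key/value lines such as a router settings export might contain (assumed format).
_LINE_RE = re.compile(r"^\s*(?:nameserver\s+|[\w-]*servers?\s*:\s*)(?P<addrs>[^#]+)", re.I)

def extract_resolvers(config_text: str) -> List[ipaddress._BaseAddress]:
    """Return every literal resolver address found in the text, in order."""
    found = []
    for line in config_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        for token in re.split(r"[,\s]+", m.group("addrs").strip()):
            try:
                found.append(ipaddress.ip_address(token))
            except ValueError:
                continue  # hostnames or junk tokens are not resolver literals
    return found

def unapproved_resolvers(config_text: str, approved: Iterable = APPROVED_NETWORKS) -> List[str]:
    """Return resolver addresses (as strings) not covered by any approved network."""
    nets = list(approved)
    return [str(ip) for ip in extract_resolvers(config_text)
            if not any(ip.version == net.version and ip in net for net in nets)]

# Constructed snapshot of a SOHO router's DNS settings after an upstream change.
# 203.0.113.0/24 and 2001:db8::/32 are documentation ranges used as stand-ins.
SAMPLE_ROUTER_EXPORT = """\
servers: 9.9.9.9,203.0.113.54,2001:db8::53
dynamic-servers:
allow-remote-requests: yes
"""

# Constructed /etc/resolv.conf from a LAN client behind that router.
SAMPLE_RESOLV_CONF = """\
search corp.example
nameserver 192.168.88.1
options edns0
"""

if __name__ == "__main__":
    print("router upstream drift:", unapproved_resolvers(SAMPLE_ROUTER_EXPORT))
    print("client-side view:", unapproved_resolvers(SAMPLE_RESOLV_CONF))
```

The router export flags two unapproved upstream resolvers while the client's configuration reports nothing, so the check only catches a hijack when it is fed the router's configuration, not the endpoints'.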

This campaign underscores the evolving tactics of nation-state hackers, who increasingly rely on simple but effective methods like router exploitation to bypass traditional defenses. By understanding how Forest Blizzard operated—and taking proactive steps to secure network infrastructure—organizations can reduce their risk of falling victim to token theft and unauthorized access.
