In a sophisticated cyberespionage campaign, hackers linked to Russia's military intelligence unit (GRU) have been exploiting vulnerabilities in outdated internet routers to harvest authentication tokens from Microsoft Office users. This attack, attributed to the threat actor known as Forest Blizzard (also APT28 or Fancy Bear), has affected thousands of networks without deploying malware on the routers themselves. Below are key questions and answers about this campaign.
- Who is behind this attack and what is their goal?
- How did the hackers compromise routers without installing malware?
- What types of routers were targeted and why?
- How many organizations and devices were affected?
- What is DNS hijacking and how was it used here?
- What is an OAuth token and why is it valuable to attackers?
- Which organizations were primarily targeted?
Who is behind this attack and what is their goal?
The attack is attributed to Forest Blizzard, a threat actor also known as APT28 or Fancy Bear. The group is linked to Russia's General Staff Main Intelligence Directorate (GRU). Its goal is cyberespionage: quietly collecting authentication tokens from Microsoft Office users on the networks behind compromised routers. With those tokens it can gain persistent access to sensitive data, including emails and documents, while producing none of the indicators that malware on an endpoint would. The group previously gained notoriety for interfering in the 2016 U.S. presidential election by hacking the Hillary Clinton campaign and the Democratic National Committee. In this campaign it targeted government agencies, law enforcement, and third-party email providers, using a low-tech but effective method that leaves no malware on the routers.

How did the hackers compromise routers without installing malware?
The hackers exploited known vulnerabilities in older, unpatched routers. Instead of deploying malicious software on the devices, they changed one configuration value: the DNS (Domain Name System) resolvers the router forwards its clients' lookups to. Pointing those at servers under their control let them decide which IP address a victim's device reached for any hostname, so connections to chosen services could be steered to attacker-controlled hosts. This technique is known as DNS hijacking. Once a router was compromised, every device on that local network that relied on the router for name resolution was affected. No malware was needed: the existing weakness was used only to rewrite a setting. That made the attack harder to detect, because no new file or process appeared on the device; the only artefact is the altered resolver address, which is why comparing a router's DNS settings against an allowlist is the practical check.
What types of routers were targeted and why?
The attackers primarily targeted older MikroTik and TP-Link devices marketed to the Small Office/Home Office (SOHO) market. According to Black Lotus Labs, most of these routers were end-of-life or significantly behind on security updates. Such devices are common in government annexes, small businesses, and remote offices, and they are often neglected by IT teams, which makes them easy prey. The hackers specifically looked for routers with known vulnerabilities that allowed remote configuration changes. By focusing on these outdated models, the threat actors maximized the number of devices they could compromise with minimal effort.
How many organizations and devices were affected?
Microsoft reported that more than 200 organizations and approximately 5,000 consumer devices were caught up in the spying network. At its peak in December 2025, Forest Blizzard's surveillance dragnet ensnared over 18,000 internet routers. These numbers highlight the scale of the operation, which targeted networks globally. The affected organizations included government ministries, law enforcement agencies, and third-party email providers, among others. Researchers from Black Lotus Labs noted that the attack was remarkably simple yet widespread, leveraging the sheer volume of compromised routers to harvest OAuth tokens from the users behind them.

What is DNS hijacking and how was it used here?
DNS hijacking is an attack in which malicious actors interfere with Domain Name System (DNS) resolution. Normally, when a user types a web address, a DNS server translates it into the correct IP address. In this campaign, the hackers changed the router's DNS settings to point at attacker-controlled DNS servers. Those rogue servers answered lookups for Microsoft sign-in hostnames with the addresses of fraudulent sites designed to look like legitimate Microsoft Office login pages. When users signed in on those pages, the attackers captured the credentials and the OAuth tokens that the sign-in flow issued. Because the redirection happened at the router level, every device on the network was exposed, and the address bar showed the expected hostname. The UK's National Cyber Security Centre (NCSC) warned that this technique is increasingly used by Russian cyber actors.
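The following Python script is an added example, not code from the original article or from Microsoft, Lumen or the NCSC. It shows the two checks a defender would run for the router-level hijack described in this answer and in the earlier one on compromising routers without malware: first, whether the resolvers the router is configured with are on the organization's allowlist; second, whether the router's resolver returns different addresses for Microsoft sign-in hostnames than a trusted out-of-band resolver does. The config format, the allowlist, and every IP address and DNS answer below are constructed for the example.

```python
"""Detect router-level DNS hijacking from two angles:
1. the resolvers the router is configured with, compared with an allowlist;
2. answers for sensitive hostnames from the router's resolver versus a
   trusted resolver reached out of band.
All inputs are constructed samples; nothing here touches the network.
"""
from __future__ import annotations
import ipaddress

# Assumed allowlist of the organization's own resolvers (hypothetical addresses).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Hostnames an attacker would most want to redirect to a fake login page.
SENSITIVE_HOSTS = ["login.microsoftonline.com", "login.live.com", "outlook.office.com"]


def parse_router_dns(config_text: str) -> list[str]:
    """Pull resolver IPs out of a key=value style config dump.
    The format is a constructed approximation, not any vendor's exact output."""
    servers = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith("dns-servers="):
            continue
        for ip in line.split("=", 1)[1].split(","):
            ip = ip.strip()
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                continue  # skip junk rather than crash on a malformed dump
            servers.append(ip)
    return servers


def unapproved_resolvers(servers: list[str]) -> list[str]:
    """Resolvers not on the allowlist. An unexpected public address on a
    router that should only forward to internal resolvers is the tell."""
    return [s for s in servers if s not in APPROVED_RESOLVERS]


def hijacked_answers(router_answers: dict[str, list[str]],
                     trusted_answers: dict[str, list[str]]) -> list[tuple[str, set[str], set[str]]]:
    """Flag sensitive names whose router-resolved addresses share nothing with
    the trusted resolver's answer. Geo-aware CDNs can legitimately return
    different addresses, so a mismatch is a lead to corroborate with the
    resolver allowlist check, not proof on its own."""
    findings = []
    for host in SENSITIVE_HOSTS:
        r = set(router_answers.get(host, []))
        t = set(trusted_answers.get(host, []))
        if r and t and not (r & t):
            findings.append((host, r, t))
    return findings


# Constructed sample data: one approved resolver plus one rogue public one.
SAMPLE_CONFIG = """\
interface=bridge
dhcp-server=enabled
dns-servers=10.0.0.53,203.0.113.7
"""

ROUTER_ANSWERS = {
    "login.microsoftonline.com": ["203.0.113.45"],
    "login.live.com": ["203.0.113.45"],
    "outlook.office.com": ["198.51.100.20"],
}
TRUSTED_ANSWERS = {
    "login.microsoftonline.com": ["198.51.100.10", "198.51.100.11"],
    "login.live.com": ["198.51.100.12"],
    "outlook.office.com": ["198.51.100.20"],
}

if __name__ == "__main__":
    servers = parse_router_dns(SAMPLE_CONFIG)
    print("router resolvers:", servers)
    print("unapproved:", unapproved_resolvers(servers))
    for host, r, t in hijacked_answers(ROUTER_ANSWERS, TRUSTED_ANSWERS):
        print(f"MISMATCH {host}: router={sorted(r)} trusted={sorted(t)}")
```

In practice the second check is run by querying the same names through the router and through a resolver the router cannot influence (for example over a VPN or a DNS-over-HTTPS client); the script compares the two answer sets once they have been collected.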
What is an OAuth token and why is it valuable to attackers?
OAuth tokens are digital credentials that let an application access a user's data without asking for the password each time. For example, when you sign in to a third-party app with your Microsoft account, the app receives an OAuth token rather than your password. Tokens are issued only after the sign-in has succeeded, including any multi-factor authentication step, so an attacker holding a stolen token never has to pass MFA: the token already represents a completed login. With it, the hackers could impersonate users and read emails, download files, and access cloud services, and the resulting traffic looks like the user's own application activity rather than an intrusion. Access tokens are short-lived, but the refresh token issued alongside them can mint new access tokens until it expires or is revoked, which is what gives persistent access. This made the tokens a prime target for Forest Blizzard's espionage campaign, and it is why revoking a victim's sessions, not just resetting the password, is part of recovery.
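To make the token discussion concrete, here is an added Python example (not code from the original article or from Microsoft). It decodes a JWT-style access token's claims without verifying the signature, which is what an analyst does during triage to see who the token belongs to, what it is for and how long it lives, and then applies the simplest detection for a stolen token: the token being presented from an IP address other than the one it was issued to and outside the organization's known networks. The token, the sign-in records, and the trusted network range are all constructed; real sign-in logs carry far more fields and real Microsoft tokens are signed.

```python
"""Inspect an OAuth access token's claims and flag token use from an
unexpected network. The token, the sign-in records and the trusted network
below are constructed for this example; nothing here touches a real tenant."""
import base64
import ipaddress
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_jwt(claims: dict) -> str:
    """Build an unsigned JWT purely to have a realistic-looking sample.
    Real Microsoft tokens are signed (RS256); the empty signature here is
    one reason jwt_claims() must never be used for authorization decisions."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def jwt_claims(token: str) -> dict:
    """Decode the payload without verifying the signature: useful for triage
    (which user, which audience, how long it lives), not for trusting it."""
    _header, payload, _signature = token.split(".")
    return json.loads(_unb64url(payload))


def token_lifetime_seconds(token: str) -> int:
    """Access tokens expire quickly; the refresh token behind them is what
    gives persistent access, so a short lifetime alone is not reassurance."""
    c = jwt_claims(token)
    return int(c["exp"]) - int(c["iat"])


# Constructed, simplified sign-in events: per session, one issuance then uses.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed office range
EVENTS = [
    {"t": "08:00", "user": "alice@example.gov", "kind": "issued", "ip": "192.0.2.10", "session": "s1"},
    {"t": "08:05", "user": "alice@example.gov", "kind": "used", "ip": "192.0.2.10", "session": "s1"},
    {"t": "08:09", "user": "alice@example.gov", "kind": "used", "ip": "203.0.113.99", "session": "s1"},
    {"t": "09:00", "user": "bob@example.gov", "kind": "issued", "ip": "192.0.2.22", "session": "s2"},
    {"t": "09:30", "user": "bob@example.gov", "kind": "used", "ip": "192.0.2.40", "session": "s2"},
]


def token_replay_suspects(events, trusted_nets=TRUSTED_NETS):
    """A token presented from an IP that differs from the issuing IP and lies
    outside the trusted networks is a replay candidate. Geolocation or ASN
    changes would refine this; the IP-only rule is deliberately simple."""
    issued = {}
    suspects = []
    for e in events:
        if e["kind"] == "issued":
            issued[e["session"]] = e["ip"]
        elif e["kind"] == "used" and e["session"] in issued:
            ip = ipaddress.ip_address(e["ip"])
            trusted = any(ip in net for net in trusted_nets)
            if e["ip"] != issued[e["session"]] and not trusted:
                suspects.append((e["session"], e["user"], issued[e["session"]], e["ip"], e["t"]))
    return suspects


SAMPLE_TOKEN = make_sample_jwt({
    "aud": "https://graph.microsoft.com",
    "upn": "alice@example.gov",
    "iat": 1764576000,          # constructed timestamp
    "exp": 1764576000 + 3600,   # one-hour access token
})

if __name__ == "__main__":
    print(jwt_claims(SAMPLE_TOKEN))
    print("lifetime (s):", token_lifetime_seconds(SAMPLE_TOKEN))
    for s in token_replay_suspects(EVENTS):
        print("possible replay:", s)
```

Bob's second event is not flagged because 192.0.2.40 is inside the trusted range; Alice's use from 203.0.113.99 is. A production rule would also key on the refresh-token family rather than a single session and would weigh impossible-travel distance, but the structure is the same.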
Which organizations were primarily targeted?
According to Lumen's Black Lotus Labs, Forest Blizzard focused on government agencies—including ministries of foreign affairs—law enforcement bodies, and third-party email providers. The attackers likely aimed to collect diplomatic communications, law enforcement data, and access to mail systems that could serve as jumping-off points for further espionage. The choice of targets aligns with the GRU's known interest in political and strategic intelligence. By compromising routers used by these organizations, the hackers could monitor internal traffic and harvest tokens from employees logging into Office 365 and other Microsoft services.