
How Russian Hackers Exploited Old Routers to Steal Microsoft Office Credentials

Introduction

In a sophisticated espionage campaign, hackers linked to Russia's military intelligence have been exploiting known vulnerabilities in outdated Internet routers to harvest authentication tokens from Microsoft Office users. This stealthy operation, which reached its peak in December 2025, affected over 200 organizations and 5,000 consumer devices across more than 18,000 networks. Researchers warn that the attackers managed to siphon credentials without deploying any malicious software, making the attack remarkably difficult to detect.

How Russian Hackers Exploited Old Routers to Steal Microsoft Office Credentials
Source: krebsonsecurity.com

The Attack Mechanism: DNS Hijacking via Router Compromise

Security experts from Black Lotus Labs, the research division of Lumen Technologies, uncovered that the threat actor known as "Forest Blizzard" (also tracked as APT28 and Fancy Bear) targeted mostly end-of-life routers—particularly older models from MikroTik and TP-Link marketed to small offices and home users. By leveraging known security flaws, the hackers altered the Domain Name System (DNS) settings on these devices without installing any malware on the routers themselves.

How DNS Hijacking Works

DNS is the system that translates user-friendly website names (like example.com) into IP addresses that computers use to communicate. In this hijacking attack, Forest Blizzard reconfigured the routers to hand out DNS servers under the group's own control. Once a user tried to reach a legitimate website, those malicious DNS servers could answer with addresses of fake pages designed to steal login information or, more critically, intercept OAuth authentication tokens.

Stealing OAuth Tokens Without Detection

OAuth tokens are used by Microsoft Office and many other services to grant access after a user logs in. Because these tokens are transmitted after successful authentication, intercepting them allows attackers to hijack sessions without needing passwords. The DNS hijacking meant that all users on a compromised local network would have their OAuth tokens silently redirected to the hackers' servers. This method required no code execution on the victim's device, making it a clean and stealthy espionage tool.

Targets and Attribution

According to Microsoft, Forest Blizzard focused primarily on government agencies, including ministries of foreign affairs, law enforcement bodies, and third-party email providers. The group is attributed to Unit 26165 of Russia's Main Intelligence Directorate (GRU)—the same military intelligence unit responsible for the 2016 Democratic National Committee hack and other high-profile cyber operations. The UK's National Cyber Security Centre (NCSC) issued a joint advisory detailing these router compromises, emphasizing the global threat posed by Russian state-backed hackers.

Router Selection: Unsupported and Unpatched Devices

The hackers specifically targeted routers that were either unsupported (end-of-life) or far behind on security updates. By focusing on these devices, they exploited the lack of manufacturer support and the difficulty users face in keeping firmware current. Black Lotus Labs noted that the attack required only publicly known vulnerabilities, meaning organizations could have protected themselves with timely patches. Yet, many smaller offices and consumer homes remained vulnerable.


Scale and Impact

At its peak in December 2025, the surveillance network ensnared more than 18,000 routers. The campaign affected over 200 organizations, including those in government and law enforcement, as well as 5,000 consumer devices. The attackers did not need to deploy malware on the routers; they simply modified DNS settings to include their own malicious servers. Once a router was compromised, all local network traffic could be intercepted, allowing mass token theft.

How to Protect Against Router-Based DNS Hijacking

To defend against such attacks, users and organizations should:

  • Regularly check for and apply firmware updates for all network devices, especially routers.
  • Replace outdated or end-of-life routers with newer models that receive security patches.
  • Change default router passwords and disable remote administration features.
  • Monitor DNS settings for unauthorized changes and use DNSSEC where possible.
  • Implement network segmentation and enforce strong authentication for administrative access.
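
The following script is an added example, not code from the article or from any of the vendors it cites. It turns the "monitor DNS settings for unauthorized changes" item above, and the redirect mechanism described under "How DNS Hijacking Works", into two concrete defender-side checks: compare the resolvers a router hands out against an allowlist, and compare the answer the local resolver gives for a name with the answer from an out-of-band trusted resolver. The allowlist, the resolv.conf text, the hostnames and every IP address (all from documentation ranges) are constructed for the example; the out-of-band comparison is this example's own suggestion, not something the article describes.

```python
"""Defender-side checks for router DNS hijacking (added example, not from the article).

Check 1 reads the resolvers a host actually received (resolv.conf-style text,
typically pushed by the router over DHCP) and compares them with an allowlist.
Check 2 compares the answer a local resolver gave for a hostname with the
answer from an out-of-band trusted resolver; a disjoint answer set points to
a redirect of the kind the article describes. All inputs here are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical allowlist: resolvers the organisation runs or trusts.
TRUSTED_RESOLVERS = frozenset({"10.0.0.53", "10.0.1.53"})

# Constructed resolv.conf as a host would receive it from a tampered router:
# the first entry is legitimate, the second (TEST-NET-2 range) is not.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
search corp.example
nameserver 10.0.0.53
nameserver 198.51.100.7   # unexpected entry
nameserver not-an-address
"""

# Constructed answers: what the local resolver returned versus what a trusted
# out-of-band resolver returned for the same name (TEST-NET addresses).
SAMPLE_ANSWERS = {
    "example.com": (["198.51.100.20"], ["203.0.113.10", "203.0.113.11"]),
    "intranet.corp.example": (["10.0.5.8"], ["10.0.5.8"]),
}


@dataclass(frozen=True)
class Finding:
    check: str
    detail: str


def parse_resolv_conf(text: str) -> list[str]:
    """Extract nameserver addresses, ignoring comments and malformed lines."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # skip garbage rather than abort the audit
    return servers


def check_resolvers(configured, trusted=TRUSTED_RESOLVERS) -> list[Finding]:
    """Flag every configured resolver that is outside the allowlist."""
    return [Finding("resolver-config", f"resolver {s} is not in the trusted set")
            for s in configured if s not in trusted]


def compare_answers(name, local_answers, trusted_answers) -> list[Finding]:
    """Flag a name whose local answers share nothing with the trusted answers.

    Disjointness rather than equality is used because load-balanced names
    legitimately return different addresses on different lookups.
    """
    local, trusted = set(local_answers), set(trusted_answers)
    if local and trusted and local.isdisjoint(trusted):
        return [Finding("answer-mismatch",
                        f"{name}: local {sorted(local)} vs trusted {sorted(trusted)}")]
    return []


def audit(resolv_text: str, answers: dict) -> list[Finding]:
    """Run both checks and return all findings (empty list means nothing odd)."""
    findings = check_resolvers(parse_resolv_conf(resolv_text))
    for name, (local, trusted) in answers.items():
        findings.extend(compare_answers(name, local, trusted))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RESOLV_CONF, SAMPLE_ANSWERS):
        print(f"[{f.check}] {f.detail}")
```

Run periodically from a host on each LAN segment and feed the findings into whatever alerting you already have: a resolver outside the allowlist, or a name whose local answer shares nothing with the trusted answer, is exactly the symptom a router with rewritten DNS settings produces, and it shows up even though nothing on the router or the host has changed on disk.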

Conclusion

The Forest Blizzard campaign highlights a growing trend where state-backed attackers exploit neglected network infrastructure rather than traditional malware. By hijacking DNS on old routers, they can silently steal authentication tokens from thousands of users. This incident underscores the importance of securing every device on a network, especially the humble router that often remains unpatched and forgotten. Organizations and individuals alike must treat router security as a critical component of their overall cyber defense strategy.

For more details, refer to the original advisories from Microsoft, Black Lotus Labs, and the NCSC.
