Russian Military Intelligence Exploits Vulnerable Routers for Widespread Microsoft Office Token Harvesting

Hackers linked to Russia’s military intelligence units have been systematically exploiting well-known vulnerabilities in older Internet routers to harvest authentication tokens from Microsoft Office users at scale, security experts have revealed. This spying campaign, which deployed no malware or custom code at all, has enabled state-backed Russian actors to quietly siphon authentication tokens from users across more than 18,000 distinct networks.

Microsoft, in a detailed blog post released today, confirmed that it had identified over 200 organizations and an additional 5,000 consumer devices caught in this stealthy yet remarkably simple spying network. This operation has been attributed to a Russia-backed threat actor known by the moniker "Forest Blizzard." The group is also recognized by cybersecurity researchers and intelligence agencies under other designations, including APT28 and Fancy Bear, and is widely believed to be affiliated with military intelligence units within Russia’s General Staff Main Intelligence Directorate (GRU). APT28 gained notoriety for its involvement in compromising the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016, an operation aimed at interfering with the U.S. presidential election.

The extent of Forest Blizzard’s reach was detailed in a new report from Black Lotus Labs, the security division of the global Internet backbone provider Lumen. Researchers at Black Lotus Labs observed that during the peak of its activity in December 2025, Forest Blizzard’s surveillance dragnet had ensnared more than 18,000 Internet routers. A significant portion of these compromised devices were identified as either unsupported, end-of-life routers, or devices that had not received crucial security updates for an extended period. The Lumen report further indicates that the hackers primarily targeted government agencies, including ministries of foreign affairs, law enforcement entities, and third-party email providers, highlighting the strategic nature of their objectives.

The Ingenious Mechanism: DNS Hijacking Without Malware

Ryan English, a security engineer at Black Lotus Labs, elaborated on the methodology employed by the GRU hackers. He emphasized that the attackers did not need to install any malware on the targeted routers. Instead, they leveraged existing, known vulnerabilities in the router firmware, particularly in MikroTik and TP-Link models commonly marketed to the Small Office/Home Office (SOHO) segment.

The core of the attack involved modifying the Domain Name System (DNS) settings of these vulnerable routers. By exploiting these flaws, Forest Blizzard was able to redirect DNS requests to servers that they themselves controlled. DNS is the fundamental internet infrastructure that translates human-readable website addresses, like "microsoft.com," into the numerical IP addresses that computers use to locate servers.

A Stealthy Approach to Intercepting Credentials

According to an advisory issued by the U.K.’s National Cyber Security Centre (NCSC), which also details how Russian cyber actors have been compromising routers, DNS hijacking is a potent technique. In such an attack, malicious actors interfere with the normal DNS resolution process. This redirection can covertly send users to fake, malicious websites that are designed to mimic legitimate ones, with the sole purpose of stealing login details or other sensitive personal and corporate information.

English explained that the routers compromised by Forest Blizzard were reconfigured to use DNS servers pointing to a small cluster of virtual private servers operated by the attackers. This seemingly minor alteration had a profound impact: the attackers could then propagate these malicious DNS settings to all devices connected to the compromised local network. From this vantage point, Forest Blizzard could intercept any OAuth authentication tokens transmitted by users within that network.

A critical aspect of this attack is its timing and the type of information it targets. Authentication tokens, particularly OAuth tokens, are typically generated and transmitted after a user has successfully logged into an application and, in many cases, after they have completed multi-factor authentication (MFA). This means that by intercepting these tokens, the attackers could potentially gain direct access to victim accounts without ever needing to phish for individual user credentials or one-time passcodes. This bypasses many of the standard security layers designed to protect accounts.
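The two signals a defender can check for the pattern described above are the resolver a device is actually using (did the router start handing out a resolver nobody in the organization recognizes?) and whether that resolver's answers for sensitive hostnames diverge from answers obtained over an independent, trusted path. The following is an added example, not code from the article or from Black Lotus Labs; all addresses, the policy networks and the hostnames' answers are constructed TEST-NET samples, and the /24 comparison is a heuristic of my own.

```python
"""Offline checks for router-level DNS hijacking: unexpected resolvers and divergent answers."""
import ipaddress
import re

# Constructed samples of what a host audit would collect: /etc/resolv.conf and a
# dhclient lease carrying the router's DHCP option 6 (domain-name-servers).
RESOLV_CONF = """\
search corp.example
nameserver 192.168.1.1
nameserver 203.0.113.53
"""
DHCP_LEASE = "option domain-name-servers 192.168.1.1, 203.0.113.53;"
# Hypothetical policy: the LAN gateway plus the organization's own resolver range.
EXPECTED_RESOLVERS = [ipaddress.ip_network("192.168.1.1/32"),
                      ipaddress.ip_network("198.51.100.0/24")]
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_resolvers(resolv_conf, dhcp_lease):
    """Collect resolver IPs from 'nameserver' lines and the lease's option 6 list."""
    found = set()
    for line in resolv_conf.splitlines():
        if line.strip().startswith("nameserver"):
            found.update(_IP_RE.findall(line))
    m = re.search(r"option domain-name-servers ([^;]+);", dhcp_lease)
    if m:
        found.update(_IP_RE.findall(m.group(1)))
    return {ipaddress.ip_address(ip) for ip in found}


def unexpected_resolvers(resolvers, expected_networks):
    """Resolvers outside every expected network: the first hijack signal."""
    return {r for r in resolvers if not any(r in net for net in expected_networks)}


def divergent_answers(configured, trusted):
    """Hostnames whose configured-resolver answers share no /24 with trusted answers.

    Matching on /24 rather than exact addresses tolerates ordinary CDN round-robin
    while still catching a redirect to an unrelated server (heuristic, not proof).
    """
    def blocks(addrs):
        return {ipaddress.ip_network(f"{a}/24", strict=False) for a in addrs}
    return {host: sorted(configured[host]) for host in configured
            if host in trusted and not (blocks(configured[host]) & blocks(trusted[host]))}


if __name__ == "__main__":
    bad = unexpected_resolvers(parse_resolvers(RESOLV_CONF, DHCP_LEASE), EXPECTED_RESOLVERS)
    print("unexpected resolvers:", sorted(map(str, bad)))
    # Constructed answers from the configured resolver vs. a trusted out-of-band resolver.
    configured = {"outlook.office.com": {"203.0.113.10"}, "example.org": {"192.0.2.1"}}
    trusted = {"outlook.office.com": {"192.0.2.200", "192.0.2.201"}, "example.org": {"192.0.2.2"}}
    print("divergent answers:", divergent_answers(configured, trusted))
```

In practice the trusted answers would come from a resolver reached over an encrypted transport that the router cannot redirect, and a single divergent observation should trigger a second lookup before alerting.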

"Everyone is looking for some sophisticated malware to drop something on your mobile devices or something," English remarked, contrasting the perceived complexity of cyber threats with the elegant simplicity of this attack. "These guys didn’t use malware. They did this in an old-school, graybeard way that isn’t really sexy but it gets the job done."

Microsoft’s security team described the Forest Blizzard activity as utilizing DNS hijacking "to support post-compromise adversary-in-the-middle (AiTM) attacks on Transport Layer Security (TLS) connections against Microsoft Outlook on the web domains." While the targeting of SOHO devices is not a novel tactic in the realm of cyber espionage, Microsoft noted that this is the first instance they have observed of Forest Blizzard employing "DNS hijacking at scale to support AiTM of TLS connections after exploiting edge devices."

A Pattern of Evolving Tactics

Danny Adamitis, another engineer at Black Lotus Labs, expressed that it will be "interesting to see how Forest Blizzard reacts to today’s flurry of attention to their espionage operation." He pointed to a precedent set by the group in August 2025, when they swiftly altered their tactics in response to a similar NCSC report. At that time, Forest Blizzard was employing malware to control a more targeted and smaller group of compromised routers. However, Adamitis noted that the day following the NCSC’s report, the group abandoned the malware-centric approach in favor of the current strategy of mass-altering DNS settings on thousands of vulnerable routers.

"Before the last NCSC report came out, they used this capability in very limited instances," Adamitis stated. "After the report was released, they implemented the capability in a more systemic fashion and used it to target everything that was vulnerable." This indicates a strategic adaptability and a willingness to pivot to more effective and scalable methods when detected.

Regulatory Scrutiny and National Security Concerns

The vulnerabilities exploited by Forest Blizzard highlight a broader issue concerning the security of network edge devices. Both MikroTik and TP-Link, manufacturers of many of the compromised routers, have faced scrutiny over their device security. In fact, TP-Link had previously faced the prospect of a complete ban in the United States.

More recently, on March 23, the U.S. Federal Communications Commission (FCC) adopted a more sweeping measure. The FCC announced that it would no longer certify consumer-grade Internet routers produced outside of the United States. This decision underscores the growing concern among U.S. regulators about the national security implications of foreign-made networking equipment.

The FCC explicitly warned that foreign-made routers had become an "untenable national security threat." They emphasized that poorly secured routers present "a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons." This broad regulatory action aims to reduce the attack surface presented by potentially compromised hardware entering the U.S. market.

However, industry experts have raised questions about the practical availability of new consumer-grade routers under this new FCC policy. It is anticipated that few new devices will be available for purchase, with potential exceptions like Starlink satellite Internet routers, which are produced domestically. The FCC has stated that router manufacturers can apply for a special "conditional approval" from either the Department of Defense or the Department of Homeland Security. Importantly, the new policy does not retroactively affect any consumer-grade routers that have already been purchased and are in use by individuals and businesses.

Broader Implications and Future Outlook

The Forest Blizzard operation serves as a stark reminder of the persistent and evolving nature of state-sponsored cyber threats. By leveraging readily available exploits against widely deployed, often neglected, hardware, these actors can achieve significant impact with minimal investment in sophisticated tools. The ability to bypass multi-factor authentication through token harvesting represents a particularly concerning advancement, as it targets a critical juncture in modern security protocols.

The reliance on legacy and unpatched devices by both small businesses and potentially larger organizations creates a fertile ground for such attacks. This incident reinforces the critical need for proactive cybersecurity practices, including regular software updates, timely hardware replacement, and robust network segmentation.

The actions taken by the FCC signal a governmental recognition of the systemic risks associated with the globalized supply chain of networking hardware. However, the effectiveness of such regulatory measures will depend on their implementation and enforcement, as well as the industry’s ability to adapt and provide secure, domestically manufactured alternatives.

As Forest Blizzard and its affiliated groups continue to operate, cybersecurity professionals and organizations worldwide will be closely monitoring their next moves. The group’s demonstrated ability to adapt its tactics in response to intelligence disclosures suggests that they will likely continue to refine their methods, posing an ongoing challenge to global cybersecurity efforts. The incident underscores the complex interplay between geopolitical tensions, technological vulnerabilities, and the constant battle to secure digital infrastructure against increasingly sophisticated adversaries.
