
Russian Military Hackers Exploit Legacy Routers in Widespread Microsoft Token Theft Campaign


A sophisticated cyber-espionage campaign linked to Russia's military intelligence has been uncovered, leveraging known vulnerabilities in outdated internet routers to harvest Microsoft Office authentication tokens on a massive scale. Security experts warn that this operation, attributed to the Russian state-backed threat actor known as "Forest Blizzard" (also tracked as APT28 or Fancy Bear), has enabled hackers to stealthily siphon tokens from users across more than 18,000 networks without deploying traditional malware. By exploiting end-of-life and poorly maintained routers, the group has created a pervasive surveillance dragnet, primarily targeting government entities, law enforcement agencies, and third-party email providers.

According to a detailed report from Black Lotus Labs, the threat intelligence division of internet backbone provider Lumen, the campaign reached its peak in December 2025. The hackers focused on older, unsupported router models, primarily Small Office/Home Office (SOHO) devices from manufacturers such as MikroTik and TP-Link. Crucially, the attackers did not need to install malicious software on the devices. Instead, they used known security flaws to gain control of the routers and change their Domain Name System (DNS) settings, so that every device behind a compromised router sent its lookups to resolvers the attackers controlled. Control of name resolution let them steer connections to servers of their choosing and harvest authentication tokens, specifically Microsoft Office 365 tokens, as users attempted to reach legitimate services.

Microsoft corroborated these findings in a separate blog post, stating it had identified over 200 organizations and 5,000 consumer devices compromised by this "stealthy but remarkably simple" spying network. Forest Blizzard is a highly capable group attributed to Unit 26165 of Russia's GRU (Main Intelligence Directorate). It gained global notoriety for its role in the 2016 U.S. presidential election interference, including the breaches of the Democratic National Committee and the Hillary Clinton campaign; the 2018 U.S. indictment over that operation charged officers of Unit 26165 alongside officers of the GRU's Unit 74455. This latest campaign demonstrates a strategic shift towards exploiting foundational, often neglected network infrastructure to achieve broad, hard-to-detect access.

The technical mechanism is DNS hijacking at the router level. When a user on a compromised network tries to reach a Microsoft service such as Outlook or SharePoint, the device's DNS query for the service's hostname is answered by the attacker's resolver, which can point the client at a server the attacker controls instead of Microsoft's. That server can present a fake login page or sit as a proxy in front of the legitimate service, recording the authentication token that passes through it. Note that control of DNS does not by itself defeat TLS: a client that validates the certificate presented for a Microsoft hostname will refuse the attacker's server, so a capture of this kind depends on some step of the flow that is not protected by certificate validation. Once obtained, the tokens are highly valuable: they are issued after the user has already completed sign-in, including any multi-factor authentication (MFA) prompt, so replaying one grants access to the victim's email, documents, and other resources without the password and without triggering MFA again.

This campaign underscores several critical cybersecurity challenges. It highlights the persistent risk posed by end-of-life hardware that no longer receives security patches, creating a soft underbelly in global networks. It also demonstrates how nation-state actors are increasingly targeting network infrastructure itself, including routers, firewalls, and VPNs, to enable widespread surveillance. For defenders, mitigation requires a multi-layered approach: aggressively phasing out unsupported hardware; enforcing strict patch management for all network devices; monitoring which resolvers clients actually use and blocking outbound DNS (port 53) to anything other than approved resolvers at the network edge, so a router that hands out rogue DNS servers is noticed rather than obeyed; using encrypted DNS (DoT or DoH) to trusted resolvers so a router cannot silently redirect lookups; deploying DNSSEC with the caveat that it only helps where the client validates answers itself, since an attacker who controls the resolver a client trusts can return whatever it likes; and adopting a zero-trust architecture that does not inherently trust internal network traffic. On the identity side, short token lifetimes and alerting on token reuse from unfamiliar locations limit what a stolen token is worth. The incident serves as a stark reminder that foundational security hygiene remains the first and most crucial line of defense against even the most advanced adversaries.
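The DNS-hijack mechanism described above and the "monitor which resolvers clients use" mitigation can both be checked from the client side. The following Python script is an added example, not code from the Black Lotus Labs or Microsoft reports: it compares the resolvers a host is actually using against an allowlist, compares the configured resolver's answers for Microsoft hostnames against answers from an independent reference resolver, and looks for the one-address-for-everything pattern an interception proxy produces. The allowlist, the reference answers and the "hijacked" answers are constructed sample data embedded in the script (RFC 5737 documentation ranges and private ranges, not Microsoft's real address space), so it runs offline.

```python
"""Client-side indicators of router-level DNS hijacking.

Added example (not from the reports discussed above). Three checks, each fed
with constructed sample data so the script runs offline:
  1. Is every resolver the host uses on the site's approved list?
  2. Do the configured resolver's answers for Microsoft hostnames overlap the
     answers of an independent reference resolver (e.g. a DoH query to one
     you trust)?  CDN-backed names legitimately vary by location, so only a
     complete lack of overlap is flagged.
  3. Do unrelated hostnames all resolve to one address?  Legitimate endpoints
     resolve differently; a single shared address is the signature of an
     interception proxy or sinkhole.
"""
import ipaddress

# Hypothetical allowlist: resolvers this site expects its clients to use.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Ranges a public hostname should never resolve to from a client's point of view.
LOCAL_ONLY_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# --- constructed sample data: hostnames are real, the addresses are NOT theirs ---
SAMPLE_CONFIGURED = ["10.0.0.53", "198.51.100.7"]          # second resolver is rogue
SAMPLE_REFERENCE = {                                         # answers from a trusted resolver
    "login.microsoftonline.com": ["203.0.113.10", "203.0.113.11"],
    "outlook.office365.com": ["203.0.113.40"],
    "login.live.com": ["203.0.113.50"],
}
SAMPLE_LOCAL = {                                             # answers from a hijacked resolver
    "login.microsoftonline.com": ["198.51.100.20"],
    "outlook.office365.com": ["198.51.100.20"],
    "login.live.com": ["198.51.100.20", "192.168.88.250"],
}
SAMPLE_LOCAL_CLEAN = {                                       # answers from a healthy resolver
    "login.microsoftonline.com": ["203.0.113.11"],           # CDN subset, still overlaps
    "outlook.office365.com": ["203.0.113.40"],
    "login.live.com": ["203.0.113.50"],
}


def unapproved_resolvers(configured, approved=APPROVED_RESOLVERS):
    """Resolvers in use that are not on the approved list (sorted for stable output)."""
    return sorted(set(configured) - set(approved))


def is_local_address(ip):
    """True if ip lies in a private, loopback or link-local range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_ONLY_NETS)


def suspicious_answers(local, reference):
    """Map hostname -> list of reasons, for hosts whose local answers look hijacked."""
    findings = {}
    for host, answers in local.items():
        reasons = []
        if any(is_local_address(a) for a in answers):
            reasons.append("public hostname resolves to a private/loopback address")
        ref = set(reference.get(host, ()))
        if ref and not (set(answers) & ref):
            reasons.append("no overlap with reference resolver answers")
        if reasons:
            findings[host] = reasons
    return findings


def shared_sink(local):
    """Addresses that every watched hostname resolves to; empty list when there are none."""
    common = None
    for answers in local.values():
        common = set(answers) if common is None else common & set(answers)
    return sorted(common) if common else []


def report(configured, local, reference):
    """One-shot audit combining the three checks; returns a dict suitable for logging."""
    return {
        "unapproved_resolvers": unapproved_resolvers(configured),
        "suspicious_answers": suspicious_answers(local, reference),
        "shared_sink": shared_sink(local),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(report(SAMPLE_CONFIGURED, SAMPLE_LOCAL, SAMPLE_REFERENCE), indent=2))
    print(json.dumps(report(SAMPLE_CONFIGURED[:1], SAMPLE_LOCAL_CLEAN, SAMPLE_REFERENCE), indent=2))
```

In practice the `configured` list comes from the host (`resolvectl status` on Linux, `Get-DnsClientServerAddress` in PowerShell), the `local` answers from lookups against that resolver, and the `reference` answers from a DoH query to a resolver you trust; on a MikroTik router itself, `/ip dns print` shows the upstream servers it has been configured to use, which is where the redirection described in the reports would be visible.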
