Security researchers have cautioned that hackers connected to Russian military intelligence are exploiting known vulnerabilities in outdated internet routers to broadly steal authentication tokens from Microsoft Office users.

A Russian state-sponsored hacking operation enabled attackers to silently steal authentication tokens from users across more than 18,000 networks without using any malware or malicious code. In a blog post today, Microsoft reported that it had uncovered over 200 organizations and 5,000 consumer devices compromised by a remarkably simple but stealthy espionage campaign conducted by the Russia-backed threat group known as “Forest Blizzard.”

[Image: How the router redirected specifically targeted DNS queries.]

Forest Blizzard, also known as APT28 and Fancy Bear, is a threat group linked to Russia’s GRU military intelligence units. In 2016, APT28 became notorious for breaching the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee as part of its effort to meddle in the U.S. presidential election.

According to researchers at Black Lotus Labs — the security arm of backbone provider Lumen — Forest Blizzard’s surveillance operation reached its zenith in December 2025, compromising more than 18,000 Internet routers, the vast majority of which were unsupported, end-of-life devices or systems severely lagging on security patches. A fresh Lumen report indicates that the hackers mainly focused on government organizations, such as foreign affairs ministries, law enforcement bodies, and external email services.

According to Black Lotus Security Engineer Ryan English, the GRU operators did not have to install any malware on the compromised routers, which were predominantly older Mikrotik and TP-Link models aimed at the small office/home office (SOHO) sector.
Instead, the hackers exploited known vulnerabilities to alter the routers’ Domain Name System (DNS) settings, inserting servers under their own control. As the U.K.’s National Cyber Security Centre (NCSC) explains in its new advisory on Russian cyber operations targeting routers, DNS is the system that lets users access websites by entering easy-to-remember addresses rather than raw IP addresses. In a DNS hijacking attack, cybercriminals disrupt this process to secretly redirect users to fake websites created to steal login credentials or other sensitive data. English stated that the routers targeted by Forest Blizzard were reconfigured to use DNS servers pointing to a small number of virtual private servers under the attackers’ control.
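A practical way to spot the hijack English describes is to ask the resolver your router hands out the same question you ask a resolver you trust, and compare the answers. The script below is an added example written for this page; it is not code from Krebs, Lumen, Black Lotus Labs or Microsoft. It uses only the Python standard library: it builds a raw DNS A query, sends it directly to each resolver over UDP port 53 (so the operating system's stub resolver and its cache are bypassed), parses the reply including compression pointers, and reports whether the two resolvers agree. The LAN resolver address (Mikrotik's factory default), the trusted resolver (Quad9), and the watched hostnames are assumptions, not values from the article, and the sample reply embedded for offline testing is constructed.

```python
from __future__ import annotations

import random
import socket
import struct

# Assumed values, not from the article: Mikrotik's factory LAN address and Quad9.
LAN_RESOLVER = "192.168.88.1"
TRUSTED_RESOLVER = "9.9.9.9"
# Assumed watch-list; the article does not name the domains the campaign redirected.
WATCHED_NAMES = ["login.example.com", "mail.example.com"]


def build_query(name: str, qtype: int = 1) -> tuple[int, bytes]:
    """Build a minimal DNS query (RD set, one question); return (txid, packet)."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return txid, header + qname + struct.pack(">HH", qtype, 1)  # QCLASS IN


def _read_name(data: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels: list[str] = []
    end, jumped, hops = offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop in DNS name")
            pointer = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_a_records(response: bytes, txid: int) -> list[str]:
    """Return IPv4 addresses from the answer section; reject a foreign txid."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", response[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if flags & 0x000F != 0:  # RCODE other than NOERROR
        return []
    offset = 12
    for _ in range(qdcount):
        _, offset = _read_name(response, offset)
        offset += 4  # skip QTYPE and QCLASS
    addrs: list[str] = []
    for _ in range(ancount):
        _, offset = _read_name(response, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", response[offset:offset + 10])
        offset += 10
        rdata = response[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def resolve(name: str, server: str, timeout: float = 3.0) -> list[str]:
    """Query one resolver directly over UDP/53, bypassing the OS stub resolver."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_a_records(reply, txid)


def classify(lan_answers: set[str], trusted_answers: set[str]) -> str:
    """'match' if the resolvers share at least one address, 'mismatch' otherwise,
    'unresolved' if either side returned nothing. Sharing one address rather than
    requiring identical sets keeps CDN-backed names from raising false alarms."""
    if not lan_answers or not trusted_answers:
        return "unresolved"
    return "match" if lan_answers & trusted_answers else "mismatch"


# Constructed sample reply (not captured traffic): txid 0x1234, NOERROR, one A
# record answering login.example.com with 192.0.2.1 (TEST-NET-1).
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x05login\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x01"
)


def main() -> None:
    for name in WATCHED_NAMES:
        try:
            verdict = classify(set(resolve(name, LAN_RESOLVER)),
                               set(resolve(name, TRUSTED_RESOLVER)))
        except (OSError, ValueError) as exc:
            verdict = f"error: {exc}"
        print(f"{name}: {verdict}")


if __name__ == "__main__":
    main()
```

A "mismatch" is a lead, not proof: geo-aware CDNs legitimately hand different resolvers different addresses, which is why the comparison only requires one shared address. Because the campaign redirected only specifically targeted queries, the watch-list should contain the login and mail hostnames your users actually authenticate to, not a generic domain that will always resolve normally. The authoritative check remains the router itself: confirm the DNS servers in its configuration are the ones you set, and that the device is still receiving security updates.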
Krebs on Security