GRU Hackers Hijack Thousands of Routers in Massive Token Theft Operation
Breaking: State-Backed Spies Exploit Aging Routers to Steal Microsoft Office Tokens
Hackers linked to Russia's military intelligence (GRU) have compromised over 18,000 outdated Internet routers to silently harvest authentication tokens from Microsoft Office users, security researchers warned today. The campaign, attributed to the threat actor known as Forest Blizzard (APT28/Fancy Bear), affected more than 200 organizations and 5,000 consumer devices without deploying any malware.

Researchers at Black Lotus Labs, part of Lumen Technologies, discovered that at the peak of operations in December 2025, the attackers targeted unsupported end-of-life routers—mainly Mikrotik and TP-Link devices used in small offices and homes. By modifying DNS settings, they redirected users to malicious servers to intercept OAuth tokens transmitted after successful logins.
"This is a remarkably simple yet devastatingly effective attack," said Ryan English, Security Engineer at Black Lotus Labs. "The GRU didn't need to install any software on the routers. They just exploited known vulnerabilities to change the DNS configuration, then siphoned token after token from unsuspecting users."
Scope and Targets
Microsoft confirmed in a blog post that the hacking group compromised routers belonging to government agencies, including ministries of foreign affairs and law enforcement, as well as third-party email providers. The UK's National Cyber Security Centre (NCSC) issued a separate advisory detailing how Russian cyber actors are compromising routers to conduct DNS hijacking.
"DNS is the phonebook of the internet," the NCSC report states. "By corrupting this process, attackers can redirect users to fake websites that steal credentials. The attack is stealthy because the user never notices the redirection."
Background: Who is Forest Blizzard?
Forest Blizzard—also known as APT28 and Fancy Bear—is attributed to Russia's General Staff Main Intelligence Directorate (GRU). The group gained infamy for hacking the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee during the 2016 U.S. presidential election. Their modus operandi has consistently involved exploiting router vulnerabilities to establish persistent access.

The current campaign targets unsupported or unpatched routers that are no longer receiving security updates. English noted that many of the compromised devices were end-of-life models, making them easy prey. "These routers are everywhere—in home offices, small businesses, even some government annexes. They're forgotten, unmanaged, and wide open."
What This Means: A New Front in Cyber Espionage
OAuth tokens are the digital keys that allow users to remain logged into services like Microsoft Office 365 without repeatedly entering passwords. By stealing these tokens, hackers can bypass multi-factor authentication and access email, documents, and other sensitive data as if they were the legitimate user. The attack requires no ransomware, no phishing emails—just a compromised router.
"This method is a game changer," said a cybersecurity analyst who requested anonymity. "Organizations spend millions on endpoint protection and email filters. But if the router is compromised, none of that matters. The tokens are stolen before they ever reach the cloud."
Lumen's report warns that any organization using older Mikrotik or TP-Link routers should immediately update firmware or replace the devices. The NCSC recommends that all users review their DNS settings and confirm they are not pointed at unknown servers. Microsoft has added detection capabilities for this attack pattern in its Defender for Office 365 product.
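The NCSC advice above (check which resolvers your hosts actually use, and make sure they are ones you recognise) can be scripted. The following is an added example written for this article, not code from Lumen, the NCSC or Microsoft. It performs two checks: it parses a resolv.conf-style configuration and flags any nameserver not on a site-specific allowlist, and it compares the answers a configured resolver gives for a few high-value names against answers from an independent reference resolver, flagging names whose answers share no address and any single address that several login domains are being steered to. The allowlist, the resolver configuration and both answer sets are constructed samples (documentation address ranges stand in for real infrastructure) so the script runs offline; in a live run the answer sets would come from querying each resolver.

```python
"""Audit a host's DNS resolver configuration and spot-check answers.

Check 1: are the configured nameservers ones we expect (the router's LAN
         address, a corporate resolver, a known public resolver)?
Check 2: do answers for a handful of high-value names agree between the
         configured resolver and an independent reference resolver?
A mismatch on check 2, especially when several unrelated login domains all
resolve to one address, is the symptom of the DNS redirection described in
the article. Every input below is a constructed sample so this runs offline.
"""
import ipaddress
import re

# Constructed sample: what /etc/resolv.conf might look like on a host behind
# a router whose DNS settings were altered. 203.0.113.7 is a documentation
# address standing in for an attacker-controlled resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client
search corp.example
nameserver 192.168.88.1
nameserver 203.0.113.7
options timeout:2
"""

# Assumed allowlist: the LAN gateway plus two public resolvers. Replace with
# the resolvers your own environment is supposed to use.
TRUSTED_RESOLVERS = {"192.168.88.1", "1.1.1.1", "8.8.8.8"}


def parse_resolv_conf(text: str) -> list[str]:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        m = re.match(r"nameserver\s+(\S+)$", line)
        if m:
            servers.append(m.group(1))
    return servers


def audit_resolvers(servers, trusted=TRUSTED_RESOLVERS) -> list[str]:
    """Return configured resolvers that are not on the trusted list.

    Anything that is not even a valid IP address is flagged as well."""
    unknown = []
    for s in servers:
        try:
            ipaddress.ip_address(s)
        except ValueError:
            unknown.append(s)
            continue
        if s not in trusted:
            unknown.append(s)
    return unknown


# Constructed answer sets for check 2 (documentation ranges throughout).
# LOCAL_ANSWERS is what the configured resolver returned; REFERENCE_ANSWERS
# is what an independent resolver returned for the same names.
LOCAL_ANSWERS = {
    "login.microsoftonline.com": {"203.0.113.20"},
    "outlook.office365.com": {"203.0.113.20"},
    "example.com": {"198.51.100.9"},
}
REFERENCE_ANSWERS = {
    "login.microsoftonline.com": {"198.51.100.1", "198.51.100.2"},
    "outlook.office365.com": {"198.51.100.3"},
    "example.com": {"198.51.100.9"},
}


def find_redirected(local, reference) -> dict:
    """Names whose local answers share no address with the reference answers.

    Returns {name: sorted local addresses} for each such mismatch."""
    suspicious = {}
    for name, ref_ips in reference.items():
        local_ips = local.get(name, set())
        if local_ips and not (local_ips & ref_ips):
            suspicious[name] = sorted(local_ips)
    return suspicious


def shared_sink(suspicious) -> set[str]:
    """Addresses that more than one redirected name resolves to.

    One host fronting several login domains is a much stronger signal than a
    single mismatched name, which can also be caused by CDN geo-steering."""
    names_by_ip = {}
    for name, ips in suspicious.items():
        for ip in ips:
            names_by_ip.setdefault(ip, set()).add(name)
    return {ip for ip, names in names_by_ip.items() if len(names) > 1}


if __name__ == "__main__":
    servers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print("configured resolvers:", servers)
    print("unknown resolvers:", audit_resolvers(servers))
    bad = find_redirected(LOCAL_ANSWERS, REFERENCE_ANSWERS)
    print("names with disagreeing answers:", bad)
    print("address shared by several redirected names:", shared_sink(bad))
```

Treat a single mismatched name as a prompt to investigate rather than proof of tampering: names served through a CDN legitimately resolve differently from different vantage points. The combination of an unrecognised resolver in the configuration and several sign-in domains collapsing onto one address is what should trigger a response, starting with the router's own DNS configuration and firmware version.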
As of today, the GRU's router hijacking campaign remains active. Security teams worldwide are racing to identify and remediate compromised routers before more tokens are stolen.