GRU Hackers Hijack 18,000 Routers in Global Token Theft Campaign
Breaking — Hackers linked to Russia’s GRU military intelligence have compromised more than 18,000 Internet routers to silently steal Microsoft Office authentication tokens from thousands of users, security researchers warned today.
The operation, tied to the threat group known as Forest Blizzard (also APT28 or Fancy Bear), targeted over 200 organizations and 5,000 consumer devices without deploying any malware, according to a joint advisory from Microsoft and Lumen's Black Lotus Labs.
Attack Method: DNS Hijacking via Old Routers
The hackers exploited known vulnerabilities in end-of-life routers, mostly MikroTik and TP-Link SOHO devices, to rewrite the devices' Domain Name System (DNS) settings so that every client behind the router resolved names through attacker-controlled servers. With control of name resolution, the attackers could steer sign-ins to Microsoft services through infrastructure they controlled and intercept the OAuth authentication tokens issued once users had logged in.
Source: krebsonsecurity.com
"The attackers did not need to install any malicious software on the routers," said Ryan English, a security engineer at Black Lotus Labs. "They simply altered the DNS configuration to point to their own servers, and from there could harvest tokens from everyone on the local network."
Scope and Targets
At the peak of activity in December 2025, the surveillance network ensnared routers across 18,000 distinct networks. Primary targets included ministries of foreign affairs, law enforcement agencies, and third-party email providers, the report stated.
Microsoft confirmed that it identified more than 200 organizations and 5,000 consumer devices caught in the campaign. The U.K.'s National Cyber Security Centre (NCSC) issued a concurrent advisory detailing how Russian cyber actors are exploiting router weaknesses.
"DNS is the system that translates familiar web addresses into IP addresses. In a hijacking attack, the process is subverted to send users to malicious sites, often to steal credentials," the NCSC advisory noted.
Background
Forest Blizzard is attributed to Unit 26165 of Russia’s GRU, the same group that hacked the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee during the 2016 U.S. presidential election interference effort.
The group has a long history of targeting government and political organizations. The current campaign is notable for its simplicity: by exploiting unpatched routers, the hackers avoided triggering endpoint detection systems that typically look for malware executables.
What This Means
This campaign underscores the danger of legacy networking equipment. Most of the compromised routers were unsupported or far behind on security updates, making them easy targets. The stolen OAuth tokens could allow long-term, stealthy access to email accounts and cloud services without the attacker ever needing the victim's password, so a password reset alone is no guarantee the intruder has been locked out.
Organizations must audit their DNS settings, disable remote management on routers, and replace end-of-life devices. Users should enable multi-factor authentication and monitor for suspicious token use. As English put it, "This is a wake-up call that even without malware, your network can be turned against you."
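The two checks that matter most here, whether the resolvers a router hands out are the expected ones and whether those resolvers answer honestly for identity-provider hostnames, are straightforward to automate. The script below is an added example for this article, not code from Microsoft, Black Lotus Labs or the NCSC. It assumes the defender has already collected a resolv.conf-style snapshot from a client and two sets of DNS answers (one from the router's resolver, one from an independent trusted resolver); the resolver allowlist, hostnames and all IP addresses are constructed sample values, with documentation ranges standing in for attacker and provider addresses.

```python
"""Offline audit for router DNS hijacking (constructed example, not vendor code).

Check 1: are the resolvers pushed to clients on the approved list?
Check 2: do the router resolver's answers for identity-provider hostnames
         share any address with an independent trusted resolver's answers?
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Set

# Assumption: the organization's approved internal resolvers (constructed).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Hostnames whose answers matter most: the identity provider that issues the
# OAuth tokens this campaign targeted (constructed sample list).
SENSITIVE_HOSTNAMES = [
    "login.microsoftonline.com",
    "login.live.com",
    "outlook.office365.com",
]

_NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.IGNORECASE)


def parse_resolvers(resolv_conf: str) -> List[str]:
    """Extract nameserver addresses from resolv.conf-style text.

    Entries that are not valid IP addresses are skipped rather than raising:
    config pushed by a compromised router may be malformed on purpose.
    """
    found = []
    for line in resolv_conf.splitlines():
        m = _NAMESERVER_RE.match(line)
        if not m:
            continue
        try:
            found.append(str(ipaddress.ip_address(m.group(1))))
        except ValueError:
            continue
    return found


def unexpected_resolvers(resolvers: Iterable[str], approved: Set[str]) -> List[str]:
    """Return resolvers that are not on the approved list, preserving order."""
    return [r for r in resolvers if r not in approved]


def divergent_answers(local: Dict[str, Set[str]], trusted: Dict[str, Set[str]],
                      hostnames: Iterable[str]) -> Dict[str, Dict[str, Set[str]]]:
    """Flag hostnames whose local answer set shares no address with the trusted set.

    A disjoint answer set for an identity-provider name is the signature of the
    redirection described above: clients are sent to an address the provider
    never advertised. Partial overlap is tolerated because large providers
    rotate many addresses behind one name. Names with missing data are skipped.
    """
    findings = {}
    for name in hostnames:
        local_ips = local.get(name, set())
        trusted_ips = trusted.get(name, set())
        if not local_ips or not trusted_ips:
            continue
        if local_ips.isdisjoint(trusted_ips):
            findings[name] = {"local": local_ips, "trusted": trusted_ips}
    return findings


# Constructed sample: resolv.conf as pushed to a client by the router over DHCP.
# 203.0.113.7 stands in for an attacker-controlled resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client
search corp.example
nameserver 10.0.0.53
nameserver 203.0.113.7
nameserver not-an-ip
"""

# Constructed sample answers: 203.0.113.0/24 plays the attacker, 198.51.100.0/24
# plays the legitimate provider.
LOCAL_ANSWERS = {
    "login.microsoftonline.com": {"203.0.113.10"},
    "login.live.com": {"203.0.113.10"},
    "outlook.office365.com": {"198.51.100.20", "198.51.100.21"},
}
TRUSTED_ANSWERS = {
    "login.microsoftonline.com": {"198.51.100.1", "198.51.100.2"},
    "login.live.com": {"198.51.100.3"},
    "outlook.office365.com": {"198.51.100.21", "198.51.100.22"},
}


def run_audit(resolv_conf: str = SAMPLE_RESOLV_CONF,
              local: Dict[str, Set[str]] = LOCAL_ANSWERS,
              trusted: Dict[str, Set[str]] = TRUSTED_ANSWERS) -> dict:
    """Run both checks and return a report dict (returned, not printed, so it can be tested)."""
    resolvers = parse_resolvers(resolv_conf)
    return {
        "resolvers": resolvers,
        "unexpected_resolvers": unexpected_resolvers(resolvers, APPROVED_RESOLVERS),
        "divergent": divergent_answers(local, trusted, SENSITIVE_HOSTNAMES),
    }


if __name__ == "__main__":
    report = run_audit()
    for r in report["unexpected_resolvers"]:
        print(f"ALERT: resolver {r} is not on the approved list")
    for name, ans in report["divergent"].items():
        print(f"ALERT: {name} -> {sorted(ans['local'])} locally, "
              f"trusted resolver says {sorted(ans['trusted'])}")
```

In production the trusted answer set would come from a resolver reached over an encrypted, authenticated path (for example DNS over HTTPS to a provider you choose) rather than through the router under test, otherwise both sides of the comparison can be poisoned by the same device. The overlap rule, rather than exact equality, keeps false positives down for services that legitimately return different addresses to different resolvers.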
This is a developing story. Check back for updates.