State-backed hackers from Russia’s military intelligence have been exploiting outdated home and small-office routers to harvest authentication tokens from Microsoft Office users, according to security researchers and Microsoft. The campaign, which targeted more than 18,000 networks, allowed attackers to bypass multi-factor authentication and gain direct access to sensitive accounts without deploying a single piece of malicious software.
The operation was carried out by a threat actor known as Forest Blizzard—also identified as APT28 and Fancy Bear. This group is attributed to the military intelligence units within Russia’s General Staff Main Intelligence Directorate (GRU), the same entity linked to the 2016 interference in the U.S. Presidential election involving the Democratic National Committee and the Hillary Clinton campaign.
Microsoft reported that the operation affected more than 200 organizations and 5,000 consumer devices. By manipulating the core way routers direct internet traffic, the attackers were able to quietly siphon OAuth authentication tokens, which act as digital keys for users who have already logged into their accounts.
Given that these tokens are generated after a user has already passed through a login screen and completed multi-factor authentication (MFA), the hackers could enter victim accounts without needing to steal passwords or intercept one-time security codes.
The ‘Graybeard’ Method of DNS Hijacking
Unlike modern cyberattacks that often rely on sophisticated “zero-day” exploits or complex malware, Forest Blizzard used a technique security experts describe as an “old-school” approach. The attackers targeted older MikroTik and TP-Link devices—specifically those marketed for Small Office/Home Office (SOHO) use—that were either end-of-life, unsupported, or missing critical security updates.
The core of the attack is known as DNS hijacking. The Domain Name System (DNS) is essentially the phonebook of the internet: it translates a human-readable address, like outlook.office.com, into a numeric IP address that computers understand. By exploiting known vulnerabilities in these routers, the GRU hackers modified the DNS settings to point toward virtual private servers they controlled.
Once the router was reconfigured, every user on that local network was subject to the hijacked settings. This allowed the attackers to perform “adversary-in-the-middle” (AiTM) attacks on Transport Layer Security (TLS) connections. Specifically, they targeted Microsoft Outlook on the web domains to intercept the tokens required for account access.
Ryan English, a security engineer at Black Lotus Labs (a division of the internet backbone provider Lumen), noted that the simplicity of the attack was its strength. “Everyone is looking for some sophisticated malware to drop something on your mobile devices or something,” English said. “These guys didn’t use malware. They did this in an old-school, graybeard way that isn’t really sexy but it gets the job done.”

A Shift in Tactics and Scale
The scale of this operation appears to have evolved in direct response to public security warnings. According to Danny Adamitis, an engineer at Black Lotus Labs, Forest Blizzard previously used malware to control a much smaller, more targeted group of routers. However, after the U.K.’s National Cyber Security Centre (NCSC) released a report in August 2025, the group pivoted.
Almost immediately after the NCSC’s findings became public, the group abandoned the malware-heavy approach in favor of the mass-altering of DNS settings. This shift allowed them to move from surgical strikes to a systemic “dragnet” approach, targeting any vulnerable router they could find. At the peak of this activity in December 2025, the surveillance network had ensnared over 18,000 routers.
Lumen’s reporting indicates that the primary targets were high-value government entities, including law enforcement agencies, ministries of foreign affairs, and third-party email providers. By compromising the router—the gateway to the network—the attackers could monitor traffic for an entire office or agency without needing to infect individual laptops or phones.
National Security and the FCC’s Hardware Ban
This breach has added fuel to an ongoing debate in the United States regarding the security of foreign-made networking hardware. TP-Link, one of the brands most frequently exploited in this campaign, had already been under scrutiny by U.S. regulators.
On March 23, the U.S. Federal Communications Commission (FCC) announced a significant policy shift, stating it would no longer certify consumer-grade internet routers produced outside of the United States. The FCC characterized poorly secured, foreign-made routers as an “untenable national security threat” that could be used to disrupt critical infrastructure or harm U.S. citizens.
| Metric/Detail | Finding |
|---|---|
| Peak Router Compromises | 18,000+ networks (Dec 2025) |
| Affected Entities | 200+ organizations / 5,000+ consumers |
| Primary Hardware | Older MikroTik and TP-Link SOHO devices |
| Attack Vector | DNS Hijacking / AiTM (No malware used) |
| Primary Goal | Harvesting Microsoft Office OAuth tokens |
Even as the FCC’s policy aims to harden the U.S. perimeter, some experts argue that the move may severely limit the availability of new consumer routers, as few are produced domestically—with the exception of certain specialized hardware like Starlink’s Texas-made routers. The FCC has noted that the policy does not affect routers already purchased and that manufacturers can apply for “conditional approval” via the Department of Homeland Security or the Department of War.
How to Protect Your Network
For those using small office or home office (SOHO) equipment, the primary takeaway is the danger of “end-of-life” hardware. When a manufacturer stops providing security updates for a router, its known vulnerabilities are never closed, leaving a permanent doorway for state-sponsored actors.
Security experts recommend the following steps to mitigate the risk of DNS hijacking:
- Audit Hardware: Replace routers that are no longer supported by the manufacturer with current models that receive active security patches.
- Update Firmware: Ensure all networking gear is running the latest available firmware.
- Monitor DNS Settings: Regularly check router configurations to ensure DNS servers have not been changed to unknown IP addresses.
- Use Secure DNS: Consider implementing encrypted DNS (DNS over HTTPS or DNS over TLS) to prevent third parties from seeing or altering requests.
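The “Monitor DNS Settings” step above can be automated from any endpoint on the LAN, and doing so also makes the DNS-hijacking mechanism described earlier concrete. The script below is an added example written for this article; it is not code from Microsoft, Black Lotus Labs, or the affected vendors. It performs two checks: it audits the resolvers the router handed out against an allowlist (the router’s own LAN address plus known public resolvers; the addresses used here are assumptions you would replace with your own), and it builds a raw DNS query for a sensitive hostname so the answer from the local resolver can be compared with the answer from a trusted reference resolver. A router that has been reconfigured to point at an attacker-controlled server shows up either as an unexpected, non-LAN resolver address or as an A-record answer that the reference resolver never returns. The `build_a_response` helper and the sample `resolv.conf` text are constructed so the checks run offline; `query_udp` is the live variant.

```python
import ipaddress
import re
import secrets
import socket
import struct

# Assumed allowlist: the router's own LAN address plus two well-known public resolvers.
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "8.8.8.8"}
LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_resolv_conf(text):
    """Return the nameserver IPs from resolv.conf-style text (what DHCP handed out)."""
    return [m.group(1) for m in re.finditer(r"^\s*nameserver\s+(\S+)", text, re.M)]


def audit_resolvers(configured, allowlist=EXPECTED_RESOLVERS):
    """Flag every configured resolver that is not on the allowlist.

    A hijacked router hands out an external address (the attacker's VPS) instead of
    itself or a known resolver, so an unknown address outside the LAN is rated high.
    """
    findings = []
    for ip in configured:
        if ip in allowlist:
            continue
        addr = ipaddress.ip_address(ip)
        on_lan = any(addr in net for net in LAN_RANGES)
        findings.append((ip, "medium" if on_lan else "high", "not on resolver allowlist"))
    return findings


def encode_name(name):
    """Encode a hostname as DNS labels: length byte + label, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=None):
    """Build a standard recursive A query (RD bit set); returns (packet, txid)."""
    txid = secrets.randbelow(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1), txid


def _skip_name(pkt, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_answers(pkt, expected_txid):
    """Return the set of IPv4 strings in the answer section; raise on a bad reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"resolver returned rcode {flags & 0xF}")
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    ips = set()
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.add(str(ipaddress.IPv4Address(pkt[off:off + 4])))
        off += rdlen
    return ips


def build_a_response(txid, name, ips, ttl=60):
    """Constructed response packet for offline testing (what a resolver would send back)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
        for ip in ips)
    return header + question + answers


def compare_answers(local_ips, reference_ips):
    """Verdict for the 'does my resolver agree with a trusted one' check."""
    if not local_ips:
        return "no-answer"
    if local_ips & reference_ips:
        return "consistent"  # CDN rotation often yields partial overlap, which is fine
    return "divergent"  # every local answer is unknown to the reference resolver


def query_udp(server, name, timeout=3.0):
    """Live UDP/53 query against one resolver; returns its A-record set."""
    packet, txid = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_answers(data, txid)


if __name__ == "__main__":
    # Constructed sample: DHCP pushed the router plus an unknown external resolver.
    sample = "# generated by DHCP\nnameserver 192.168.1.1\nnameserver 203.0.113.7\n"
    for finding in audit_resolvers(parse_resolv_conf(sample)):
        print("resolver finding:", finding)
    # Offline answer comparison using constructed responses (203.0.113.0/24 and
    # 198.51.100.0/24 are documentation ranges, not real resolver addresses).
    _, txid = build_query("outlook.office.com", txid=0x1234)
    local = parse_a_answers(build_a_response(txid, "outlook.office.com", ["203.0.113.5"]), txid)
    reference = parse_a_answers(build_a_response(txid, "outlook.office.com", ["198.51.100.10"]), txid)
    print("verdict:", compare_answers(local, reference))
```

In a real audit, replace the sample text with the contents of `/etc/resolv.conf` (or the DHCP lease on Windows via `ipconfig /all`) and call `query_udp` once against the LAN resolver and once against a resolver you trust; a “divergent” verdict for a login domain such as outlook.office.com, or a “high” resolver finding, is the signal that warrants checking the router’s configuration directly. The comparison is deliberately lenient about partial overlap, because large services rotate A records and a strict equality check would page you constantly.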
The next phase of this conflict will likely involve further updates from the NCSC and Microsoft as they track how Forest Blizzard adapts its infrastructure to avoid detection. Users and organizations are encouraged to monitor official security advisories for updated indicators of compromise.
Do you use older SOHO hardware in your home or business? Share your thoughts or questions in the comments below.
