Farkesli
2026-05-05
Cybersecurity

10 Key Facts About Russia's Router Hijacking Campaign to Steal OAuth Tokens

Russian hackers exploited old routers to steal Microsoft Office OAuth tokens via DNS hijacking, compromising more than 18,000 routers and affecting more than 200 organizations.

In a sophisticated cyber espionage campaign, Russian military hackers have been exploiting outdated home and small-office routers to silently steal authentication tokens from Microsoft Office users worldwide. By manipulating the Domain Name System (DNS) settings of vulnerable devices, the threat group known as Forest Blizzard (also APT28 or Fancy Bear) intercepted OAuth tokens without deploying any malware. This article breaks down the ten most critical aspects of this operation, from the attackers' identity and methods to the scale of compromise and how organizations can defend against such threats. For a deeper look at the group's history, jump to item one.

1. The Threat Actor: Forest Blizzard

Forest Blizzard is the designation Microsoft uses for a hacking collective tied to Russia's Main Intelligence Directorate (GRU). Better known as APT28 or Fancy Bear, this group has been active for over a decade, infamous for its 2016 operations against the Democratic National Committee and Hillary Clinton's campaign. Their current campaign focuses on credential harvesting via router exploitation, demonstrating a shift from overt election interference to quieter, persistent surveillance. According to Lumen's Black Lotus Labs, the group targeted government agencies, law enforcement, and third-party email providers, aiming to collect intelligence from high-value networks.

[Image: 10 Key Facts About Russia's Router Hijacking Campaign to Steal OAuth Tokens. Source: krebsonsecurity.com]

2. The Attack Vector: Old Routers with Known Flaws

The hackers zeroed in on unsupported or end-of-life routers, primarily from MikroTik and TP-Link, which are popular in the small office/home office (SOHO) market. These devices often lack the latest security patches, making them easy prey. Forest Blizzard did not need to install malicious code; instead, they used publicly known vulnerabilities to change the routers' DNS settings. Once altered, the routers sent every name lookup from the local network to DNS servers controlled by the attackers, who could then answer lookups for selected hostnames with addresses of their own choosing. That control over name resolution, not over the traffic itself, is what laid the groundwork for interception.

3. No Malware Required

A key element of this operation is its "fileless" nature. The attackers never uploaded malware to the compromised routers. By simply reconfiguring the DNS settings, they controlled name resolution for every device on the local network, which let them steer chosen connections to servers they controlled. This made detection extremely difficult: nothing ran on the endpoints, so traditional antivirus or endpoint protection had nothing to flag. The absence of malicious binaries also helped the operation fly under the radar for months, with peak activity observed in December 2025.

4. Targets: Governments and Email Providers

Black Lotus Labs reported that the prime targets were ministries of foreign affairs, law enforcement bodies, and third-party email providers. The attackers aimed to capture OAuth authentication tokens for Microsoft Office services, including Outlook and Teams. By stealing these tokens, they could impersonate legitimate users and access sensitive email and documents without needing passwords, and without being challenged for a second factor, because a token is issued only after the user's login has already completed. The campaign ensnared over 200 organizations and 5,000 consumer devices, as noted in Microsoft's advisory.

5. Massive Scale: 18,000 Routers Hijacked

At its peak, the operation compromised more than 18,000 internet routers worldwide. This was not a small-scale test—it was a systematic, global surveillance campaign. The routers were concentrated in Europe and North America, but the impact rippled across countless networks. Each compromised router could affect dozens of users, meaning the actual number of potential victims likely exceeded the 200 organizations and 5,000 devices publicly identified by Microsoft.

6. How OAuth Tokens Were Stolen

OAuth tokens are digital passes that let a client act on a user's behalf toward services like Microsoft Office without repeatedly entering credentials; an access token is a bearer credential, so whoever holds it can use it until it expires. When a user on a hijacked network tried to log in to Office, the attacker-controlled DNS servers answered the lookup for the login hostname with the address of a fake site that looked identical to the real one. Once the user authenticated, the resulting token was sent to the attackers. Because the login succeeded from the user's point of view, there was no visible sign that the session had been compromised.


7. The Role of DNS Hijacking

DNS hijacking is a classic but effective technique. Under normal circumstances, DNS translates domain names (like office.com) into IP addresses. By reconfiguring the router, the attackers could answer lookups for login hostnames with the addresses of their own servers instead of the legitimate ones. The user's browser would then connect to a fake portal that captured login sessions. The UK's National Cyber Security Centre (NCSC) issued a formal advisory detailing exactly how Russian actors are using this method, urging organizations to verify router DNS configurations.

8. Microsoft's Response and Detection

Microsoft's Threat Intelligence team identified the campaign after analyzing anomalous authentication traffic. In a blog post, they detailed how Forest Blizzard targeted hundreds of organizations and thousands of consumers. The company worked with Lumen's Black Lotus Labs and law enforcement to trace the attacks back to GRU infrastructure. Recommendations included enabling multi-factor authentication and monitoring for unusual OAuth token usage. MFA raises the bar at login, but a token captured after a completed login already satisfies it, so detecting abuse means looking at how the token is used rather than how it was obtained: token use from addresses, networks or countries that do not match the session's origin, and tokens presented for sessions where no login was ever recorded. Where theft is suspected, revoking the user's sessions and refresh tokens invalidates what was taken.
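The kind of usage-based check described above, as an added example that is not the article's, Microsoft's or Lumen's code: a Python function run over a handful of constructed sign-in records. The record shape, field names, user names and addresses are all assumptions made for this example (the addresses are RFC 5737 documentation ranges), not Microsoft's sign-in log schema.

```python
from datetime import datetime, timezone

# Constructed sample sign-in records, one per authentication event. Field names
# are an assumption for this example, not a real log schema. Note that every
# record shows MFA satisfied: a stolen token inherits that claim from the
# victim's own login, so filtering on MFA status does not separate these.
SAMPLE_EVENTS = [
    {"ts": "2025-12-03T08:00:05Z", "user": "alice@example.gov", "session": "s-41",
     "ip": "203.0.113.25", "country": "NL", "event": "interactive_login", "mfa": True},
    {"ts": "2025-12-03T08:00:09Z", "user": "alice@example.gov", "session": "s-41",
     "ip": "203.0.113.25", "country": "NL", "event": "token_use", "mfa": True},
    # Same session's token used minutes later from another network and country:
    # the login was genuine, the token has walked.
    {"ts": "2025-12-03T08:03:41Z", "user": "alice@example.gov", "session": "s-41",
     "ip": "198.51.100.77", "country": "US", "event": "token_use", "mfa": True},
    {"ts": "2025-12-03T09:10:00Z", "user": "bob@example.gov", "session": "s-42",
     "ip": "203.0.113.40", "country": "NL", "event": "interactive_login", "mfa": True},
    {"ts": "2025-12-03T09:12:00Z", "user": "bob@example.gov", "session": "s-42",
     "ip": "203.0.113.40", "country": "NL", "event": "token_use", "mfa": True},
    # Token presented for a session with no interactive login on record at all.
    {"ts": "2025-12-03T09:30:00Z", "user": "carol@example.gov", "session": "s-43",
     "ip": "198.51.100.90", "country": "US", "event": "token_use", "mfa": True},
]


def _parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_token_anomalies(events, window_minutes=60):
    """Flag token uses that do not fit the session's recorded origin.

    Two deliberately simple rules (tune thresholds per environment):
      origin_mismatch: a token_use from a different country than the
          interactive_login that created the session, within window_minutes.
      no_login_seen: a token_use for a session that never had an
          interactive_login in the log (replayed or issued on a path we
          never observed). Reported once per session.
    Returns (rule, user, session, ip) tuples in timestamp order.
    """
    origin = {}          # session -> (login timestamp, login country)
    flagged_missing = set()
    alerts = []
    for ev in sorted(events, key=lambda e: _parse_ts(e["ts"])):
        ts, sess = _parse_ts(ev["ts"]), ev["session"]
        if ev["event"] == "interactive_login":
            origin.setdefault(sess, (ts, ev["country"]))
            continue
        if ev["event"] != "token_use":
            continue
        if sess not in origin:
            if sess not in flagged_missing:
                flagged_missing.add(sess)
                alerts.append(("no_login_seen", ev["user"], sess, ev["ip"]))
            continue
        login_ts, login_country = origin[sess]
        minutes_since_login = (ts - login_ts).total_seconds() / 60
        if ev["country"] != login_country and minutes_since_login <= window_minutes:
            alerts.append(("origin_mismatch", ev["user"], sess, ev["ip"]))
    return alerts


if __name__ == "__main__":
    for alert in find_token_anomalies(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it reports Alice's session token used from a second country within four minutes of her login, and Carol's token presented for a session with no login on record; Bob's consistent session produces nothing. A country or address change is a lead rather than proof (VPNs and mobile roaming do the same), so the alert is the starting point for revoking the session and checking what the token was used for.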

9. Implications for SOHO Router Security

This campaign shines a harsh light on the risks of using outdated networking equipment. Many SOHO routers reach end-of-life status without receiving critical firmware updates. Organizations and individuals must regularly check for firmware patches, disable remote management, and change default credentials. Additionally, clients that use DNS over HTTPS (DoH) to a resolver they configure themselves ignore the resolver the router advertises over DHCP, so a change to the router's DNS settings does not redirect their lookups; pointing devices at a resolver the organization controls, rather than whatever the local router hands out, has the same effect. Lumen's researchers noted that most compromised routers were running old firmware with known vulnerabilities listed in public databases.

10. How to Protect Against Router-Based DNS Hijacking

Defense starts with inventory: know every router on your network and make sure each is still supported. Change the default admin password, disable WAN access to the router's administration interface, and enable logging so that unauthorized configuration changes, a changed DNS server setting above all, leave a trace. For organizations, network segmentation and a resolver the organization controls or pins on the client, rather than whatever the local router advertises, limit what a hijacked router can do. The NCSC recommends validating DNS settings against known good baselines and monitoring for unexpected redirects. Finally, educate users about phishing, since tokens can also be stolen via convincing fake login pages that arrive by email rather than through a tampered resolver.
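The baseline check that items 7 and 10 point to, as an added example that is not code from the article, Microsoft, Lumen or the NCSC: a small Python script that asks the LAN resolver (the one the router hands out via DHCP) and a reference resolver you pin yourself the same question, and reports hostnames whose answers share no address. The two Microsoft hostnames are real login endpoints; every IP address, the constructed responses and the rogue-answer scenario are assumptions made for the example (RFC 5737 documentation ranges), not real Microsoft or attacker infrastructure.

```python
import os
import socket
import struct

# Hostnames a hijacked resolver would most plausibly lie about.
MONITORED_HOSTS = ["login.microsoftonline.com", "outlook.office.com"]


def build_query(hostname, txid):
    """Build a minimal DNS A/IN query with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in hostname.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def build_response(hostname, addrs, txid=0x1234, ttl=60):
    """Build the reply a resolver would send; used here to construct samples.
    Answer names are a compression pointer (0xC00C) back to the question name,
    as real resolvers emit, so the parser's pointer handling is exercised."""
    question = build_query(hostname, txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)
                       for a in addrs)
    return header + question + answers


def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                    # compression pointer
            if not jumped:
                end = offset + 2                      # caller resumes after the pointer
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_a_records(msg, expected_txid):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: reply does not belong to our query")
    if flags & 0x000F:                                # RCODE other than NOERROR
        return []
    offset = 12
    for _ in range(qd):                               # skip the question section
        _, offset = _read_name(msg, offset)
        offset += 4                                   # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return addrs


def resolve_with(resolver_ip, hostname, timeout=3.0):
    """Ask one specific resolver over UDP/53 (network call, not used in the sample)."""
    txid = int.from_bytes(os.urandom(2), "big")       # random id, as any real client does
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(hostname, txid), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid)


def divergent_hosts(local_answers, reference_answers):
    """Hostnames whose LAN answer shares no address with the reference answer."""
    return [h for h in local_answers
            if not set(local_answers[h]) & set(reference_answers.get(h, []))]


def audit_sample():
    """Run the comparison over constructed replies: the LAN resolver lies about
    the login hostname only and leaves Outlook untouched."""
    lan_replies = {
        "login.microsoftonline.com": build_response("login.microsoftonline.com", ["198.51.100.7"]),
        "outlook.office.com": build_response("outlook.office.com", ["203.0.113.20"]),
    }
    reference_replies = {
        "login.microsoftonline.com": build_response("login.microsoftonline.com", ["203.0.113.10", "203.0.113.11"]),
        "outlook.office.com": build_response("outlook.office.com", ["203.0.113.20", "203.0.113.21"]),
    }
    local = {h: parse_a_records(r, 0x1234) for h, r in lan_replies.items()}
    reference = {h: parse_a_records(r, 0x1234) for h, r in reference_replies.items()}
    return divergent_hosts(local, reference)      # → ['login.microsoftonline.com']


if __name__ == "__main__":
    print(audit_sample())
```

Two caveats when running this for real with resolve_with. First, a hijacked router usually still hands clients its own LAN address as the resolver; what the attacker changed is the router's upstream forwarder, so inspecting the DHCP offer alone shows nothing and comparing answers is the check that works. Second, CDN-fronted hostnames legitimately return different addresses to different resolvers, so treat a disjoint answer as a lead and corroborate it by opening a TLS connection to the returned address with the expected hostname as SNI: a server standing in for login.microsoftonline.com cannot present a certificate that validates for that name.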

This campaign demonstrates that even without installing malware, state-sponsored hackers can harvest valuable credentials on a massive scale. The old routers in our closets are the new front line of cyber warfare. By staying vigilant and applying basic security hygiene, both individuals and enterprises can reduce their exposure to similar attacks.