APT28 Exploits Vulnerable Routers in Global DNS Hijacking Campaign to Steal Microsoft OAuth Tokens
Overview
In a sophisticated yet alarmingly simple cyber espionage campaign, hackers tied to Russia's military intelligence have been exploiting aging internet routers to silently harvest authentication tokens from Microsoft Office users. The operation, attributed to the threat actor known as Forest Blizzard (also called APT28 or Fancy Bear), compromised over 18,000 routers at its peak in December 2025—without deploying any malware. Instead, attackers manipulated Domain Name System (DNS) settings to intercept OAuth authentication tokens, granting them persistent access to compromised accounts.

The Attack Method: DNS Hijacking via Router Compromise
Forest Blizzard, linked to Russia's General Staff Main Intelligence Directorate (GRU), targeted primarily unsupported or end-of-life routers from Mikrotik and TP-Link—devices commonly used in small offices and home offices (SOHO). According to security researchers at Black Lotus Labs (Lumen) and Microsoft, the hackers exploited known vulnerabilities in these routers to modify their DNS settings.
How DNS Hijacking Works
As the UK's National Cyber Security Centre (NCSC) explains, DNS acts like the internet's phonebook, translating domain names into IP addresses. In a DNS hijacking attack, the hackers reconfigured the routers to use DNS servers they controlled. This allowed them to covertly redirect users to malicious websites designed to steal login credentials or other sensitive data. Critically, the attackers could propagate these rogue DNS settings to all devices on the local network—without the need for any malware.
Targeting Outdated Routers
Black Lotus Labs found that the compromised routers were mostly older models far behind on security updates. By using known flaws, the GRU-linked hackers could modify DNS settings without installing malicious code. This made the attack particularly stealthy: network administrators saw no new software, no unexpected processes—only subtle configuration changes. At its height, the surveillance dragnet ensnared more than 18,000 routers across the globe.
Impact and Scope of the Campaign
Microsoft identified over 200 organizations and 5,000 consumer devices caught in the spy network. The primary targets were government agencies—including ministries of foreign affairs, law enforcement bodies, and third-party email providers. By intercepting OAuth tokens, the hackers could access Microsoft Office accounts even after the legitimate user logged out, effectively maintaining a backdoor into sensitive communications.

Which Organizations Were Hit?
Lumen's report highlights that Forest Blizzard focused on entities with high-value intelligence, such as foreign ministries and law enforcement agencies. The campaign also swept up third-party email providers, potentially enabling broader access to diplomatic and security-related correspondence. The attackers did not need to target each organization individually—once a router was compromised, all users on that network were at risk.
Defensive Measures Against Router-Based DNS Hijacking
To defend against such attacks, organizations should:
- Update router firmware regularly and replace end-of-life devices.
- Disable remote management on routers when not needed.
- Monitor DNS settings for unauthorized changes.
- Use DNSSEC validation so that resolvers can verify DNS responses are authentic.
- Implement network segmentation to limit exposure of critical systems.
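The "monitor DNS settings for unauthorized changes" measure above is worth making concrete, because a hijacked router pushes its rogue resolvers to every device on the LAN through DHCP, so the change is visible from any ordinary host. The script below is an added example written for this article; it is not code from the article, from Lumen, or from any router vendor. It assumes you can periodically collect each host's active resolver list in resolv.conf style (nameserver lines) and that you maintain an allowlist of the resolvers you actually operate. The allowlist, the two snapshots, and the 203.0.113.7 "rogue" address (a documentation-range address) are all constructed for the example.

```python
"""Audit a host's active DNS resolver list against an allowlist and a baseline.

Added example (not from the article or any vendor). Assumes resolv.conf-style
input and an operator-maintained allowlist; all sample data is constructed.
"""
import ipaddress
import re

# Constructed allowlist: resolvers the organisation operates or explicitly approves.
APPROVED_RESOLVERS = [ipaddress.ip_network(n) for n in (
    "10.0.0.53/32",   # internal recursive resolver (constructed)
    "10.0.1.53/32",   # internal secondary (constructed)
    "1.1.1.1/32",     # approved public fallback
)]

# Constructed snapshots of a LAN host's resolv.conf before and after the
# router's DHCP-advertised DNS servers were altered. 203.0.113.7 is a
# documentation-range address standing in for an attacker-controlled resolver.
SAMPLE_CLEAN = """# Generated by DHCP
search corp.example
nameserver 10.0.0.53
nameserver 10.0.1.53
"""
SAMPLE_HIJACKED = """# Generated by DHCP
search corp.example
nameserver 203.0.113.7
nameserver 10.0.0.53
"""

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.IGNORECASE)


def parse_resolv_conf(text: str) -> list:
    """Return the resolver addresses listed in resolv.conf-style text, in order.

    Order matters: the first entry is the one the host normally queries first.
    """
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # strip trailing comments
        m = NAMESERVER_RE.match(line)
        if not m:
            continue
        try:
            servers.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue                          # ignore malformed entries
    return servers


def unapproved_resolvers(servers, approved=APPROVED_RESOLVERS) -> list:
    """Addresses (as strings) that fall outside every approved network."""
    return [str(s) for s in servers if not any(s in net for net in approved)]


def resolver_drift(baseline: str, current: str) -> dict:
    """Compare two snapshots: which resolvers appeared, which vanished, and
    whether the preferred order changed."""
    before = parse_resolv_conf(baseline)
    after = parse_resolv_conf(current)
    return {
        "added": [str(s) for s in after if s not in before],
        "removed": [str(s) for s in before if s not in after],
        "order_changed": before != after,
    }


def audit(current: str, baseline: str = SAMPLE_CLEAN,
          approved=APPROVED_RESOLVERS) -> list:
    """Produce alert strings for a snapshot; an empty list means nothing suspicious."""
    findings = []
    for s in unapproved_resolvers(parse_resolv_conf(current), approved):
        findings.append(f"unapproved resolver in use: {s}")
    drift = resolver_drift(baseline, current)
    for s in drift["added"]:
        findings.append(f"resolver added since baseline: {s}")
    for s in drift["removed"]:
        findings.append(f"resolver removed since baseline: {s}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HIJACKED):
        print("ALERT:", finding)
```

Run from a scheduled job on a few hosts per LAN segment and ship the findings to your SIEM; a rogue resolver appearing on many hosts at once points at the router (or its DHCP server) rather than at any single endpoint, which is exactly the pattern this campaign produced. The allowlist check catches a resolver you never approved, while the baseline diff also catches a quieter change such as an approved secondary being dropped so that only the attacker's server remains.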
Conclusion
The Forest Blizzard campaign demonstrates that sophisticated state-sponsored hackers can achieve mass surveillance without complex malware—just by exploiting outdated network infrastructure. As noted earlier, the key vector was DNS hijacking through vulnerable routers. For defenders, the lesson is clear: even humble home-office routers can be a gateway for advanced persistent threats. Regular patching, vigilant monitoring, and modern DNS security practices are essential to thwart such stealthy attacks.