Hackers linked to Russia’s army intelligence items are utilizing recognized flaws in older Web routers to mass harvest authentication tokens from Microsoft Workplace customers, safety consultants warned right now. The spying marketing campaign allowed state-backed Russian hackers to quietly siphon authentication tokens from customers on greater than 18,000 networks with out deploying any malicious software program or code.
Microsoft stated in a weblog submit right now it recognized greater than 200 organizations and 5,000 client units that had been caught up in a stealthy however remarkably easy spying community constructed by a Russia-backed risk actor generally known as “Forest Blizzard.”
How focused DNS requests had been redirected on the router. Picture: Black Lotus Labs.
Often known as APT28 and Fancy Bear, Forest Blizzard is attributed to the army intelligence items inside Russia’s Basic Employees Most important Intelligence Directorate (GRU). APT 28 famously compromised the Hillary Clinton marketing campaign, the Democratic Nationwide Committee, and the Democratic Congressional Marketing campaign Committee in 2016 in an try to intervene with the U.S. presidential election.
Researchers at Black Lotus Labs, a safety division of the Web spine supplier Lumen, discovered that on the peak of its exercise in December 2025, Forest Blizzard’s surveillance dragnet ensnared greater than 18,000 Web routers that had been largely unsupported, end-of-life routers, or else far behind on safety updates. A brand new report from Lumen says the hackers primarily focused authorities businesses—together with ministries of international affairs, legislation enforcement, and third-party e mail suppliers.
Black Lotus Safety Engineer Ryan English stated the GRU hackers didn’t want to put in malware on the focused routers, which had been primarily older Mikrotik and TP-Hyperlink units marketed to the Small Workplace/Dwelling Workplace (SOHO) market. As a substitute, they used recognized vulnerabilities to switch the Area Title System (DNS) settings of the routers to incorporate DNS servers managed by the hackers.
Because the U.Okay.’s Nationwide Cyber Safety Centre (NCSC) notes in a brand new advisory detailing how Russian cyber actors have been compromising routers, DNS is what permits people to succeed in web sites by typing acquainted addresses, as a substitute of related IP addresses. In a DNS hijacking assault, unhealthy actors intervene with this course of to covertly ship customers to malicious web sites designed to steal login particulars or different delicate data.
English stated the routers attacked by Forest Blizzard had been reconfigured to make use of DNS servers that pointed to a handful of digital personal servers managed by the attackers. Importantly, the attackers may then propagate their malicious DNS settings to all customers on the native community, and from that time ahead intercept any OAuth authentication tokens transmitted by these customers.
DNS hijacking via router compromise. Picture: Microsoft.
As a result of these tokens are sometimes transmitted solely after the person has efficiently logged in and gone via multi-factor authentication, the attackers may acquire direct entry to sufferer accounts with out ever having to phish every person’s credentials and/or one-time codes.
“Everyone is looking for some sophisticated malware to drop something on your mobile devices or something,” English stated. “These guys didn’t use malware. They did this in an old-school, graybeard way that isn’t really sexy but it gets the job done.”
Microsoft refers back to the Forest Blizzard exercise as utilizing DNS hijacking “to support post-compromise adversary-in-the-middle (AiTM) attacks on Transport Layer Security (TLS) connections against Microsoft Outlook on the web domains.” The software program big stated whereas concentrating on SOHO units isn’t a brand new tactic, that is the primary time Microsoft has seen Forest Blizzard utilizing “DNS hijacking at scale to support AiTM of TLS connections after exploiting edge devices.”
Black Lotus Labs engineer Danny Adamitis stated will probably be attention-grabbing to see how Forest Blizzard reacts to right now’s flurry of consideration to their espionage operation, noting that the group instantly switched up its ways in response to the same NCSC report (PDF) in August 2025. On the time, Forest Blizzard was utilizing malware to manage a much more focused and smaller group of compromised routers. However Adamitis stated the day after the NCSC report, the group shortly ditched the malware method in favor of mass-altering the DNS settings on hundreds of susceptible routers.
“Before the last NCSC report came out they used this capability in very limited instances,” Adamitis instructed KrebsOnSecurity. “After the report was released they implemented the capability in a more systemic fashion and used it to target everything that was vulnerable.”
