Hackers linked to Russia’s army intelligence items are utilizing recognized flaws in older Web routers to mass harvest authentication tokens from Microsoft Workplace customers, safety consultants warned immediately. The spying marketing campaign allowed state-backed Russian hackers to quietly siphon authentication tokens from customers on greater than 18,000 networks with out deploying any malicious software program or code.
Microsoft mentioned in a weblog put up immediately it recognized greater than 200 organizations and 5,000 shopper gadgets that had been caught up in a stealthy however remarkably easy spying community constructed by a Russia-backed risk actor referred to as “Forest Blizzard.”
How focused DNS requests had been redirected on the router. Picture: Black Lotus Labs.
Often known as APT28 and Fancy Bear, Forest Blizzard is attributed to the army intelligence items inside Russia’s Common Employees Primary Intelligence Directorate (GRU). APT 28 famously compromised the Hillary Clinton marketing campaign, the Democratic Nationwide Committee, and the Democratic Congressional Marketing campaign Committee in 2016 in an try and intervene with the U.S. presidential election.
Researchers at Black Lotus Labs, a safety division of the Web spine supplier Lumen, discovered that on the peak of its exercise in December 2025, Forest Blizzard’s surveillance dragnet ensnared greater than 18,000 Web routers that had been largely unsupported, end-of-life routers, or else far behind on safety updates. A new report from Lumen says the hackers primarily focused authorities companies—together with ministries of international affairs, regulation enforcement, and third-party electronic mail suppliers.
Black Lotus Safety Engineer Ryan English mentioned the GRU hackers didn’t want to put in malware on the focused routers, which had been primarily older Mikrotik and TP-Hyperlink gadgets marketed to the Small Workplace/Residence Workplace (SOHO) market. As an alternative, they used recognized vulnerabilities to switch the Area Identify System (DNS) settings of the routers to incorporate DNS servers managed by the hackers.
Because the U.Okay.’s Nationwide Cyber Safety Centre (NCSC) notes in a brand new advisory detailing how Russian cyber actors have been compromising routers, DNS is what permits people to achieve web sites by typing acquainted addresses, as an alternative of related IP addresses. In a DNS hijacking assault, unhealthy actors intervene with this course of to covertly ship customers to malicious web sites designed to steal login particulars or different delicate info.
English mentioned the routers attacked by Forest Blizzard had been reconfigured to make use of DNS servers that pointed to a handful of digital personal servers managed by the attackers. Importantly, the attackers might then propagate their malicious DNS settings to all customers on the native community, and from that time ahead intercept any OAuth authentication tokens transmitted by these customers.
DNS hijacking via router compromise. Picture: Microsoft.
As a result of these tokens are sometimes transmitted solely after the consumer has efficiently logged in and gone via multi-factor authentication, the attackers might achieve direct entry to sufferer accounts with out ever having to phish every consumer’s credentials and/or one-time codes.
“Everyone seems to be in search of some subtle malware to drop one thing in your cell gadgets or one thing,” English mentioned. “These guys didn’t use malware. They did this in an old-school, graybeard approach that isn’t actually attractive nevertheless it will get the job accomplished.”
Microsoft refers back to the Forest Blizzard exercise as utilizing DNS hijacking “to help post-compromise adversary-in-the-middle (AiTM) assaults on Transport Layer Safety (TLS) connections in opposition to Microsoft Outlook on the internet domains.” The software program big mentioned whereas concentrating on SOHO gadgets isn’t a brand new tactic, that is the primary time Microsoft has seen Forest Blizzard utilizing “DNS hijacking at scale to help AiTM of TLS connections after exploiting edge gadgets.”
Black Lotus Labs engineer Danny Adamitis mentioned it is going to be attention-grabbing to see how Forest Blizzard reacts to immediately’s flurry of consideration to their espionage operation, noting that the group instantly switched up its techniques in response to an analogous NCSC report (PDF) in August 2025. On the time, Forest Blizzard was utilizing malware to regulate a much more focused and smaller group of compromised routers. However Adamitis mentioned the day after the NCSC report, the group shortly ditched the malware method in favor of mass-altering the DNS settings on 1000’s of susceptible routers.
“Earlier than the final NCSC report got here out they used this functionality in very restricted situations,” Adamitis instructed KrebsOnSecurity. “After the report was launched they applied the aptitude in a extra systemic style and used it to focus on all the things that was susceptible.”
TP-Hyperlink was among the many router makers dealing with a whole ban in america. However on March 23, the U.S. Federal Communications Commission (FCC) took a wider method, asserting it might not certify consumer-grade Web routers which might be produced outdoors of america.
The FCC warned that foreign-made routers had turn into an untenable nationwide safety risk, and that poorly-secured routers current “a extreme cybersecurity danger that might be leveraged to instantly and severely disrupt U.S. important infrastructure and instantly hurt U.S. individuals.”
Consultants have countered that few new consumer-grade routers could be obtainable for buy beneath this new FCC coverage (apart from possibly Musk’s Starlink satellite tv for pc Web routers, that are produced in Texas). The FCC says router makers can apply for a particular “conditional approval” from the Division of Warfare or Division of Homeland Safety, and that the brand new coverage doesn’t have an effect on any previously-purchased consumer-grade routers.
