July 2, 2026

How Russia’s APT28 Exploited Routers for Microsoft Token Theft

Russia’s APT28 Hacked 18,000 Routers to Steal Microsoft Office Tokens

In a sophisticated yet startlingly simple attack, Russia’s military intelligence hackers compromised over 18,000 Internet routers worldwide to steal Microsoft Office authentication tokens from over 200 organizations and 5,000 consumer devices. The campaign, attributed to Forest Blizzard (also known as APT28 or Fancy Bear), used no malware — just outdated router firmware and DNS hijacking.

If your organization uses Microsoft 365 or Outlook, this attack vector should be on your radar. Here’s everything you need to know about this nation-state espionage operation.

What you’ll learn:
– How the Forest Blizzard router attack works
– Why old SOHO routers are a massive security risk
– The AiTM (Adversary-in-the-Middle) technique explained
– How to protect your organization from DNS hijacking


Who is Forest Blizzard (APT28)?

Forest Blizzard is a threat actor attributed to Russia’s GRU (Main Intelligence Directorate of the General Staff). This is the same group behind some of the most infamous cyberattacks in history, including the 2016 attacks on the Democratic National Committee during the U.S. presidential election.

According to Microsoft, Forest Blizzard has been actively targeting governments, law enforcement agencies, and third-party email providers across multiple continents. This latest campaign represents a significant escalation in scale and methodology.

Understanding the Attack Chain

The attack didn’t rely on sophisticated zero-day exploits or custom malware. Instead, Forest Blizzard took advantage of a deceptively simple vulnerability: older SOHO (Small Office/Home Office) routers that haven’t been updated.

Real-world example: A mid-sized company in Europe had a 10-year-old TP-Link router serving 50 employees. That single outdated device became the entry point for state-sponsored hackers to intercept every Microsoft authentication token flowing through the network — without any employee clicking a phishing link.


How the Router Attack Works: DNS Hijacking at Scale

At its core, the Forest Blizzard campaign exploited the way routers handle DNS (Domain Name System) — the protocol that translates website names like “microsoft.com” into IP addresses.

Step 1: Identifying Vulnerable Routers

The attackers scanned the internet for older Mikrotik and TP-Link routers that were either end-of-life, unsupported, or simply behind on security updates. At its peak in December 2025, their botnet controlled more than 18,000 such devices.

Step 2: Modifying DNS Settings

Rather than installing malware on the devices, the attackers used known firmware flaws only to change the DNS servers configured on these routers, pointing them at resolvers under the attackers’ control.

Step 3: Intercepting Authentication Tokens

Once users on the compromised network signed in to Microsoft Office or Outlook, the hijacked DNS answers directed their sign-in traffic through attacker-controlled infrastructure, where their OAuth authentication tokens were captured. Because these tokens are transmitted after multi-factor authentication has already been completed, the attackers gained direct access to victim accounts without ever needing to phish credentials or one-time codes.

The key insight: Microsoft describes this as a post-compromise Adversary-in-the-Middle (AiTM) attack. Because the interposed server cannot present a valid certificate for the genuine Microsoft hostname, browsers do show TLS certificate warnings — but as the comments on the original report note, a significant percentage of users simply click through them.
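A detection check a defender can run from an endpoint, written here as an added example rather than anything from the original article or from Microsoft: it compares the answers the router-assigned resolver gives for Microsoft sign-in hostnames with answers from an out-of-band trusted resolver (for instance DoH straight from the endpoint), and flags both disagreement and addresses outside the ranges the tenant expects. The expected address ranges and all sample answers below are constructed placeholders.

```python
import ipaddress
from typing import Dict, List, Set

# Sign-in hostnames a DNS hijack must redirect to place an adversary in the
# middle of the Microsoft 365 / Outlook token exchange.
IDENTITY_HOSTS = ("login.microsoftonline.com", "login.live.com", "outlook.office365.com")

# Placeholder for the ranges your tenant expects these names to resolve to
# (in practice, load Microsoft's published service ranges). Constructed:
# 203.0.113.0/24 is a documentation prefix, not a real Microsoft range.
EXPECTED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def hijack_indicators(router_dns: Dict[str, Set[str]],
                      trusted_dns: Dict[str, Set[str]]) -> List[str]:
    """Compare A-record answers from the router-assigned resolver with answers
    from an out-of-band trusted resolver (e.g. DoH straight from the endpoint).
    Returns findings; an empty list means no sign of a hijacked resolver."""
    findings: List[str] = []
    for host in IDENTITY_HOSTS:
        local = router_dns.get(host, set())
        trusted = trusted_dns.get(host, set())
        if not local:
            findings.append(f"{host}: router resolver returned no answer")
            continue
        # CDN-backed names rotate addresses, so disagreement is only flagged
        # when the two resolvers share no answer at all.
        if not (local & trusted):
            findings.append(f"{host}: resolvers disagree router={sorted(local)} "
                            f"trusted={sorted(trusted)}")
        for ip in sorted(local - trusted):
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in EXPECTED_PREFIXES):
                findings.append(f"{host}: answer {ip} is outside the expected ranges")
    return findings


# Constructed sample answers (documentation addresses, not real ones).
TRUSTED = {h: {"203.0.113.10", "203.0.113.11"} for h in IDENTITY_HOSTS}
CLEAN_ROUTER = {h: {"203.0.113.11", "203.0.113.12"} for h in IDENTITY_HOSTS}
HIJACKED_ROUTER = {**CLEAN_ROUTER, "login.microsoftonline.com": {"198.51.100.77"}}

if __name__ == "__main__":
    for label, answers in (("clean", CLEAN_ROUTER), ("hijacked", HIJACKED_ROUTER)):
        print(label, hijack_indicators(answers, TRUSTED) or ["no indicators"])
```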


Why This Matters for Your Organization

1. No Malware = No Traditional Detection

Most security tools look for malicious software. Forest Blizzard deployed zero malware. They simply changed router settings. This means your endpoint detection, antivirus, and even many network security tools would never see the attack happening.

2. Router Security is Often Neglected

Small office and home office routers are typically set up once and forgotten. Few organizations have processes to:

  • Regularly check router firmware versions
  • Monitor DNS settings for unauthorized changes
  • Replace end-of-life networking equipment
  • Enable DNSSEC validation

3. The Chain is Only as Strong as the Weakest Link

Your organization could have world-class security — zero-trust architecture, conditional access, regular penetration testing — and still be compromised because someone plugged in a consumer-grade router that hasn’t been updated since 2018.


Mitigation Strategies: How to Protect Yourself

Immediate Actions

  • Audit your routers: Identify all networking equipment (especially older Mikrotik and TP-Link devices) and check their current firmware version
  • Enable DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) on endpoints to encrypt DNS queries at the device level
  • Configure endpoints to block users from bypassing TLS certificate warnings — this is the critical step that makes AiTM attacks difficult
  • Implement Conditional Access with device compliance policies in Microsoft Entra

Network-Level Protections

  • Enable DNSSEC validation at the DNS resolver level
  • Monitor for unauthorized DNS server changes in router configurations
  • Consider deploying private DNS resolvers for corporate devices
  • Implement network segmentation to isolate critical authentication flows
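One way to put the "monitor for unauthorized DNS server changes" item above into practice, as an added example that is not from the article or from any router vendor: it parses a RouterOS-style configuration export, pulls out every resolver address set on the router itself or handed to DHCP clients, and reports any that are not on an approved list. The approved addresses and the sample export are constructed placeholders.

```python
import re
from typing import Dict, List

# Resolvers approved for these routers plus the router's own LAN address, which
# it hands to DHCP clients. Constructed placeholders (203.0.113.0/24 is a documentation range).
APPROVED_RESOLVERS = {"203.0.113.53", "203.0.113.54", "192.168.88.1"}
# Per export section, the keys that decide which resolver clients end up using.
DNS_KEYS = {"/ip dns": ("servers",), "/ip dhcp-server network": ("dns-server",)}
_KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_export(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Parse a RouterOS-style export: '/section' headers followed by 'set' or
    'add' lines of key=value pairs. Returns {section: [entry, ...]}."""
    sections: Dict[str, List[Dict[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current and line.split()[0] in ("set", "add"):
            sections[current].append({k: v.strip('"') for k, v in _KV.findall(line)})
    return sections


def audit_resolvers(export_text: str) -> List[str]:
    """Return one finding per resolver address that is not on the approved list."""
    findings = []
    for section, entries in parse_export(export_text).items():
        for entry in entries:
            for key in DNS_KEYS.get(section, ()):
                for addr in filter(None, entry.get(key, "").split(",")):
                    if addr not in APPROVED_RESOLVERS:
                        findings.append(f"{section} {key}={addr} not in approved list")
    return findings


# Constructed sample export: an unapproved resolver has been added both to the
# router's upstream list and to the DNS option handed to DHCP clients.
SAMPLE_EXPORT = """\
/ip dns
set allow-remote-requests=yes servers=203.0.113.53,198.51.100.9
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1,198.51.100.9 gateway=192.168.88.1
"""

if __name__ == "__main__":
    print(*audit_resolvers(SAMPLE_EXPORT), sep="\n")
```

Run it against exports collected on a schedule and alert on any non-empty result; a resolver that is not on the approved list is exactly the change this campaign made.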

Long-Term Security Hygiene

  • Replace end-of-life SOHO routers with enterprise-grade alternatives
  • Establish a router firmware update policy
  • Include networking equipment in your vulnerability management program
  • Conduct regular security awareness training — teach users NOT to click through certificate warnings

Government Response: The FCC Takes Action

On March 23, 2026, the U.S. Federal Communications Commission (FCC) announced it would no longer certify consumer-grade Internet routers produced outside the United States. The FCC cited these routers as a “severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure.”

While this is a step in the right direction, experts note that few consumer-grade routers would be available under this new rule — with the notable exception of Starlink routers, which are produced in Texas.


Conclusion

The Forest Blizzard campaign demonstrates a fundamental truth in cybersecurity: the simplest attacks are often the most effective. Nation-state actors don’t always need zero-days and custom malware. Sometimes, exploiting a 10-year-old router with a known vulnerability is all it takes.

The attack chain — from compromised router to stolen authentication tokens to account takeover — took advantage of three things: outdated firmware, users clicking through certificate warnings, and a lack of device-level DNS encryption.

The good news? All three of these are fixable. Audit your routers, enable certificate pinning, enforce Conditional Access, and educate your users. Don’t let your network be the weak link that gives APT28 a way in.

As security researcher Ryan English put it: “These guys didn’t use malware. They did this in an old-school, graybeard way that isn’t really sexy but it gets the job done.”

Sometimes, the old-school approach is exactly what’s keeping security teams up at night.


About the Author

This article was written by Syed Adil Hussain, a cybersecurity professional passionate about securing digital infrastructure. Connect with him on LinkedIn or reach out at thecyberguy90@gmail.com for cybersecurity consulting, training, or collaboration.
