VYPR · breach · Published Apr 7, 2026 · Updated May 18, 2026 · 1 source

Russia's APT28 Hijacks 18,000 SOHO Routers to Steal Microsoft OAuth Tokens at Scale

Russian GRU hackers compromised over 18,000 end-of-life MikroTik and TP-Link routers to hijack DNS settings and intercept OAuth authentication tokens from Microsoft Office users, bypassing multi-factor authentication without deploying malware.

Russian state-sponsored hackers linked to the GRU's military intelligence units have been exploiting known vulnerabilities in outdated small office/home office (SOHO) routers to mass-harvest authentication tokens from Microsoft Office users, security researchers from Microsoft and Lumen's Black Lotus Labs disclosed today. The campaign, attributed to the threat actor known as Forest Blizzard (also APT28 or Fancy Bear), has ensnared over 18,000 routers and targeted more than 200 organizations, including government agencies, law enforcement bodies, and third-party email providers.

The attackers did not deploy any malware on the compromised devices. Instead, they exploited known vulnerabilities in end-of-life MikroTik and TP-Link routers to modify the Domain Name System (DNS) settings, redirecting traffic to attacker-controlled DNS servers. By controlling DNS answers, the hackers could then perform adversary-in-the-middle (AiTM) attacks on Transport Layer Security (TLS) connections to Microsoft Outlook on the web domains, capturing OAuth authentication tokens after users had already completed multi-factor authentication.

"Everyone is looking for some sophisticated malware to drop something on your mobile devices or something," said Ryan English, a security engineer at Black Lotus Labs. "These guys didn't use malware. They did this in an old-school, graybeard way that isn't really sexy but it gets the job done." The technique allowed the attackers to gain persistent access to victim accounts without ever needing to phish credentials or one-time codes.

Microsoft noted that while targeting SOHO devices is not a new tactic, this is the first time it has observed Forest Blizzard using DNS hijacking at scale to support AiTM attacks on TLS connections. The campaign has been active since at least December 2025, with peak activity ensnaring over 18,000 routers, mostly unsupported or far behind on security updates. The attackers propagated malicious DNS settings to all users on the local network, enabling broad interception of authentication tokens.

The U.K.'s National Cyber Security Centre (NCSC) also released a new advisory detailing how Russian cyber actors have been compromising routers. Black Lotus Labs engineer Danny Adamitis noted that Forest Blizzard quickly adapted its tactics after a similar NCSC report in August 2025. Prior to that report, the group used malware to control a smaller, more targeted set of routers. The day after the NCSC report, they abandoned the malware approach and began mass-altering DNS settings on thousands of vulnerable routers.

The disclosure comes amid heightened scrutiny of foreign-made routers. On March 23, the U.S. Federal Communications Commission (FCC) announced it would no longer certify consumer-grade routers produced outside the United States, citing national security risks. The FCC warned that poorly secured routers present "a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure." Experts have countered that the policy could severely limit router availability, as few consumer-grade routers are manufactured domestically.

This campaign marks a significant evolution in APT28's tradecraft, demonstrating a shift toward low-noise, infrastructure-level attacks that bypass traditional endpoint defenses. By compromising the network edge rather than individual devices, the group achieved persistent access across thousands of organizations without triggering malware alerts. The incident underscores the critical importance of patching and replacing end-of-life networking equipment, as well as the need for organizations to monitor DNS configuration changes as a key indicator of compromise.
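The DNS-configuration monitoring recommended above can be reduced to two checks: are the resolvers a router hands out ones you expect, and does the LAN resolver return the same addresses for the Microsoft sign-in hosts as a trusted out-of-band lookup? The following is an added example (not code from the advisory or from Microsoft or Black Lotus Labs); the allowlisted resolver addresses, the sample answers and the router config are constructed values, and the hostnames to watch are an assumption you should replace with your tenant's own list.

```python
import ipaddress
import socket

# Constructed allowlist: resolvers your routers are expected to hand out via DHCP.
ALLOWED_RESOLVERS = {"192.0.2.53", "198.51.100.53"}

# Hostnames whose answers an attacker must control for the AiTM described above
# (assumption for this example; verify against your own environment).
WATCHED_HOSTS = ("outlook.office.com", "login.microsoftonline.com")


def rogue_resolvers(configured, allowed=ALLOWED_RESOLVERS):
    """Return configured DNS servers that are not allowlisted (or are not valid IPs)."""
    rogue = []
    for server in configured:
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            rogue.append(server)  # malformed entries in a router config are suspicious too
            continue
        if str(ip) not in allowed:
            rogue.append(str(ip))
    return rogue


def hijacked_hosts(lan_answers, reference_answers):
    """Flag hosts whose LAN-resolver answers share no address with a trusted lookup.

    CDN-fronted names legitimately return varying addresses, so a mismatch is a
    lead to confirm against the TLS certificate, not proof of hijacking on its own.
    """
    flagged = []
    for host, reference in reference_answers.items():
        seen = set(lan_answers.get(host, ()))
        if seen and seen.isdisjoint(reference):
            flagged.append(host)
    return flagged


def live_answers(hosts=WATCHED_HOSTS):
    """Resolve hosts with the system resolver, i.e. whatever the router configured."""
    answers = {}
    for host in hosts:
        try:
            infos = socket.getaddrinfo(host, 443, type=socket.SOCK_STREAM)
            answers[host] = {info[4][0] for info in infos}
        except socket.gaierror:
            answers[host] = set()
    return answers


# Constructed sample data standing in for a router's DNS config and two resolver runs.
SAMPLE_CONFIG = ["192.0.2.53", "203.0.113.7"]
SAMPLE_LAN = {"outlook.office.com": {"203.0.113.44"}, "login.microsoftonline.com": {"198.51.100.10"}}
SAMPLE_REF = {"outlook.office.com": {"198.51.100.20"}, "login.microsoftonline.com": {"198.51.100.10"}}

if __name__ == "__main__":
    print("rogue resolvers:", rogue_resolvers(SAMPLE_CONFIG))
    print("possibly hijacked:", hijacked_hosts(SAMPLE_LAN, SAMPLE_REF))
```

In production, feed `rogue_resolvers` from periodic router config exports and compare `live_answers()` against a lookup made over an independent path such as a DoH resolver on a management host.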

Synthesized by Vypr AI