Massive OAuth Token Harvesting Campaign by Russian GRU Hackers Exposed: 18,000 Routers Hijacked
Breaking: Russian Hackers Steal Microsoft Office Tokens via Router Hijacking
Russian military intelligence hackers have compromised over 18,000 internet routers to secretly harvest authentication tokens from Microsoft Office users, security researchers warned today. The campaign, attributed to the GRU-linked threat group Forest Blizzard (also known as APT28 or Fancy Bear), targeted government agencies, law enforcement, and email providers worldwide.

Microsoft identified more than 200 organizations and 5,000 consumer devices caught in the surveillance dragnet, which peaked in December 2025. The hackers exploited known vulnerabilities in outdated routers—mostly MikroTik and TP-Link devices—to reroute traffic without installing malware.
"The GRU hackers didn't need to install malware on the targeted routers," said Ryan English, a security engineer at Black Lotus Labs, Lumen's security division. "Instead, they modified DNS settings to redirect users to malicious sites that stole OAuth tokens."
The stolen OAuth tokens allowed attackers to silently intercept authentication data after users had successfully logged in, bypassing typical security measures. The U.K.'s National Cyber Security Centre (NCSC) issued a separate advisory detailing the DNS hijacking technique used.
Background on Forest Blizzard and GRU Activities
Forest Blizzard, also known as APT28, is a cyber-espionage unit tied to Russia's General Staff Main Intelligence Directorate (GRU). The group gained notoriety for interfering in the 2016 U.S. presidential election by hacking the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee.
In this latest operation, the hackers exploited end-of-life routers that were unsupported or far behind on security patches. Black Lotus Labs reported that the attackers reconfigured the Domain Name System (DNS) settings on compromised routers to point to their own controlled servers.

What This Means: OAuth Token Theft and Supply Chain Risks
"This campaign highlights a critical weakness in how authentication tokens are transmitted," English explained. "Since OAuth tokens are sent after login, compromising the network layer allows attackers to capture them without user awareness."
The breach affects not only individual consumers but also government and corporate networks that connect through the compromised routers. Over 5,000 consumer devices and 200 organizations were directly impacted, but the true reach could be wider, since tokens from additional downstream users may also have been intercepted.
Security experts urge organizations to immediately patch or replace outdated routers, and to use certificate-based authentication where possible. The NCSC recommends monitoring for unusual DNS queries and implementing multi-factor authentication as an additional layer of defense.
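As an added illustration of the monitoring the NCSC recommends (this is example code, not from the article, Black Lotus Labs, Microsoft or the NCSC), the script below performs two defender-side checks against a fleet: it flags hosts whose DHCP-assigned DNS resolvers fall outside the organisation's approved resolver ranges, and it flags hostnames whose answer from the router-supplied resolver shares no address with the answer from a trusted resolver. The approved ranges, inventory lines, hostnames and IP addresses are all constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Approved recursive resolvers for the organisation. Constructed placeholder
# ranges; a real deployment would load these from configuration management.
APPROVED_RESOLVERS = [ip_network("10.0.0.0/24"), ip_network("192.0.2.0/24")]

# Constructed fleet inventory: one line per host listing the resolvers its
# router handed out via DHCP. "branch-fw" sits behind a router whose DNS
# settings have been repointed; "ws-03" reports a malformed value.
INVENTORY = """\
host=ws-01 resolvers=10.0.0.53,10.0.0.54
host=ws-02 resolvers=192.0.2.10
host=branch-fw resolvers=203.0.113.7,10.0.0.53
host=ws-03 resolvers=not-an-ip
"""


def parse_inventory(text):
    """Parse 'key=value' inventory lines into {host: [resolver, ...]}."""
    inventory = {}
    for line in text.splitlines():
        fields = dict(field.split("=", 1) for field in line.split() if "=" in field)
        if "host" not in fields or "resolvers" not in fields:
            continue  # skip blank or malformed lines rather than crashing
        inventory[fields["host"]] = fields["resolvers"].split(",")
    return inventory


def is_approved(addr):
    """True when addr parses as an IP inside one of the approved ranges."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False  # an unparsable resolver entry is itself suspicious
    return any(ip in net for net in APPROVED_RESOLVERS)


def rogue_resolvers(inventory):
    """Return {host: [resolvers outside the approved set]} for affected hosts only."""
    findings = {}
    for host, resolvers in inventory.items():
        unexpected = [r for r in resolvers if not is_approved(r)]
        if unexpected:
            findings[host] = unexpected
    return findings


# Constructed answer comparison: hostname -> (answer set obtained through the
# router-supplied resolver, answer set obtained through a trusted resolver).
# Geo-DNS and CDNs legitimately return varying addresses, so the check below
# treats any overlap between the two answer sets as consistent and only flags
# fully disjoint answers for triage.
ANSWER_PAIRS = {
    "login.example.com": ({"198.51.100.20"}, {"198.51.100.20"}),
    "mail.example.com": ({"203.0.113.99"}, {"198.51.100.30", "198.51.100.31"}),
    "cdn.example.com": ({"198.51.100.40"}, {"198.51.100.40", "198.51.100.41"}),
}


def answer_mismatches(pairs):
    """Return sorted hostnames whose router-resolver answer is disjoint from the trusted answer."""
    return sorted(
        name
        for name, (router_answer, trusted_answer) in pairs.items()
        if router_answer.isdisjoint(trusted_answer)
    )


if __name__ == "__main__":
    for host, bad in rogue_resolvers(parse_inventory(INVENTORY)).items():
        print(f"[resolver drift] {host}: {', '.join(bad)}")
    for name in answer_mismatches(ANSWER_PAIRS):
        print(f"[answer mismatch] {name}: router resolver disagrees with trusted resolver")
```

The two checks are complementary: resolver drift catches a router whose DHCP or DNS settings have been changed, while the answer comparison catches the effect of that change even when the configured resolver address looks plausible. Both produce a triage queue rather than a verdict, since geo-DNS, split-horizon zones and legitimate ISP resolvers can all explain individual hits.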
For more on the technical details, see the Background section. Microsoft and Lumen continue to investigate, but the GRU's reliance on simple yet effective network compromises underscores the persistent threat from state-backed hacking groups.