Russian Hackers Exploit Router Flaws to Steal Microsoft Office Authentication Tokens
A Russia-linked hacking group, **Forest Blizzard**, is leveraging vulnerabilities in outdated internet routers to harvest authentication tokens from **Microsoft Office** users. This campaign has compromised over 18,000 networks, allowing the attackers to access user accounts without deploying any malware.
Hackers linked to Russia's military intelligence units are exploiting known flaws in older Internet routers to mass harvest authentication tokens from **Microsoft Office** users, security experts warned. The spying campaign allowed state-backed Russian hackers to quietly siphon authentication tokens from users on more than 18,000 networks without deploying any malicious software or code.
In a recent blog post, **Microsoft** stated that it identified more than 200 organizations and 5,000 consumer devices caught up in a stealthy spying network built by **Forest Blizzard**.

Also known as APT28 and Fancy Bear, Forest Blizzard is attributed to the military intelligence units within Russia's General Staff Main Intelligence Directorate (GRU). APT28 famously compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016.
Researchers at **Black Lotus Labs**, a security division of the Internet backbone provider **Lumen**, discovered that at its peak in December 2025, Forest Blizzard's surveillance impacted more than 18,000 Internet routers, primarily unsupported, end-of-life routers or devices lacking recent security updates. The hackers primarily targeted government agencies, including ministries of foreign affairs, law enforcement, and third-party email providers.
Black Lotus Security Engineer **Ryan English** explained that the GRU hackers did not need to install malware on the targeted routers, which were mainly older **Mikrotik** and **TP-Link** devices marketed to the Small Office/Home Office (SOHO) market. Instead, they exploited known vulnerabilities to modify the Domain Name System (DNS) settings of the routers to include DNS servers controlled by the hackers.
The U.K.'s **National Cyber Security Centre** (NCSC) detailed in a new advisory how Russian cyber actors have been compromising routers. DNS is what allows individuals to reach websites by typing familiar addresses instead of the associated IP addresses. In a DNS hijacking attack, bad actors interfere with this process to covertly send users to malicious servers designed to steal login details or other sensitive information.
English stated that the routers attacked by Forest Blizzard were reconfigured to use DNS servers that pointed to virtual private servers controlled by the attackers. The attackers could then propagate their malicious DNS settings to all users on the local network, and from that point forward intercept any OAuth authentication tokens transmitted by those users.

Because those tokens are typically transmitted only *after* the user has successfully logged in and gone through multi-factor authentication, the attackers could gain direct access to victim accounts without ever having to phish each user's credentials and/or one-time codes.
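As an added example (not code from the article, Black Lotus Labs or Microsoft), here is a small Python check a network defender could run to spot the router reconfiguration described above: it flags DHCP-advertised resolvers that are outside an allow-list, and Outlook on the web hostnames whose answers from the LAN resolver share nothing with the answers from a trusted out-of-band resolver. The watched hostnames, the allow-list and all sample answers are assumptions and constructed data, not real captures.

```python
import ipaddress

# Sign-in / Outlook on the web hostnames to watch. Assumption: the article
# does not list the exact domains, so these two are chosen as examples.
WATCHED_HOSTS = ("outlook.office.com", "login.microsoftonline.com")

def unexpected_resolvers(advertised, allowed):
    """Return resolvers the router hands out via DHCP that are not on the
    allow-list (e.g. the router's own LAN address or the ISP's resolvers).
    A public resolver nobody configured is what the hijacked routers in the
    campaign described above were changed to use."""
    allowed_nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    bad = []
    for r in advertised:
        ip = ipaddress.ip_address(r)
        if not any(ip in net for net in allowed_nets):
            bad.append(r)
    return bad

def hijacked_hosts(local_answers, trusted_answers):
    """Compare A records returned by the LAN resolver with those from a
    trusted resolver reached over a separate path (e.g. DNS over HTTPS).
    A host whose local answers share nothing with the trusted answers is
    flagged. Geo/CDN load balancing can cause benign mismatches, so hits
    are leads to verify, not proof of compromise."""
    flagged = {}
    for host in WATCHED_HOSTS:
        local = set(local_answers.get(host, ()))
        trusted = set(trusted_answers.get(host, ()))
        if local and trusted and local.isdisjoint(trusted):
            flagged[host] = sorted(local)
    return flagged

def assess(advertised, allowed, local_answers, trusted_answers):
    """Combine both checks into one verdict dictionary."""
    return {
        "unexpected_resolvers": unexpected_resolvers(advertised, allowed),
        "hijacked_hosts": hijacked_hosts(local_answers, trusted_answers),
    }

# Constructed sample data (documentation address ranges, not real hosts):
# the router should only hand out its own LAN address, but now also
# advertises an unknown public resolver that returns a foreign address
# for the Outlook hostname.
SAMPLE_ADVERTISED = ["192.168.1.1", "203.0.113.7"]
SAMPLE_ALLOWED = ["192.168.1.1/32", "198.51.100.0/24"]  # LAN gateway, ISP range
SAMPLE_LOCAL = {"outlook.office.com": ["203.0.113.50"],
                "login.microsoftonline.com": ["192.0.2.10", "192.0.2.11"]}
SAMPLE_TRUSTED = {"outlook.office.com": ["192.0.2.20"],
                  "login.microsoftonline.com": ["192.0.2.11", "192.0.2.12"]}

if __name__ == "__main__":
    print(assess(SAMPLE_ADVERTISED, SAMPLE_ALLOWED, SAMPLE_LOCAL, SAMPLE_TRUSTED))
```

To use it for real, feed `advertised` from the DHCP lease on a LAN client and the two answer dictionaries from the system resolver and a DoH query made over a path the router does not control.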
"Everyone is looking for some sophisticated malware to drop something on your mobile devices or something," English said. "These guys didn't use malware. They did this in an old-school, graybeard way that isn't really sexy but it gets the job done."
Microsoft refers to the Forest Blizzard activity as using DNS hijacking "to support post-compromise adversary-in-the-middle (AiTM) attacks on Transport Layer Security (TLS) connections against Microsoft Outlook on the web domains." The software giant said while targeting SOHO devices isn't a new tactic, this is the first time Microsoft has seen Forest Blizzard using "DNS hijacking at scale to support AiTM of TLS connections after exploiting edge devices."
Black Lotus Labs engineer **Danny Adamitis** said it will be interesting to see how Forest Blizzard reacts to today's flurry of attention to their espionage operation, noting that the group immediately switched up its tactics in response to a similar **NCSC** report in August 2025. At the time, Forest Blizzard was using malware to control a far more targeted and smaller group of compromised routers. But Adamitis said the day after the NCSC report, the group quickly ditched the malware approach in favor of mass-altering the DNS settings on thousands of vulnerable routers.
"Before the last NCSC report came out they used this capability in very limited instances," Adamitis told KrebsOnSecurity. "After the report was released they implemented the capability in a more systemic fashion and used it to target everything that was vulnerable."
TP-Link was among the router makers facing a potential ban in the United States. But on March 23, the **U.S. Federal Communications Commission** (FCC) took a much broader approach, announcing it would no longer certify consumer-grade Internet routers that are produced outside of the United States.
The FCC warned that foreign-made routers had become an untenable national security threat, and that poorly-secured routers present "a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons."
Experts have countered that few new consumer-grade routers would be available for purchase under this new FCC policy (besides maybe Musk's Starlink satellite Internet routers, which are produced in Texas). The FCC says router makers can apply for a special "conditional approval" from the Department of War or Department of Homeland Security, and that the new policy does not affect any previously-purchased consumer-grade routers.