How Russian Hackers Hijacked Routers to Steal Microsoft Authentication Tokens: A Step-by-Step Breakdown

Introduction

In a stealthy cyber‑espionage campaign, hackers linked to Russia's GRU military intelligence, tracked as Forest Blizzard (also APT28 or Fancy Bear), compromised thousands of outdated home and small‑office routers. By manipulating the DNS settings on these devices, they silently intercepted OAuth authentication tokens and gained persistent access to Microsoft Office and other cloud services without deploying any malware on the victims' endpoints. This step‑by‑step guide explains how the attackers executed the operation, based on reports from Microsoft, Lumen's Black Lotus Labs, and the UK's National Cyber Security Centre (NCSC). Understanding the attack chain is critical for defenders who need to harden networks against similar threats.

How Russian Hackers Hijacked Routers to Steal Microsoft Authentication Tokens: A Step-by-Step Breakdown
Source: krebsonsecurity.com

Step‑by‑Step Attack Process

Step 1: Identify Vulnerable Routers on the Target Network

The attackers scanned the internet for routers with known, unpatched flaws. They focused on models nearing or past their end‑of‑life—especially older MikroTik and TP‑Link devices widely used in small offices and home offices. These devices often lack security updates and are easy to compromise. Once found, the router’s IP address and open ports were recorded for the next step.

Step 2: Exploit Known Vulnerabilities to Gain Configuration Access

Using publicly available exploit code (e.g., for CVE‑2018‑14847 on MikroTik, or typical TP‑Link backdoors), the attackers remotely accessed the router’s administration interface. Critically, they did not install malware—they only needed to change a few configuration settings. The router continued to function normally, making detection difficult.

Step 3: Modify DNS Server Settings to Point to Attacker‑Controlled Servers

Once inside the router, the hackers changed the Domain Name System (DNS) configuration. They replaced the legitimate DNS servers (like those from the ISP or public DNS providers) with IP addresses of VPS instances they controlled. Because DNS is responsible for translating human‑readable domain names (e.g., login.microsoftonline.com) into IP addresses, the router now directed all DNS queries to the attacker’s servers.

Step 4: Propagate Rogue DNS to All Devices on the Local Network

The modified DNS settings applied automatically to every device connected to the compromised router—laptops, phones, printers, and Internet of Things (IoT) devices. No user interaction was required. The attackers now effectively controlled how all local machines resolved domain names for Microsoft and other services.

Step 5: Intercept OAuth Authentication Tokens

When a user on the network visited a Microsoft Office login page (e.g., https://login.microsoftonline.com/), the attacker's DNS server returned a malicious IP address, typically that of a proxy posing as the real Microsoft server. The user completed the OAuth login through that proxy, which captured the OAuth token as it passed through, even though the token is meant to travel only inside a TLS session between the user and Microsoft. The attackers could then replay the token to impersonate the user and access their email, documents, and cloud apps without needing passwords or multi‑factor authentication.

Step 6: Scale the Campaign Across Thousands of Routers

The attackers automated the process. At the peak in December 2025, Forest Blizzard had ensnared more than 18,000 routers across over 200 organizations and 5,000 consumer devices. The same DNS‑hijacking technique allowed them to harvest tokens for any service that used OAuth—not just Microsoft Office—as long as the token was transmitted over the hijacked network.

Step 7: Maintain Stealth and Persistence

Because the routers were left fully operational and the attackers only changed DNS settings, no unusual traffic patterns or malware signatures triggered alarms. The stolen tokens gave long‑term, credential‑less access. Victims may not notice until tokens expire or anomalous account activity appears in logs.
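Steps 3 and 4 describe the only change the attackers made: the resolvers a router hands out, and therefore the answers every device gets for names like login.microsoftonline.com. The following added example (written for this page, not code from Microsoft, Lumen or the NCSC reports) audits exactly that from the defender's side: it parses the resolvers a DHCP lease pushed to a host, flags any that are neither approved nor on the LAN, and checks whether the A records returned for the sign-in host fall inside the ranges the defender expects. All inputs, the approved-resolver set, and the expected ranges are constructed placeholders; a real deployment would take the answers from `dig` or `Resolve-DnsName` and fill the ranges from the vendor's published endpoint list.

```python
import ipaddress

# Constructed sample inputs (not taken from the reports): the resolv.conf a
# router's DHCP lease pushed to a laptop, and the A record the local resolver
# returned for the Microsoft sign-in host (as gathered with dig/Resolve-DnsName).
SAMPLE_RESOLV_CONF = "# generated by DHCP\nnameserver 192.168.88.1\nnameserver 203.0.113.77\n"
SAMPLE_ANSWERS = {"login.microsoftonline.com": ["203.0.113.45"]}

# Hypothetical allowlists: the organisation's approved upstream resolvers, and a
# placeholder range the sign-in host is expected to resolve into (fill from the
# vendor's published endpoint list). RFC 1918 covers a router acting as LAN forwarder.
APPROVED_RESOLVERS = {"1.1.1.1", "9.9.9.9"}
EXPECTED_NETS = {"login.microsoftonline.com": ["198.51.100.0/24"]}
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_nameservers(resolv_conf):
    """Extract nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in resolv_conf.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def rogue_resolvers(servers, approved=APPROVED_RESOLVERS):
    """Resolvers that are neither approved nor LAN addresses. A compromised router
    forwarding to attacker servers still looks like a LAN resolver, so this only
    catches the case where a rogue public resolver is handed out directly."""
    rogue = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            rogue.append(s)          # unparsable entry is worth a look too
            continue
        if s not in approved and not any(ip in net for net in LAN_NETS):
            rogue.append(s)
    return rogue

def mismatched_answers(answers, expected=EXPECTED_NETS):
    """{host: [ips]} for answers outside the host's expected ranges. This catches
    the forwarder case: the resolver looks normal but the answer is wrong."""
    bad = {}
    for host, ips in answers.items():
        nets = [ipaddress.ip_network(n) for n in expected.get(host, [])]
        if not nets:                 # no expectation recorded for this host
            continue
        wrong = [ip for ip in ips if not any(ipaddress.ip_address(ip) in n for n in nets)]
        if wrong:
            bad[host] = wrong
    return bad
```

Run both checks from a scheduled job on a few hosts per site; the answer comparison is the one that matters, since the rogue DNS in this campaign was usually reached through the router's own LAN address.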
