The gist: Russian military intelligence compromised over 18,000 outdated routers through DNS manipulation to steal Microsoft Office tokens. Primary targets were government organizations worldwide. No malware required – only exploiting known security vulnerabilities.
Security researchers warn of a sophisticated espionage campaign orchestrated by Russian military intelligence. Hackers exploit security vulnerabilities in outdated internet routers to covertly steal authentication tokens from Microsoft Office users.
A Russian hacker group linked to the GRU military intelligence service has managed to steal authentication tokens from Microsoft Office users on a large scale. Microsoft reported today that security experts have identified over 200 organizations and 5,000 private devices compromised by the espionage operation of the group known as “Forest Blizzard.” Forest Blizzard, also known by the names APT28 and Fancy Bear, made headlines in 2016 through hacks against the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee.
The scope of the attack is remarkable: researchers at security firm Black Lotus Labs documented that the hackers compromised over 18,000 internet routers in December 2025 – predominantly outdated, no longer supported devices from manufacturers such as MikroTik and TP-Link, designed for small offices and private users.
The attackers employed an elegant and inconspicuous method: instead of injecting malware, they manipulated the routers' DNS settings and inserted their own servers. This allowed them to selectively redirect DNS queries and send users to fake websites. According to the analyses, the operation focused primarily on government institutions such as foreign ministries, law enforcement agencies, and external email services.
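Because the method described above changes only the routers' DNS settings, one defensive check is to compare each router's configured resolvers against an approved list. The following is an added example, not code from the article or from the researchers it cites; the inventory format, the site and model names, the approved resolver ranges and the `audit` function are all assumptions, and every address is a constructed value from documentation ranges.

```python
import ipaddress

# Assumption: resolvers this organisation has approved (constructed values:
# one internal resolver plus RFC 5737 / RFC 3849 documentation ranges).
APPROVED = [ipaddress.ip_network(n) for n in
            ("10.0.0.53/32", "198.51.100.0/28", "2001:db8:53::/64")]

# Constructed inventory, one router per line: "site,router_model,dns_servers"
# (resolvers separated by ';'), as it might be collected from each router's
# WAN/DHCP settings. Not real data.
INVENTORY = """\
branch-01,model-a,10.0.0.53;198.51.100.4
branch-02,model-b,203.0.113.77;10.0.0.53
home-17,model-c,2001:db8:53::1
home-22,model-a,not-an-ip
home-31,model-b,
"""

def audit(inventory, approved=APPROVED):
    """Return {site: [findings]} for routers whose resolvers need review."""
    findings = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",", 2)]
        if len(fields) != 3:
            findings[line.strip()] = ["malformed record"]
            continue
        site, _model, servers = fields
        entries = [s.strip() for s in servers.split(";") if s.strip()]
        # An empty resolver list is itself worth a look.
        issues = [] if entries else ["no resolver configured"]
        for entry in entries:
            try:
                addr = ipaddress.ip_address(entry)
            except ValueError:
                issues.append(f"unparseable resolver {entry!r}")
                continue
            # Membership is False across IP versions, so mixed lists are safe.
            if not any(addr in net for net in approved):
                issues.append(f"unapproved resolver {addr}")
        if issues:
            findings[site] = issues
    return findings

if __name__ == "__main__":
    for site, issues in audit(INVENTORY).items():
        print(site, "->", "; ".join(issues))
```

A router is flagged if any one of its resolvers falls outside the approved set, so a rogue server listed next to a legitimate one is still reported.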