Russia Hacked Routers to Steal Microsoft Office Tokens


Krebs on Security, Apr 7, 2026

Key Takeaways

  • Hackers compromised 18,000+ routers to hijack DNS
  • Tokens stolen without installing malware on devices
  • Targets include government agencies and consumer networks
  • FCC bans foreign-made consumer routers for security
  • Forest Blizzard shifted tactics after NCSC report

Pulse Analysis

The Forest Blizzard campaign underscores a resurgence of old‑school network exploitation, leveraging known flaws in legacy MikroTik and TP‑Link routers to rewrite DNS records. By steering DNS queries to attacker‑controlled servers, the group created a silent adversary‑in‑the‑middle (AiTM) channel that captured OAuth tokens after users completed multi‑factor authentication. This method sidesteps traditional phishing and malware delivery, allowing the threat actor to harvest credentials at scale with a minimal detection footprint.

Beyond the technical novelty, the incident has geopolitical reverberations. APT28, historically tied to Russian election interference, is now targeting government ministries, law‑enforcement agencies, and email providers, raising concerns about espionage on critical state functions. The U.S. Federal Communications Commission’s decision to cease certification of foreign‑made consumer routers reflects a broader policy shift toward supply‑chain hardening, aiming to eliminate the low‑cost hardware that enables such attacks. Industry analysts warn that similar tactics could soon migrate to IoT devices, expanding the attack surface.

Looking forward, organizations must prioritize router firmware hygiene, enforce strict network segmentation, and adopt DNS security extensions (DNSSEC) to validate the integrity of DNS responses. Continuous monitoring for anomalous DNS traffic and rapid patching or replacement of end‑of‑life equipment are essential defenses. As regulators tighten hardware standards, enterprises should evaluate procurement policies to favor domestically certified devices, reducing reliance on vulnerable foreign‑manufactured routers and mitigating the risk of large‑scale token theft.
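The "monitoring for anomalous DNS traffic" recommendation above can be made concrete. The following script is an added example written for this summary; it is not code from Krebs on Security or from any vendor. It scans DNS resolver logs for the two symptoms a router-level DNS rewrite produces: identity-provider hostnames resolving to addresses outside an expected allowlist, and clients whose queries are going to a resolver that is not the organization's approved one. The log format, the sample lines, the watched hostnames' allowlisted prefix (a documentation range, not Microsoft's real addresses) and the approved resolver address are all constructed assumptions and would be replaced with the organization's own data.

```python
"""
Detect signs of router DNS hijacking that enables AiTM token capture.

Two checks over DNS resolver logs:
  1. a watched identity/mail hostname was answered with an IP outside the
     prefixes it is expected to resolve into (the rewritten-record symptom);
  2. a client is sending queries to a resolver that is not on the approved
     list (the hijacked-router symptom).

Everything below (log format, sample lines, prefixes, resolver address) is
constructed for illustration. The allowlisted prefix is a documentation
range, NOT Microsoft's real address space.
"""
import ipaddress
from collections import namedtuple

DnsEvent = namedtuple("DnsEvent", "ts client resolver qname answer")

# Constructed sample log lines, format: ts|client|resolver|qname|answer
SAMPLE_LOG = """\
2026-04-07T08:00:01Z|10.0.1.23|10.0.0.53|login.microsoftonline.com|203.0.113.10
2026-04-07T08:00:02Z|10.0.1.23|10.0.0.53|www.example.org|198.51.100.7
2026-04-07T08:01:10Z|10.0.1.44|192.0.2.99|login.microsoftonline.com|192.0.2.77
2026-04-07T08:01:11Z|10.0.1.44|192.0.2.99|outlook.office.com|192.0.2.77
2026-04-07T08:02:00Z|10.0.1.51|10.0.0.53|outlook.office.com|203.0.113.22
"""

# Hostnames whose answers are worth validating (sign-in and mail endpoints).
WATCHED_QNAMES = {"login.microsoftonline.com", "outlook.office.com"}
# Assumed allowlist of prefixes those hostnames should resolve into.
# Placeholder range; populate from observed/published data in practice.
EXPECTED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
# Assumed internal resolver that every managed client should be using.
APPROVED_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}


def parse_log(text):
    """Parse pipe-delimited log lines into DnsEvent tuples, skipping junk."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != 5:
            continue  # malformed line: ignore rather than crash the scan
        events.append(DnsEvent(*parts))
    return events


def answer_is_expected(answer):
    """True if the answer IP falls inside one of the allowlisted prefixes."""
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return False  # unparseable answer is treated as unexpected
    return any(ip in net for net in EXPECTED_PREFIXES)


def find_suspicious_answers(events):
    """Watched hostnames that resolved outside the expected prefixes."""
    return [e for e in events
            if e.qname in WATCHED_QNAMES and not answer_is_expected(e.answer)]


def find_rogue_resolver_clients(events):
    """Map client -> set of unapproved resolvers it was observed using."""
    rogue = {}
    for e in events:
        try:
            resolver = ipaddress.ip_address(e.resolver)
        except ValueError:
            continue
        if resolver not in APPROVED_RESOLVERS:
            rogue.setdefault(e.client, set()).add(e.resolver)
    return rogue


def analyze(text):
    """Run both checks over a log text and return the findings."""
    events = parse_log(text)
    return {
        "suspicious_answers": find_suspicious_answers(events),
        "rogue_resolver_clients": find_rogue_resolver_clients(events),
    }


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for e in findings["suspicious_answers"]:
        print(f"ALERT unexpected answer: {e.client} {e.qname} -> {e.answer} via {e.resolver}")
    for client, resolvers in findings["rogue_resolver_clients"].items():
        print(f"ALERT rogue resolver: {client} using {sorted(resolvers)}")
```

On the constructed sample, client 10.0.1.44 trips both checks: its queries go to 192.0.2.99 instead of the approved resolver, and both watched hostnames resolve to 192.0.2.77. In a real deployment the second check alone is the cheaper early warning, since a rewritten resolver setting on a home or branch router shows up before any token is captured.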
