Russia's GRU-Linked 'Forest Blizzard' Hacks Routers to Steal Microsoft Office Tokens from 18,000+ Networks
Russian military intelligence hackers have executed a stealthy, large-scale espionage campaign by exploiting old router vulnerabilities to steal Microsoft Office authentication tokens from users on more than 18,000 networks. The operation, attributed to the GRU-linked group known as Forest Blizzard (also tracked as APT28 or Fancy Bear), required no malware deployment, allowing it to siphon credentials quietly and at scale. Security experts warn that this method represents a remarkably simple yet effective vector for state-backed digital espionage.
Microsoft has identified over 200 organizations and 5,000 consumer devices compromised in this campaign. The threat actors exploited known security flaws in older internet routers to intercept and redirect targeted DNS requests, enabling them to harvest authentication tokens directly from Microsoft Office users. This group, infamous for its past breaches of the Hillary Clinton campaign and the Democratic National Committee, continues to refine its techniques for intelligence gathering.
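Because the campaign works by redirecting DNS answers for authentication endpoints rather than dropping malware, one defender-side check is to compare what the local (router-supplied) resolver returns for those hostnames against an allow-list built from an independent resolver. The following is an added illustration, not code from the article or from Microsoft; the watched hostnames, the allow-listed networks (documentation ranges) and the resolver log lines are all constructed assumptions.

```python
import ipaddress

# Assumed watch-list of authentication hostnames (not taken from the article).
WATCHED = {"login.microsoftonline.com", "login.live.com"}

# Assumed allow-list, as if built from an independent trusted resolver;
# documentation-range addresses stand in for real ones.
EXPECTED_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# Constructed resolver log lines: timestamp, queried name, record type, answer.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z login.microsoftonline.com A 203.0.113.10
2024-01-01T10:00:05Z login.live.com A 198.51.100.7
2024-01-01T10:00:09Z example.org A 192.0.2.5
2024-01-01T10:00:12Z login.microsoftonline.com AAAA 2001:db8::1
"""


def parse_log(text):
    """Parse whitespace-separated log lines into (ts, name, rtype, answer) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole check
        records.append(tuple(parts))
    return records


def find_redirected_answers(records, watched=WATCHED, expected=EXPECTED_NETS):
    """Return (name, answer) pairs for watched hostnames whose A/AAAA answer
    lies outside every allow-listed network; other names/types are ignored."""
    alerts = []
    for _ts, name, rtype, answer in records:
        if name.lower() not in watched or rtype not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(answer)
        except ValueError:
            continue  # not an address literal (e.g. CNAME target); skip it
        # 'in' is False across IP versions, so v4 answers are only matched to v4 nets
        if not any(addr in net for net in expected):
            alerts.append((name, answer))
    return alerts


if __name__ == "__main__":
    for name, answer in find_redirected_answers(parse_log(SAMPLE_LOG)):
        print(f"ALERT: {name} resolved to unexpected address {answer}")
```

On the constructed sample only the login.live.com answer falls outside the allow-list and is reported; a real deployment would feed the router resolver's answers in place of the sample log.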
The campaign underscores a persistent threat to global network security, leveraging unpatched infrastructure to bypass traditional endpoint security. It signals ongoing pressure on organizations to secure not just endpoints but also the network hardware that forms the backbone of their internet connectivity. The operation's scale and simplicity highlight the risk posed by state-sponsored actors who can weaponize known vulnerabilities for broad, silent data collection.