
Apr 15, 2026 · 6 min read

Russia Hijacked 18,000 Home Routers to Steal Microsoft Office Tokens—No Malware Required

Forest Blizzard, the GRU hacking unit behind the 2016 DNC breach, changed one setting on thousands of home routers to intercept authentication tokens from government agencies and law enforcement.

[Image: a home router with blinking lights on a desk while shadowy figures intercept data streams flowing from it]

What Happened

Russian military intelligence operatives compromised over 18,000 home and small office routers to intercept Microsoft Office authentication tokens from government agencies, foreign affairs ministries, and law enforcement organizations. The campaign, disclosed on April 7, 2026, by Microsoft and Lumen Technologies' Black Lotus Labs, required no malware installation on victim devices.

The threat group behind the operation is Forest Blizzard, also tracked as APT28 and Fancy Bear. They are attributed to Russia's GRU military intelligence directorate and are the same unit that targeted the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee during the 2016 US presidential election.

How the Attack Worked

The technique was remarkably simple. Forest Blizzard exploited known vulnerabilities in older MikroTik and TP-Link routers to gain administrative access, then changed a single setting: the DNS server configuration. Instead of pointing to legitimate DNS resolvers, the compromised routers sent every DNS lookup from the network to attacker-controlled DNS servers.

This allowed the group to perform man-in-the-middle attacks against TLS connections to Microsoft's authentication servers. When a user on a compromised network logged into Outlook or another Office application, the forged DNS answer silently sent their connection to an attacker server that captured the OAuth authentication token. With that token, the attackers could access the victim's email, documents, and other Microsoft 365 services without needing their password.

"They did this in an old school, graybeard way that is not really sexy but it gets the job done," noted Ryan English, an engineer at Black Lotus Labs. The attack chain required victims to click past a certificate warning to complete the compromise, but in practice this proved effective against enough targets to make the campaign worthwhile.

The Scale

Microsoft identified over 200 organizations and 5,000 consumer devices affected by the campaign. At its peak in December 2025, the operation had compromised more than 18,000 routers across multiple countries. The primary targets were government agencies, including foreign affairs ministries and law enforcement bodies.

The attackers demonstrated an ability to adapt rapidly. In August 2025, the UK's National Cyber Security Centre published a report documenting similar Forest Blizzard activity that used malware on compromised devices. Within 24 hours of that disclosure, the group abandoned its malware-based approach entirely and shifted to mass DNS reconfiguration, a technique that leaves almost no forensic evidence on the router itself.

Why Home Routers Are the Weak Link

Most home routers run firmware that is never updated. Many use default administrative credentials. Their owners have no way to detect a DNS settings change, and no monitoring tools that would flag suspicious traffic patterns. For state-sponsored attackers, they represent an enormous, largely undefended attack surface.

This is not the first time compromised routers have been used for espionage. Chinese state hackers planted sleeper backdoors in telecom networks using similar router compromises. The pattern is consistent: nation-state attackers are increasingly targeting network infrastructure that sits outside the security perimeter of the organizations they ultimately want to reach.

On March 23, 2026, the FCC announced a ban on foreign-made consumer routers, a regulatory response directly tied to the scale of router-based espionage campaigns. But the ban does not address the millions of vulnerable devices already deployed in homes and offices.

What to Do

Whether you work from home, use a personal device for email, or administer network infrastructure, these steps reduce your exposure:

  • Update your router firmware. Check your manufacturer's website for the latest version. If your router no longer receives updates, replace it.
  • Change default admin credentials. Use a strong, unique password for your router's administrative interface.
  • Check your DNS settings. Log into your router and verify that the DNS servers are set to a trusted provider (your ISP, Cloudflare 1.1.1.1, or Google 8.8.8.8). If you see unfamiliar addresses, your router may be compromised.
  • Never click past certificate warnings. If your browser warns that a site's certificate is invalid, do not proceed. This is exactly the warning that would have protected victims in this campaign.
  • Use a VPN on untrusted networks. A VPN encrypts your traffic independently of the router's DNS settings, making DNS hijacking attacks ineffective.

The Forest Blizzard campaign is a reminder that the most effective attacks do not always require the most sophisticated tools. A single DNS setting change on a home router was enough to give Russian intelligence access to government email accounts. The growing pattern of state-sponsored attacks on communication infrastructure makes network hygiene a matter of national security, not just personal convenience.
