Russian Intelligence Unit Forest Blizzard Uses DNS Hijacking to Mass Harvest Microsoft Tokens
Hackers linked to Russia's GRU compromised thousands of end-of-life routers to intercept OAuth tokens, bypassing multi-factor authentication without using malware.
Primary source: Krebs on Security. Full source links and update notes are below.
Fast summary
Start here
- Forest Blizzard (APT28) exploited known flaws in older Mikrotik and TP-Link routers to redirect DNS traffic to attacker-controlled servers.
- The campaign ensnared over 18,000 networks at its peak, primarily targeting government agencies, ministries of foreign affairs, and law enforcement.
- By intercepting OAuth tokens, the attackers gained direct access to victim accounts, effectively bypassing multi-factor authentication protocols.

What happened
Hackers linked to Russia's military intelligence units have been using known vulnerabilities in older internet routers to mass-harvest authentication tokens from Microsoft Office users. Security experts from Microsoft and Black Lotus Labs, a division of Lumen, warned that the spying campaign allowed state-backed actors to quietly siphon tokens from users on more than 18,000 networks. The operation was carried out without deploying any malicious software or code on the targeted user devices.
What's new in this update
New disclosures from Microsoft and Lumen reveal the technical specifics of a campaign attributed to 'Forest Blizzard,' also known as APT28 or Fancy Bear. Microsoft identified more than 200 organizations and 5,000 consumer devices caught up in the network. While the use of Small Office/Home Office (SOHO) devices for spying is not a new tactic, Microsoft noted this is the first time they have observed this specific actor using DNS hijacking at this scale to support adversary-in-the-middle (AiTM) attacks against Transport Layer Security (TLS) connections.
Key details
The attackers targeted older Mikrotik and TP-Link routers that were either end-of-life or lacked recent security updates. By modifying the Domain Name System (DNS) settings of these routers, the GRU-linked hackers redirected traffic to virtual private servers under their control. This allowed them to intercept OAuth authentication tokens transmitted after a user had already completed a successful login and multi-factor authentication (MFA) process, granting the hackers direct access to the accounts.
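The campaign above works only because the router's DNS forwarders were silently changed and clients then trusted whatever answers came back for the identity-provider hostnames. Two defender-side checks follow directly from that: audit every router's configured resolvers against an allow-list, and compare the A records clients actually see on the LAN for high-value login hostnames against answers obtained out-of-band over an independent path. The script below is an added example written for this article, not tooling from Microsoft, Lumen or the NCSC; the router export format, the hostname watch-list and all IP addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
"""Detect DNS-hijacking indicators from exported SOHO router settings and
passively observed DNS answers. Added example; all data below is constructed."""
import ipaddress

# Constructed: the resolvers this network is expected to hand to clients.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed: DNS settings exported from three routers in a hypothetical
# "name=value" per-line format (not any vendor's real export syntax).
ROUTER_CONFIGS = {
    "router-a": "servers=192.0.2.53,192.0.2.54\nallow-remote-requests=no",
    "router-b": "servers=198.51.100.7\nallow-remote-requests=yes",
    "router-c": "servers=192.0.2.53\nallow-remote-requests=no",
}

# Constructed: identity-provider hostnames worth watching closely, because a
# redirected answer for them lets an AiTM host sit on the login path.
WATCHLIST = ["login.microsoftonline.com", "outlook.office365.com"]

# Constructed: A records clients saw via the router (observed) versus records
# obtained over an independent path such as a trusted DoH resolver (reference).
OBSERVED_ANSWERS = {
    "login.microsoftonline.com": {"198.51.100.99"},
    "outlook.office365.com": {"203.0.113.20"},
    "example.com": {"198.51.100.200"},
}
REFERENCE_ANSWERS = {
    "login.microsoftonline.com": {"203.0.113.10", "203.0.113.11"},
    "outlook.office365.com": {"203.0.113.20", "203.0.113.21"},
    "example.com": {"198.51.100.200"},
}


def parse_config(text):
    """Parse the hypothetical name=value export into a dict."""
    settings = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip():
            settings[key.strip()] = value.strip()
    return settings


def find_rogue_resolvers(configs, expected=EXPECTED_RESOLVERS):
    """Return {router: [resolver, ...]} for every router whose configured DNS
    forwarders include an address outside the allow-list or that is not a
    valid IP address at all (a malformed entry is still worth a human look)."""
    findings = {}
    for name, text in configs.items():
        servers = [s.strip() for s in parse_config(text).get("servers", "").split(",")]
        rogue = []
        for server in filter(None, servers):
            try:
                ipaddress.ip_address(server)
            except ValueError:
                rogue.append(server)  # not an IP: flag it
                continue
            if server not in expected:
                rogue.append(server)
        if rogue:
            findings[name] = rogue
    return findings


def find_hijacked_answers(observed, reference, watchlist=WATCHLIST):
    """Return watch-listed hostnames whose LAN-observed A records share no
    address with the out-of-band reference. Disjointness rather than strict
    equality is used so ordinary CDN rotation does not raise an alert."""
    hijacked = []
    for host in watchlist:
        seen = observed.get(host, set())
        ref = reference.get(host, set())
        if seen and ref and seen.isdisjoint(ref):
            hijacked.append(host)
    return sorted(hijacked)


if __name__ == "__main__":
    print("rogue resolvers:", find_rogue_resolvers(ROUTER_CONFIGS))
    print("hijacked answers:", find_hijacked_answers(OBSERVED_ANSWERS, REFERENCE_ANSWERS))
```

In the constructed data router-b is the one pointing at an unexpected forwarder, and the login hostname is the one whose LAN answer shares nothing with the reference; the mail hostname, which still overlaps the reference set, is not flagged. The reference lookup must genuinely bypass the router under test (a cellular path, or DoH to a resolver the router cannot rewrite), otherwise both sides of the comparison come from the same hijacked forwarder.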
Background and context
Forest Blizzard is a notorious threat actor within Russia's General Staff Main Intelligence Directorate (GRU). The group has a history of high-profile political interference, including the 2016 compromises of the Democratic National Committee and the Hillary Clinton campaign. Security researchers describe this latest campaign as a 'graybeard' approach—using foundational internet protocols like DNS rather than sophisticated malware to achieve espionage goals.
What to watch next
Following the public exposure of the infrastructure and techniques used in this campaign, security analysts are monitoring how Forest Blizzard will adapt its tactics. The U.K.’s National Cyber Security Centre (NCSC) has released a new advisory detailing the compromise, urging organizations to secure or replace legacy edge devices. The case highlights a persistent risk in the SOHO market where older, unsupported hardware remains a primary vector for state-sponsored surveillance.
Why it matters
This campaign demonstrates a massive-scale exploitation of unpatched infrastructure that allows state actors to bypass modern security measures without deploying detectable malware.