Russia Hacked Routers to Steal Microsoft Office Tokens

Russian military intelligence hackers, known as Forest Blizzard, are exploiting vulnerabilities in older home and office routers to steal Microsoft Office authentication tokens from over 18,000 global networks.

Key Points

  • The hacking group, also known as APT28 or Fancy Bear, targeted over 200 organizations and 5,000 consumer devices.
  • Attackers used DNS hijacking on unsupported MikroTik and TP-Link routers to intercept OAuth tokens without deploying traditional malware.
  • The campaign primarily targeted government agencies, law enforcement, and third-party email providers to gain unauthorized access to accounts.
  • By bypassing multi-factor authentication through token theft, the group successfully conducted adversary-in-the-middle attacks on Microsoft Outlook web traffic.
  • The U.S. Federal Communications Commission recently announced a policy to stop certifying foreign-made routers due to these escalating national security risks.

Why it Matters

This campaign highlights a significant shift toward exploiting low-security edge devices to bypass sophisticated multi-factor authentication protocols. By targeting infrastructure rather than individual endpoints, state-backed actors can maintain persistent, stealthy access to sensitive government and corporate communications.
Source: Krebs on Security, published by BrianKrebs