

Ethical Hacking News

Exploiting the Unseen: Russia's DNS Hijacking Campaign Through Vulnerable Routers




Hackers linked to Russia's military intelligence units have been exploiting known vulnerabilities in older Internet routers to mass-harvest authentication tokens from Microsoft Office users, according to a recent report by security experts at Black Lotus Labs. The technique is low-tech but effective: it lets the state-backed Russian hackers infiltrate networks without deploying any malicious software or code, which makes it an especially concerning development for organizations and individuals that rely on these tools.



  • Black Lotus Labs has exposed a clandestine operation by Russian hackers linked to military intelligence units.
  • The APT28 group, also known as Fancy Bear or Forest Blizzard, is exploiting vulnerabilities in older Internet routers to gain access to sensitive authentication tokens.
  • Forest Blizzard's mass-harvesting approach allows them to bypass traditional security measures and gain direct access to sensitive information without phishing attempts.
  • Over 18,000 internet routers were compromised at the height of Forest Blizzard's activity in December 2025.
  • The attackers exploited known vulnerabilities in these routers to alter their DNS settings and intercept OAuth authentication tokens.
  • The operation relies on a "graybeard" approach that exploits well-known vulnerabilities rather than introducing new malicious code.
  • The implications are significant: the stolen tokens could be used to reach sensitive data, run phishing campaigns, or mount full-scale cyber attacks with the compromised credentials.



In a shocking turn of events, researchers at Black Lotus Labs have exposed a clandestine operation by Russian hackers linked to the military intelligence units within the General Staff Main Intelligence Directorate (GRU). This operation, attributed to the notorious APT28 group, also known as Fancy Bear or Forest Blizzard, relies on exploiting vulnerabilities in older Internet routers to gain access to sensitive authentication tokens belonging to Microsoft Office users.

According to Danny Adamitis, Black Lotus Labs engineer and expert on cybersecurity threats, this particular campaign represents a significant departure from the more targeted and sophisticated methods typically employed by hackers. Instead, Forest Blizzard has opted for a mass-harvesting approach, utilizing known flaws in older routers to hijack DNS settings that allow them to intercept OAuth authentication tokens transmitted by users.

These tokens, which are issued to secure online accounts once multi-factor authentication has been completed, can be used without the user's knowledge or consent once they have been intercepted. This makes the Forest Blizzard operation particularly insidious, as it enables hackers to bypass traditional security measures and gain direct access to sensitive information without ever needing to engage in phishing attempts.

The scale of this campaign is staggering. Researchers at Black Lotus Labs found that Forest Blizzard had managed to compromise more than 18,000 Internet routers at the height of its activity in December 2025. These routers were mostly unsupported, end-of-life devices or those far behind on security updates. The attackers exploited known vulnerabilities in these routers to alter their DNS settings, redirecting them towards DNS servers controlled by the hackers.

Once a router's DNS settings had been hijacked, the malicious settings propagated to every device on that router's local network, letting Forest Blizzard intercept any OAuth authentication tokens transmitted by users connected to it. This gave the hackers direct access to victim accounts without ever needing to obtain login credentials or one-time codes.
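The check a defender would want for the technique just described, as an added example that is not part of the article or of Black Lotus Labs' work: a small Python audit that (1) parses a client's resolv.conf-style DNS configuration and flags resolvers that are neither on an allowlist nor inside the LAN, and (2) compares the answers the locally configured resolver gives for identity endpoints against answers obtained out of band from a trusted resolver (for example over DNS-over-HTTPS). The second check matters most: in the scenario the article describes it is the router's own upstream DNS setting that gets changed, so a client that still lists the router as its resolver sees a normal-looking configuration and only the answers reveal the redirection. Everything here is assumed or constructed: the allowlist, the LAN subnet, the TEST-NET addresses in the sample data and the sample answer sets; gathering live answers from the two resolvers is left to the caller.

```python
"""Audit a host's DNS view for signs of router-level DNS hijacking.

Added illustration, not code from the article or from Black Lotus Labs.
Assumptions: the defender knows which resolvers the network legitimately
hands out (EXPECTED_RESOLVERS) and its LAN subnet (LAN_SUBNET), and can
obtain answers for the same names from the locally configured resolver and
from an out-of-band trusted resolver. All addresses are constructed
documentation/TEST-NET values, not real infrastructure.
"""
import ipaddress
from typing import Iterable

# Constructed allowlist: resolvers this network is supposed to offer via DHCP.
EXPECTED_RESOLVERS = {"192.168.1.1", "9.9.9.9"}
# Constructed LAN subnet; anything configured outside it deserves a closer look.
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")
# Identity endpoints are the high-value names in a token-interception
# scenario, so they are the first to cross-check.
WATCHED_NAMES = ("login.microsoftonline.com", "login.live.com")


def parse_resolv_conf(text: str) -> list[str]:
    """Extract nameserver addresses from resolv.conf-style text.

    Comments and malformed lines are ignored; only syntactically valid
    IP addresses are returned, in the order they appear.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                ipaddress.ip_address(parts[1])
            except ValueError:
                continue
            servers.append(parts[1])
    return servers


def check_resolvers(configured: Iterable[str], expected: set[str],
                    lan=LAN_SUBNET) -> list[str]:
    """Flag every configured resolver that is not on the allowlist.

    A resolver outside the LAN that nobody on the network provisioned is
    the stronger signal, so the finding records where the address sits.
    """
    findings = []
    for ip in configured:
        if ip in expected:
            continue
        where = "inside" if ipaddress.ip_address(ip) in lan else "outside"
        findings.append(f"unexpected resolver {ip} ({where} LAN {lan})")
    return findings


def compare_answers(local: dict[str, set[str]], trusted: dict[str, set[str]],
                    names: Iterable[str] = WATCHED_NAMES) -> list[str]:
    """Flag names whose local answers share no address with the trusted answers.

    A complete mismatch on a watched identity endpoint means the local
    resolver is steering that name somewhere the trusted resolver never
    mentions, which is what DNS-based token interception looks like.
    """
    findings = []
    for name in names:
        got, want = local.get(name, set()), trusted.get(name, set())
        if got and want and got.isdisjoint(want):
            findings.append(f"{name}: local {sorted(got)} vs trusted {sorted(want)}")
    return findings


def audit(resolv_conf: str, local: dict[str, set[str]],
          trusted: dict[str, set[str]]) -> list[str]:
    """Run both checks; an empty list means nothing suspicious was found."""
    return (check_resolvers(parse_resolv_conf(resolv_conf), EXPECTED_RESOLVERS)
            + compare_answers(local, trusted))


# --- Constructed sample data ------------------------------------------------
# A resolv.conf as a client might receive it from a tampered router: the
# router is gone from the list and a TEST-NET address standing in for an
# attacker-controlled resolver has taken its place.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP (constructed sample)
nameserver 198.51.100.23
nameserver 9.9.9.9
search lan
"""
# Answers from the locally configured resolver versus a trusted one; the
# first watched name is being redirected, the second is answered honestly.
SAMPLE_LOCAL = {
    "login.microsoftonline.com": {"198.51.100.77"},
    "login.live.com": {"203.0.113.10"},
}
SAMPLE_TRUSTED = {
    "login.microsoftonline.com": {"203.0.113.5", "203.0.113.6"},
    "login.live.com": {"203.0.113.10", "203.0.113.11"},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESOLV_CONF, SAMPLE_LOCAL, SAMPLE_TRUSTED):
        print("ALERT:", finding)
```

Run as a script it prints two alerts for the constructed sample: the off-LAN resolver and the redirected login endpoint. In practice, feed `audit()` the real resolver configuration and answer sets gathered from both resolvers. A mismatch on a watched name is a trigger for investigation rather than a verdict, since CDN-backed names legitimately return different addresses by region; querying the trusted resolver from the same region keeps that noise down.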

What is perhaps most striking about this operation is its reliance on an "old-school" technique that has been around for years. Rather than employing cutting-edge malware, Forest Blizzard opted for a straightforward DNS hijacking attack. According to Ryan English, a Black Lotus Labs security engineer, the hackers effectively took a "graybeard" approach that relies on exploiting well-known vulnerabilities rather than introducing new malicious code.

The implications of this operation are significant. With the ability to intercept OAuth authentication tokens, Forest Blizzard has a wide range of potential targets. The attackers could use this access to gain control over sensitive data, conduct targeted phishing campaigns, or even launch full-scale cyber attacks using stolen credentials.

This particular attack also represents an especially concerning development for organizations relying on Microsoft Office tools. As highlighted by the recent NCSC report, Forest Blizzard's DNS hijacking operation allows hackers to intercept authentication tokens from users connected to vulnerable routers. This raises significant concerns about the security of these digital tools and highlights the importance of keeping software up-to-date.

To mitigate this risk, security experts recommend that individuals and organizations take several steps. First, keep all software up-to-date, including operating systems and security software. Second, a reputable antivirus program can help detect and prevent DNS hijacking attacks in the first place.

Furthermore, implementing robust security measures such as two-factor authentication can significantly reduce the risk of this type of attack. Organizations should also ensure that their network configuration is secure, with all devices protected by strong passwords and up-to-date antivirus software.

Ultimately, this latest development underscores the importance of staying vigilant in the face of evolving cyber threats. By understanding how hackers operate and taking proactive steps to protect our digital assets, we can significantly reduce the risk of falling victim to sophisticated operations like Forest Blizzard's DNS hijacking campaign.

Related Information:
  • https://www.ethicalhackingnews.com/articles/Exploiting-the-Unseen-Russias-DNS-Hijacking-Campaign-Through-Vulnerable-Routers-ehn.shtml

  • https://krebsonsecurity.com/2026/04/russia-hacked-routers-to-steal-microsoft-office-tokens/

  • https://www.picussecurity.com/resource/blog/apt28-cyber-threat-profile-and-detailed-ttps

  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108

  • https://www.theregister.com/2026/04/07/russia_fancy_bear_ncsc_router_attack/

  • https://www.computerweekly.com/news/366641403/Russian-cyber-spies-targeting-consumer-Soho-routers

  • https://attack.mitre.org/groups/G0007/

  • https://www.threatintelreport.com/2026/02/20/threat_actor_profiles/threat-actor-profile-apt28/


  • Published: Tue Apr 7 14:27:36 2026 by llama3.2 3B Q4_K_M