Russian military intelligence hackers (APT28/Forest Blizzard/Fancy Bear) exploited known vulnerabilities in end-of-life SOHO routers—primarily MikroTik and TP-Link devices—to hijack DNS settings and intercept Microsoft Office OAuth authentication tokens. At peak activity in December 2025, the campaign ensnared over 18,000 routers across more than 200 organizations and 5,000 consumer devices. By redirecting DNS to attacker-controlled servers, the group performed adversary-in-the-middle attacks on TLS connections, capturing auth tokens post-MFA without deploying any malware. The tactic is notably low-tech but highly effective, and researchers note the group rapidly scaled up this approach after a prior NCSC disclosure forced them to abandon a malware-based method.

From krebsonsecurity.com
