How Russian Hackers Exploited Old Routers to Hijack OAuth Tokens: A Technical Breakdown

Overview

In a sophisticated yet surprisingly low-tech espionage campaign, threat actors linked to Russia's GRU (known as Forest Blizzard, APT28, or Fancy Bear) have been exploiting outdated home and small office routers to stealthily harvest OAuth authentication tokens from Microsoft Office users. At its peak in December 2025, the operation compromised over 18,000 routers—primarily end-of-life MikroTik and TP-Link devices—affecting more than 200 organizations and 5,000 consumer devices. No malware was deployed; instead, attackers exploited known vulnerabilities to modify DNS settings, redirecting traffic to attacker-controlled servers that intercepted OAuth tokens after legitimate user authentication.

This guide explains the technical steps behind the attack, from identifying vulnerable routers to intercepting tokens, and provides actionable insights for defenders.

Prerequisites

Before diving into the attack mechanics, readers should have a basic understanding of:

• DNS (Domain Name System): How domain names resolve to IP addresses.
• OAuth 2.0: The token-based authentication framework used by Microsoft Office and many web services.
• Router configuration basics: Web interfaces, DNS settings, and firmware updates.
• Network security fundamentals: How MITM (Man-in-the-Middle) attacks work.

No specialized tools are required to follow along conceptually, but knowledge of command-line utilities like curl or nslookup is helpful for practical testing.

Step-by-Step Guide

Step 1: Identifying Vulnerable Routers

The attackers (Forest Blizzard) focused on routers that were either end-of-life or far behind on security patches. The primary targets were MikroTik and TP-Link devices marketed to small office/home office (SOHO) users. These devices often have known CVEs (e.g., CVE-2018-14847 for MikroTik WinBox, or unpatched TP-Link vulnerabilities) that allow remote configuration changes without authentication. Attackers scan the internet for such devices using Shodan or similar services, looking for exposed management interfaces on ports 80, 443, or 8291 (MikroTik WinBox).

Defender tip: Regularly check for firmware updates and disable remote management if not strictly needed.

Step 2: Exploiting Known Vulnerabilities Without Malware

Unlike many attacks that require implanting malicious code, Forest Blizzard used existing vulnerabilities to alter router configurations. For example, on MikroTik routers, the attackers could exploit the WinBox vulnerability to gain admin access and then modify DNS settings via the router's web interface or CLI (SSH). No files were dropped; only configuration changes were made. This made detection difficult because no antivirus or EDR would trigger.

Example (conceptual): Using a script to change the DNS server list on a MikroTik router:
/ip dns set servers=198.51.100.1,198.51.100.2
(The IPs shown are hypothetical; real attackers used specific attacker-controlled VPS.)

Step 3: Modifying DNS Settings to Point to Attacker-Controlled Servers

Once inside the router, attackers changed the DNS resolver settings from the default (e.g., Google 8.8.8.8 or ISP-provided) to DNS servers they controlled. These servers were hosted on virtual private servers (VPS) under the attackers' control. The modified DNS settings applied to all devices on the local network, including computers, phones, and IoT devices. The attackers didn't need to compromise individual endpoints—they simply poisoned the network's DNS.

Verification step: After the change, a user's system would, for example, resolve login.microsoftonline.com to an attacker's IP instead of Microsoft's.

Step 4: DNS Hijacking to Intercept Traffic

With DNS control, attackers could redirect requests for legitimate domains to phishing sites or proxy servers. For instance, when a user tried to access Microsoft's authentication endpoint (https://login.microsoftonline.com), their browser would be redirected to a malicious server that mimicked the real login page. The attacker's server would then proxy the request to Microsoft, capture the OAuth token returned after successful login, and forward it to the attacker.

This DNS hijacking allowed the attackers to silently siphon OAuth tokens without users noticing anything unusual. The token is normally transmitted in HTTP headers (e.g., Authorization: Bearer <token>) and is sent after the user authenticates. Since the attacker's DNS controlled the resolution, the token went through their server before reaching Microsoft.

Step 5: Intercepting OAuth Tokens at Scale

OAuth tokens are the keys to the kingdom. Once the attacker obtained a token, they could impersonate the user in Microsoft Office services, accessing email, files, and other cloud resources. The attack scale is impressive: over 18,000 routers were compromised, affecting 200+ organizations (mostly government ministries of foreign affairs, law enforcement, and third-party email providers) and 5,000 consumer devices.

The tokens were harvested in real-time as users logged in. Because the token is typically valid for several hours (or renewed via refresh token), the attackers could maintain persistent access.

Common Mistakes to Avoid

1. Using default or weak router credentials: Many SOHO routers ship with admin/admin or similar defaults. Attackers easily brute-force or use default passwords to gain access.
2. Neglecting firmware updates: End-of-life routers no longer receive patches, making them low-hanging fruit. Always update or replace unsupported hardware.
3. Assuming small office routers are low-risk: Even home routers can be entry points to sensitive data if used for work or accessing corporate services.
4. Ignoring DNS monitoring: Organizations often focus on endpoint security but neglect network-level logging. A sudden change in DNS resolution patterns can be an early indicator of compromise.
5. Overlooking token expiration policies: Even if tokens are stolen, shorter lifespans and strict refresh token policies can limit the damage. Ensure your OAuth implementation uses proper expiration and rotation.

Summary

Forest Blizzard's attack demonstrates that sophisticated state-sponsored hacking doesn't always require custom malware or zero-day exploits. By targeting outdated routers and abusing DNS hijacking, they stole OAuth tokens from thousands of networks affecting hundreds of organizations. Understanding this attack chain underscores the importance of router hygiene, network monitoring, and robust OAuth security practices. Regular firmware updates, strong passwords, and DNS-level anomaly detection are critical defenses against such stealthy token theft campaigns.