Russian hackers exploited old router flaws to silently steal Microsoft Office login tokens from 18,000 networks.
- Russian hackers compromised 18,000 routers to steal Microsoft Office tokens
- Attackers exploited known flaws in older routers without installing malware
- Over 200 organizations and 5,000 consumer devices were targeted
A hacking group tied to Russia’s military intelligence, the General Staff Main Intelligence Directorate (GRU), quietly turned thousands of older routers into spy tools, silently harvesting Microsoft Office login tokens from users without ever dropping malware. Security researchers at Black Lotus Labs, the threat intelligence arm of network giant Lumen, uncovered the operation, which they say is the work of the hacking crew known as Forest Blizzard, also tracked as APT28 and Fancy Bear. This isn’t some sophisticated hack—it’s a blunt, effective technique that relies on outdated hardware and a simple manipulation of DNS requests to redirect traffic, in some cases without anyone noticing for months.

The hackers didn’t need to install viruses or ransomware. They just needed routers running old, unpatched firmware, often in small businesses, schools, or even homes, where updates get ignored. Once they gained access, they could intercept authentication tokens sent when users logged into Microsoft Office apps, giving them a backdoor into corporate email, cloud files, and other sensitive accounts without triggering any alarms.

Microsoft confirmed in a blog post that the campaign snagged tokens from more than 200 organizations and 5,000 consumer devices across at least 18,000 networks. The attackers didn’t need to hack every device directly. They just needed a foothold in the network, usually through a single vulnerable router, and then they could siphon tokens from anyone using Office 365 or other Microsoft cloud services on that network.

## A familiar name with a history of election interference

Forest Blizzard, the group behind this campaign, has been a thorn in the side of governments and organizations for nearly a decade. They’re the same hackers who broke into the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016. Their goal then, as now, appears to be intelligence gathering rather than destruction or financial gain. Unlike ransomware gangs that leave digital graffiti or cryptocurrency miners that hog bandwidth, Forest Blizzard operates like a traditional spy agency—quiet, patient, and focused on long-term access. They don’t always announce themselves with a bang. Sometimes they just listen.

## How the hack works: no malware, just misdirection

The technique these hackers used is called DNS tampering. They exploited weak credentials or unpatched vulnerabilities in older routers—often models from vendors like Cisco, Netgear, or D-Link—to change how the devices route internet traffic. Instead of sending users to the real Microsoft login pages, the hacked routers redirected requests to fake servers controlled by the attackers. When a user tried to log into Office 365, their browser sent an authentication token to the fake server. The hackers captured that token and used it to access the user’s account directly, bypassing two-factor authentication in many cases.

It’s like a burglar swapping your house keys with a copy without you noticing—except here, the “keys” are digital and the “house” is your work email.

The attack doesn’t require advanced hacking tools. It relies on known flaws that vendors patched years ago, but many users never updated their routers. Black Lotus Labs found evidence that some of the compromised devices had been running outdated firmware for more than five years.

## Who’s at risk and what can be done

The good news is this campaign wasn’t indiscriminate. It targeted organizations and networks where Office tokens would be valuable—likely government agencies, defense contractors, or companies with sensitive intellectual property. The bad news is that many of those targets didn’t even know they were exposed. Consumers could also be caught in the crossfire if their home router was part of a larger network targeted for token theft.

Microsoft says it’s working with network providers to block the malicious DNS servers and has notified affected organizations. But the onus is also on users to update their routers. If you’re still running firmware from 2018 or earlier, your device is a sitting duck. Manufacturers like Cisco, Netgear, and D-Link have released patches for the flaws these hackers exploited. Turn on automatic updates if you haven’t already, or check your router’s admin panel for the latest firmware. If your router is ancient and no longer supported, it’s time to replace it.

This isn’t just about Microsoft Office. Stolen authentication tokens can unlock email, cloud storage, and internal company tools. Once hackers have that access, they can move laterally through a network, stealing files, planting spyware, or even impersonating employees to trick others into sharing more sensitive data.

The lesson here isn’t new, but it’s worth repeating: software gets old, hardware gets forgotten, and hackers love to exploit the gaps. Keep your stuff updated. If you don’t, someone else will do it for you—just not in the way you’d like.
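A defender-side check for the router DNS tampering described under “How the hack works”, added here as an example and not taken from the Krebs article, Black Lotus Labs or Microsoft: it flags DNS servers a router hands out that are not on an expected list, and compares the answers for Microsoft sign-in hostnames seen through the router’s resolver with those from a trusted out-of-band resolver. The hostnames, the allowlist and every address are constructed assumptions (RFC 5737 documentation ranges stand in for real ones); in practice the answer dictionaries would be filled from live queries.

```python
import ipaddress
from typing import Dict, Iterable, List

# Microsoft sign-in hostnames behind the Office 365 logins the article describes
# (assumed set; adjust to the services your users actually sign in to).
LOGIN_HOSTS = ("login.microsoftonline.com", "login.live.com")
# A public login host must never resolve to these from a client on the LAN.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_advertised_resolvers(dhcp_dns: Iterable[str], allowlist: Iterable[str]) -> List[str]:
    """Flag DNS servers the router hands out via DHCP that are not on the expected list;
    quietly changed resolver settings are the classic footprint of router DNS tampering."""
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    return [f"unexpected resolver advertised by router: {s}"
            for s in dhcp_dns if ipaddress.ip_address(s) not in allowed]

def compare_login_answers(via_router: Dict[str, List[str]],
                          via_trusted: Dict[str, List[str]]) -> List[str]:
    """Compare A records for the login hosts seen through the router's resolver with those
    from a trusted out-of-band resolver (e.g. DNS over HTTPS to a known provider).
    Disjoint answers are a prompt to investigate, not proof (CDNs answer by region);
    an RFC1918 or loopback answer for a public login host is a hard red flag."""
    findings = []
    for host in LOGIN_HOSTS:
        router_set = set(via_router.get(host, []))
        trusted_set = set(via_trusted.get(host, []))
        if not router_set:
            findings.append(f"{host}: no answer from router resolver")
            continue
        for ip in sorted(router_set):
            addr = ipaddress.ip_address(ip)
            if addr.is_loopback or any(addr in net for net in RFC1918):
                findings.append(f"{host}: resolves to non-routable {ip} via router")
        if trusted_set and router_set.isdisjoint(trusted_set):
            findings.append(f"{host}: router answers {sorted(router_set)} "
                            f"disjoint from trusted {sorted(trusted_set)}")
    return findings

# Constructed sample (RFC 5737 documentation addresses stand in for real ones): the router
# now advertises a resolver that is not the ISP's and steers one login host elsewhere.
SAMPLE_DHCP_DNS = ["192.168.1.1", "203.0.113.53"]
SAMPLE_ALLOWLIST = ["192.168.1.1", "198.51.100.1", "198.51.100.2"]
SAMPLE_ROUTER_ANSWERS = {"login.microsoftonline.com": ["203.0.113.80"],
                         "login.live.com": ["198.51.100.40"]}
SAMPLE_TRUSTED_ANSWERS = {"login.microsoftonline.com": ["198.51.100.30", "198.51.100.31"],
                          "login.live.com": ["198.51.100.40"]}

def run_checks() -> List[str]:
    return (check_advertised_resolvers(SAMPLE_DHCP_DNS, SAMPLE_ALLOWLIST)
            + compare_login_answers(SAMPLE_ROUTER_ANSWERS, SAMPLE_TRUSTED_ANSWERS))
```

On the sample data `run_checks()` reports the rogue resolver and the one login host whose answers share nothing with the trusted resolver; an empty list means neither check fired.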
What You Need to Know
- Source: Krebs on Security
- Published: April 07, 2026 at 17:02 UTC
- Category: Security
- Topics: #krebs · #security · #cybersecurity · #hacking · #russia-hacked-routers · #steal-microsoft-office
All reporting rights belong to the respective author(s) at Krebs on Security. GlobalBR News summarizes publicly available content to help readers discover the most relevant global news.
Curated by GlobalBR News · April 07, 2026
🇧🇷 Summary in Portuguese
Digital criminals linked to the Russian government are using home and business routers as a springboard to steal Microsoft Office access credentials, exposing 18,000 networks around the world, and Brazil is in the crosshairs.
The technique, dubbed “Stately Taurus” by Microsoft, exploits old flaws in equipment from brands such as Cisco and Netgear that no longer receive updates. The intruders install malware that monitors traffic and captures Office authentication tokens, allowing access to e-mails, documents and virtual meetings without anyone noticing. In Brazil, where millions of small and medium-sized businesses depend on these routers to operate, the risk is even greater: many systems do not even have up-to-date protection, making them easy targets for industrial espionage or coordinated cyberattacks.
Microsoft has already notified the victims and urgently recommends replacing old equipment and adopting multi-factor authentication, a measure that, if ignored, can leave doors open to new cyberattacks.