APT28 Hijacked 18,000 SOHO Routers to Silently Steal Microsoft Office Auth Tokens | Threat Intel
Russia's Forest Blizzard (APT28/Fancy Bear) exploited known vulnerabilities in end-of-life MikroTik and TP-Link routers to mass-harvest Microsoft OAuth tokens…
Published on MyPrivateClaw, Apr 8, 2026, 8:58 AM UTC
Coverage date: Apr 8, 2026
Last updated: Apr 10, 2026, 11:35 AM UTC
News summary
No Malware Required

In a campaign that security researchers are calling a masterclass in low-noise espionage, Russia's military intelligence unit Forest Blizzard — also known as APT28 or Fancy Bear — compromised over 18,000 small office/home office (SOHO) routers to silently harvest Microsoft Office authentication tokens from more than 200 organizations and 5,000 consumer devices. The operation, active since at least August 2025 and peaking in December 2025, required no malware installation on target systems. Instead, the GRU-linked hackers exploited known vulnerabilities in predominantly end-of-life MikroTik and TP-Link routers to modify their DNS settings, redirecting traffic through attacker-controlled servers.

How the Attack Worked

Black Lotus Labs, the security research division of Lumen Technologies, documented the attack chain in detail. The attackers reconfigured compromised rou…
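As an added example (not code from this page or from Black Lotus Labs), the check below shows how a defender sitting behind a SOHO router can spot the kind of DNS tampering described above: it verifies that the resolvers the router hands out are on an allowlist, and that the router's answers for Microsoft sign-in hosts overlap with answers from a trusted out-of-band resolver. The hostnames are the real Microsoft sign-in endpoints; every IP address, resolver address and resolver response in the sample data is constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Sequence, Set

Resolver = Callable[[str], Set[str]]  # hostname -> set of IPv4 answers

# Microsoft sign-in hosts whose traffic the campaign redirected; the IPs used
# in the sample data further down are constructed, not real.
WATCHED_HOSTS = ("login.microsoftonline.com", "login.live.com")


@dataclass
class Finding:
    kind: str
    detail: str


def check_router_dns(configured_dns: Sequence[str], allowed_dns: Set[str],
                     local_resolve: Resolver, trusted_resolve: Resolver,
                     hosts: Sequence[str] = WATCHED_HOSTS) -> List[Finding]:
    """Two independent checks against router-level DNS tampering.

    1. Every resolver the router hands out via DHCP must be on the allowlist
       (your ISP's or your own resolvers); rewritten settings hand out others.
    2. Answers for the watched hosts obtained through the router must overlap
       with answers from a trusted resolver queried out of band (e.g. DoH).
       These hosts sit behind CDNs, so a disjoint answer set is reported as
       'suspect', not as proof of hijacking.
    """
    findings: List[Finding] = []
    for server in configured_dns:
        if server not in allowed_dns:
            findings.append(Finding("unexpected_resolver",
                                    f"router advertises DNS server {server}"))
    for host in hosts:
        local, trusted = local_resolve(host), trusted_resolve(host)
        if not local:
            findings.append(Finding("no_answer", f"{host}: empty local answer"))
        elif local.isdisjoint(trusted):
            findings.append(Finding("suspect_answer",
                                    f"{host}: local {sorted(local)} vs trusted {sorted(trusted)}"))
    return findings


# Constructed scenario: the router still advertises itself (allowed) plus a
# rogue upstream, and its forwarded answer for the sign-in host is a rogue IP.
ROGUE_LOCAL = {"login.microsoftonline.com": {"203.0.113.10"}, "login.live.com": {"198.51.100.7"}}
TRUSTED = {"login.microsoftonline.com": {"198.51.100.7", "198.51.100.8"}, "login.live.com": {"198.51.100.7"}}


def demo() -> List[Finding]:
    return check_router_dns(configured_dns=["192.168.1.1", "192.0.2.53"],
                            allowed_dns={"192.168.1.1", "9.9.9.9"},
                            local_resolve=lambda h: ROGUE_LOCAL.get(h, set()),
                            trusted_resolve=lambda h: TRUSTED.get(h, set()))
```

In a real deployment, `local_resolve` would query the resolver obtained from DHCP and `trusted_resolve` would query a resolver reached over an encrypted, pinned channel, so that a tampered router cannot influence both sides of the comparison.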