Cybersecurity

How Russian Hackers Exploited Routers to Steal OAuth Tokens: A Step-by-Step Breakdown

2026-04-30 20:01:34

Introduction

In a sophisticated cyber espionage campaign, Russian military intelligence hackers—tracked as Forest Blizzard (also APT28 or Fancy Bear)—used compromised routers to silently harvest authentication tokens from Microsoft 365 (formerly Office 365) users. Instead of deploying malware on the targeted routers, they exploited known vulnerabilities to alter DNS settings, redirecting users to malicious servers that intercepted OAuth tokens. This guide breaks down the attack into clear, numbered steps, explaining the prerequisites, execution, and defensive measures. Understanding this method helps organizations and individuals recognize and mitigate similar threats.


What You Need to Understand This Attack

Step-by-Step Account of the Attack

Step 1: Identify and Access Vulnerable Routers

The hackers scanned the internet for routers running old firmware with known, publicly disclosed vulnerabilities. They focused on two vendor families: MikroTik and TP-Link, particularly models that were end-of-life or far behind on security updates. Using automated tools, they attempted to exploit default credentials or unpatched remote code execution flaws (e.g., CVE-2018-14847 for MikroTik). Successful exploitation gave them administrative control over the router without installing any malware—they could change configuration settings directly.

Step 2: Modify the Router’s DNS Settings

Once inside the router’s web interface or command-line interface, the attackers altered the DNS server settings. They replaced the legitimate DNS servers (e.g., those supplied by the ISP) with the IP addresses of their own virtual private servers. The change was made in the router’s DHCP configuration, so every device on the local network automatically received the rogue DNS server whenever it requested a dynamic IP address.

Step 3: Configure Malicious DNS Servers

On their VPS, the hackers set up DNS servers that would respond to queries for Microsoft-related domains (e.g., login.microsoftonline.com, outlook.office365.com). Instead of returning the real IP address, the rogue DNS servers returned the IP of a server controlled by the hackers—one that ran a fake Microsoft authentication portal. This step ensured that any user trying to access Office 365 services would be redirected to the attacker’s malicious site.

Step 4: Intercept OAuth Authentication Tokens

When a user on the compromised network tried to reach Office 365, the DNS hijack sent them to the fake login page, where they typed in their email and password. The fake page captured the credentials and then forwarded them to the real Microsoft server, completing the login. More critically, because OAuth tokens are transmitted after a successful login, the attacker’s server intercepted those tokens. Tokens are passed in HTTP headers or URL parameters, and the malicious server logged them silently. Once captured, the hackers could reuse a token to access the user’s Microsoft data (emails, files, etc.) without needing the password again, since the token provides short-lived but powerful access.


Step 5: Scale and Maintain Persistent Access

Forest Blizzard’s operation compromised over 18,000 routers by late 2025, affecting more than 200 organizations and 5,000 consumer devices. The hackers targeted government agencies, ministries of foreign affairs, law enforcement, and third-party email providers. By leaving the routers otherwise operational, they avoided detection—no malware, no unusual traffic spikes. They simply changed DNS settings, which are rarely monitored for integrity. The attack chain required no interaction with end-user devices; anyone connected to a compromised router was automatically at risk.
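Step 5 notes that DNS settings are rarely monitored for integrity. The following added example (not from the original article or from any vendor) shows two such integrity checks a defender could run: comparing the DNS servers a router advertises via DHCP against an allowlist (catches the Step 2 tampering), and comparing LAN-observed answers for the Microsoft login domains named in Step 3 against answers from a trusted out-of-band resolver (catches the rogue responses). All IP addresses, log lines and the log format are constructed for illustration.

```python
import ipaddress
import re

# DNS servers the router is supposed to hand out via DHCP (constructed values).
DNS_ALLOWLIST = {ipaddress.ip_address("192.0.2.53"), ipaddress.ip_address("192.0.2.54")}
# Constructed sample resolver log: what clients on the LAN actually received.
SAMPLE_LOG = [
    "2025-11-02T10:14:03Z client=192.168.88.20 server=203.0.113.9 qname=login.microsoftonline.com answer=203.0.113.45",
    "2025-11-02T10:14:05Z client=192.168.88.20 server=203.0.113.9 qname=example.org answer=192.0.2.80",
    "2025-11-02T10:15:11Z client=192.168.88.31 server=192.0.2.53 qname=outlook.office365.com answer=198.51.100.10",
]
# Constructed answers from a trusted out-of-band resolver for the watched names.
TRUSTED_ANSWERS = {
    "login.microsoftonline.com": {"198.51.100.20"},
    "outlook.office365.com": {"198.51.100.10"},
}
LOG_RE = re.compile(r"client=(?P<client>\S+) server=(?P<server>\S+) "
                    r"qname=(?P<qname>\S+) answer=(?P<answer>\S+)")


def parse_dns_log(lines):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LOG_RE.search, lines) if m]


def rogue_dhcp_dns(advertised, allowlist=DNS_ALLOWLIST):
    """DHCP-advertised DNS servers not on the allowlist (Step 2 tampering)."""
    return sorted(s for s in advertised if ipaddress.ip_address(s) not in allowlist)


def hijacked_answers(records, trusted=TRUSTED_ANSWERS):
    """Watched names whose LAN answer disagrees with the trusted resolver (Step 3)."""
    findings = []
    for r in records:
        qname = r["qname"].rstrip(".").lower()
        if qname in trusted and r["answer"] not in trusted[qname]:
            findings.append((r["client"], qname, r["answer"], r["server"]))
    return findings


if __name__ == "__main__":
    for s in rogue_dhcp_dns(["192.0.2.53", "203.0.113.9"]):
        print(f"ALERT rogue DHCP DNS server: {s}")
    for client, qname, answer, server in hijacked_answers(parse_dns_log(SAMPLE_LOG)):
        print(f"ALERT {client} got {qname} -> {answer} from {server}")
```

In practice the trusted answers would come from a resolver reached outside the suspect router (for example over DNS-over-HTTPS), and the advertised servers from a DHCP lease captured on the LAN.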

Tips to Defend Against This Type of Attack

Understanding the mechanics behind the Forest Blizzard campaign shows how low-tech router attacks can lead to high-value credential theft. By applying these defensive tips, organizations can close the door on DNS hijacking.