Key Takeaway
The Forest Blizzard APT group exploits vulnerabilities in outdated routers to intercept Microsoft Office user tokens. By hijacking DNS rather than deploying traditional malware, the campaign affected over 18,000 networks. Swift security updates and hardened DNS configurations are necessary to mitigate the risk.
What Happened
APT28, a Russian state-sponsored threat actor also known as Forest Blizzard and Fancy Bear, has been exploiting vulnerabilities in outdated Internet routers to silently collect authentication tokens from Microsoft Office users. The campaign bypassed traditional malware deployment, leveraging known flaws in these routers to alter DNS settings, thereby capturing tokens from users across more than 18,000 networks. This mass surveillance effort, primarily active until December 2025, went largely undetected due to its reliance on exploiting pre-existing vulnerabilities in SOHO routers.
Microsoft, in collaboration with Black Lotus Labs, identified more than 200 organizations and 5,000 consumer devices implicated in this stealthy operation. The attackers, linked to Russia's GRU military intelligence units, utilized these compromised devices to propagate DNS hijacking, redirecting network traffic through malicious servers under their control.
Technical Details
The attack exploited older, unsupported MikroTik and TP-Link routers, widely used in small office/home office (SOHO) environments. By exploiting unpatched vulnerabilities in these devices, the attackers managed to alter the Domain Name System (DNS) settings to include DNS servers they controlled. This approach effectively diverted legitimate traffic, enabling adversary-in-the-middle (AiTM) attacks.
No new malware was installed; instead, attackers used DNS hijacking to intercept OAuth authentication tokens typically transmitted during secure sessions with Microsoft Outlook and other services. This method allowed the actors to bypass multi-factor authentication (MFA) and gain access to user accounts. The UK’s National Cyber Security Centre (NCSC) detailed how compromised routers facilitated this large-scale espionage operation.
The campaign highlights the attackers' shift from deploying malware on targeted networks to manipulating DNS settings, a tactic that enabled them to capture sensitive information without the need for direct endpoint compromise.
Impact
The primary targets of this campaign were government agencies, including ministries of foreign affairs and law enforcement, along with third-party email service providers. The operation also affected a wide range of consumers reliant on legacy router technology, significantly expanding the potential impact.
The consequences included unauthorized access to sensitive data across a multitude of sectors, potentially compromising national security and exposing personal and corporate information. The scale of this operation, involving thousands of routers and networks, underscores the pressing need for up-to-date network infrastructure.
What To Do
- Patch and Update: Ensure all network devices, especially SOHO routers, are updated with the latest vendor patches. Transition away from unsupported models.
- DNS Monitoring: Establish robust monitoring for any unauthorized changes to DNS settings and implement alerts for suspicious activity.
- Network Segmentation: Implement proper network segmentation to limit the potential spread of malicious configurations.
- Threat Intelligence Integration: Utilize threat intelligence feeds to update lists of malicious DNS servers and potential IoCs.
Security teams must prioritize the remediation of outdated equipment while employing network monitoring solutions to detect alterations in DNS configurations. Implementing these protective measures will significantly reduce the risk of similar exploitation and safeguard against unauthorized data access.
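As an added example (not from the article or any vendor), the DNS Monitoring step above can be made concrete with a small audit that parses router configuration exports and flags resolvers that drift from an approved list, the change at the heart of the hijack described in Technical Details. The export syntax only loosely resembles RouterOS `/ip dns` output and is an assumption, and the hostnames and addresses are constructed.

```python
"""Resolver-drift audit for SOHO routers: flag any configured upstream DNS
server that is not on the approved list. Inputs are constructed; the export
syntax only resembles a RouterOS '/ip dns' export and is an assumption."""
import ipaddress
import re

# Approved resolvers for this network (constructed example values).
APPROVED_RESOLVERS = {"192.0.2.53", "2001:db8::53"}

# Constructed config exports keyed by hostname; format is assumed.
ROUTER_EXPORTS = {
    "branch-rtr-01": "/ip dns\nset servers=192.0.2.53,2001:db8::53\n",
    "branch-rtr-02": "/ip dns\nset servers=192.0.2.53,198.51.100.7\n",
    "home-rtr-07": "/ip dns\nset servers=203.0.113.9\n",
    "home-rtr-09": "/ip dns\nset servers=\n",
}

SERVERS_RE = re.compile(r"\bservers=(\S*)")


def parse_dns_servers(export_text):
    """Return normalized resolver IPs from an export; tokens that are not
    valid IPs are dropped rather than allowed to abort the whole audit."""
    match = SERVERS_RE.search(export_text)
    if not match:
        return []
    servers = []
    for token in match.group(1).split(","):
        try:
            servers.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue
    return servers


def audit_routers(exports, approved):
    """Return {hostname: finding} for routers needing attention. An empty
    resolver list is reported too: a reset or truncated export deserves a
    look, and silently passing it would hide exactly the change we watch for."""
    findings = {}
    for host, text in exports.items():
        configured = parse_dns_servers(text)
        rogue = sorted(s for s in configured if s not in approved)
        if not configured:
            findings[host] = "no resolvers parsed"
        elif rogue:
            findings[host] = "unapproved resolvers: " + ", ".join(rogue)
    return findings
```

Run on a scheduled pull of device exports, a non-empty result from `audit_routers` is the alert condition; pair it with a check that the DHCP-advertised resolvers match the same allowlist.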
Original Source: Krebs on Security