Fancy Bear hijacks 18,000 SOHO routers' DNS to steal Microsoft OAuth tokens
Russia’s GRU-linked APT28 (Forest Blizzard) compromised more than 18,000 unsupported or unpatched MikroTik and TP-Link SOHO routers at the peak of a December 2025 campaign, according to Lumen’s Black Lotus Labs and Microsoft. Rather than deploying malware, the operators exploited known vulnerabilities to rewrite the routers’ DNS settings to point at attacker-controlled resolvers, then pushed those settings to every device on the local network.
With DNS under their control, the attackers ran adversary-in-the-middle attacks against TLS connections to Outlook on the web, intercepting OAuth tokens issued after users had already cleared password and MFA checks. That sidesteps phishing entirely and yields direct account access. Microsoft says it identified over 200 organizations and 5,000 consumer devices ensnared, with targeting concentrated on foreign ministries, law enforcement, and third-party email providers.
The shift to mass DNS hijacking came directly after an August 2025 NCSC report on Forest Blizzard’s prior, malware-based router operations — the group dropped the malware and scaled the simpler technique across every vulnerable device they could reach. The episode lands alongside an FCC move to stop certifying consumer routers manufactured abroad, citing the same class of edge-device risk, though the rule does not retroactively cover gear already in homes and offices.
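One defender-side check for the technique described above, added here as an example rather than anything from the Krebs article or the reports it cites: it pulls the resolvers a LAN host is actually using from its resolv.conf and its DHCP lease and flags any that are not on an allowlist. The router address, LAN subnet, allowlisted ISP resolver and both sample files are constructed assumptions.

```python
import ipaddress
import re

# Assumptions (not from the article): router 192.168.88.1 on 192.168.88.0/24; the only
# other resolver the LAN should see is an ISP/corporate one at placeholder 203.0.113.53.
LAN_NET = ipaddress.ip_network("192.168.88.0/24")
EXPECTED_RESOLVERS = {"192.168.88.1", "203.0.113.53"}

# Constructed sample: resolv.conf as written by a DHCP client on a hijacked LAN.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd from eth0
nameserver 192.168.88.1
nameserver 198.51.100.7
"""

# Constructed sample: the DHCP lease that produced it (dhclient lease-file style).
SAMPLE_LEASE = """\
lease {
  interface "eth0";
  option routers 192.168.88.1;
  option domain-name-servers 192.168.88.1,198.51.100.7;
}
"""

def resolvers_from_resolv_conf(text: str) -> list[str]:
    """Every 'nameserver' entry, in file order."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, flags=re.M)

def resolvers_from_lease(text: str) -> list[str]:
    """Resolvers the DHCP server pushed (option 6), if the lease carries any."""
    m = re.search(r"option domain-name-servers\s+([^;]+);", text)
    return [s.strip() for s in m.group(1).split(",")] if m else []

def audit(resolvers: list[str], expected=EXPECTED_RESOLVERS) -> list[str]:
    """Return one finding per unexpected resolver; an empty list means all clear."""
    findings = []
    for entry in resolvers:
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            findings.append(f"unparseable resolver entry {entry!r}")
            continue
        if str(ip) in expected:
            continue
        where = "on the LAN" if ip in LAN_NET else "off the LAN"
        findings.append(f"unexpected resolver {ip} {where}")
    return findings
```

Run it against the real files on a host (/etc/resolv.conf and the dhclient lease file) and alert on any non-empty result; a resolver that is off the LAN and not on the allowlist is exactly what a DHCP-pushed hijack looks like from the client side.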
Continue reading at Krebs on Security. This is an AI-generated summary; read the original for the full story.