Russian GRU Hijacks 18,000 Routers to Steal Microsoft Office OAuth Tokens
What Happened — State‑backed Russian GRU actors (APT28/Forest Blizzard) compromised more than 18,000 legacy routers, re‑routing DNS to attacker‑controlled servers and silently harvesting Microsoft Office OAuth tokens. No malware was installed; the attack relied on known router vulnerabilities and DNS hijacking.
Why It Matters for TPRM —
- Token theft bypasses multi‑factor authentication, exposing confidential corporate data.
- The campaign targets government and SOHO networks, highlighting supply‑chain risk from outdated hardware.
- Third‑party vendors that provide or manage network infrastructure may inadvertently expose clients.
Who Is Affected — Government ministries, law‑enforcement agencies, third‑party email providers, and any organization using unsupported MikroTik or TP‑Link routers.
Recommended Actions —
- Inventory all routers, prioritize replacement of end‑of‑life devices.
- Verify DNS settings on network equipment; revert any unauthorized changes.
- Enforce token‑level security controls (e.g., conditional access, token revocation) for Office 365 users.
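As an added illustration of the second action above (example code, not from the source article), a small Python check that flags router resolver settings outside an approved set and compares A‑record answers for identity endpoints between the device's resolver and a trusted resolver; the approved networks, sample config export, hostnames used as data, and all IP addresses are constructed.

```python
"""Defensive checks for router DNS hijacking of the kind described above.

  1. Resolvers a device hands out must be in the approved set.
  2. A-record answers for identity endpoints obtained via the device's
     resolver must not contain addresses a trusted resolver never returned.
All networks, addresses and the sample config below are constructed.
"""
import ipaddress
import re

# Approved resolver networks (constructed; substitute your own).
APPROVED_RESOLVERS = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "9.9.9.9/32")]

# Hosts whose hijack would let an attacker sit in the OAuth flow.
IDENTITY_HOSTS = ("login.microsoftonline.com", "outlook.office365.com")

# Constructed export in a RouterOS-like syntax, one device per line.
SAMPLE_CONFIG = """
/ip dns set servers=10.0.0.53
/ip dns set servers=10.0.0.53,198.51.100.7
"""


def unapproved_resolvers(config_text):
    """Return resolver IPs in a config export that fall outside APPROVED_RESOLVERS."""
    found = []
    for match in re.finditer(r"servers=([\d.,]+)", config_text):
        for ip in match.group(1).split(","):
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in APPROVED_RESOLVERS):
                found.append(ip)
    return found


def mismatched_answers(device_answers, trusted_answers, hosts=IDENTITY_HOSTS):
    """Compare A-record sets per host: device resolver vs trusted resolver.

    Both inputs map hostname -> iterable of IPs. A host is flagged when the
    device resolver returns any address absent from the trusted answer set;
    sets are compared because answer order is not meaningful.
    """
    flagged = {}
    for host in hosts:
        extra = set(device_answers.get(host, ())) - set(trusted_answers.get(host, ()))
        if extra:
            flagged[host] = sorted(extra)
    return flagged


if __name__ == "__main__":
    print("unapproved resolvers:", unapproved_resolvers(SAMPLE_CONFIG))
```

Anycast and CDN-fronted endpoints can legitimately answer differently by vantage point, so treat a mismatch as a lead to confirm against the provider's published address ranges rather than as proof of hijack.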
Technical Notes — Attack vector: exploitation of known router firmware flaws → DNS hijacking → interception of OAuth tokens transmitted after MFA. No CVE numbers were disclosed in the source article. Data types stolen: Microsoft Office OAuth access tokens, potentially granting read/write access to email, documents, and Teams. Source: Krebs on Security