{"id":13600,"date":"2026-04-09T21:10:39","date_gmt":"2026-04-09T21:10:39","guid":{"rendered":"https:\/\/techtrendfeed.com\/?p=13600"},"modified":"2026-04-09T21:10:39","modified_gmt":"2026-04-09T21:10:39","slug":"russia-hacked-routers-to-steal-microsoft-workplace-tokens-krebs-on-safety","status":"publish","type":"post","link":"https:\/\/techtrendfeed.com\/?p=13600","title":{"rendered":"Russia Hacked Routers to Steal Microsoft Workplace Tokens \u2013 Krebs on Safety"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p>Hackers linked to Russia\u2019s army intelligence models are utilizing recognized flaws in older Web routers to mass harvest authentication tokens from <strong>Microsoft Workplace<\/strong> customers, safety specialists warned at the moment. The spying marketing campaign allowed state-backed Russian hackers to quietly siphon authentication tokens from customers on greater than 18,000 networks with out deploying any malicious software program or code.<\/p>\n<p>Microsoft stated in <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/04\/07\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\/\" target=\"_blank\" rel=\"noopener\">a weblog publish<\/a> at the moment it recognized greater than 200 organizations and 5,000 shopper gadgets that have been caught up in a stealthy however remarkably easy spying community constructed by a Russia-backed risk actor often known as \u201c<strong>Forest Blizzard<\/strong>.\u201d<\/p>\n<div id=\"attachment_73429\" style=\"width: 774px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" aria-describedby=\"caption-attachment-73429\" decoding=\"async\" class=\"size-full wp-image-73429\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/04\/lumen-forestblizzard.png\" alt=\"\" width=\"764\" height=\"353\"\/><\/p>\n<p id=\"caption-attachment-73429\" class=\"wp-caption-text\">How focused DNS requests have been redirected on the router. Picture: Black Lotus Labs.<\/p>\n<\/div>\n<p>Also referred to as <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/groups\/G0007\/\" target=\"_blank\" rel=\"noopener\">APT28<\/a> and Fancy Bear, Forest Blizzard is attributed to the army intelligence models inside Russia\u2019s Common Employees Important Intelligence Directorate (GRU). APT 28 famously compromised the Hillary Clinton marketing campaign, the Democratic Nationwide Committee, and the Democratic Congressional Marketing campaign Committee in 2016 in an try to intrude with the U.S. presidential election.<\/p>\n<p>Researchers at <strong>Black Lotus Labs<\/strong>, a safety division of the Web spine supplier <strong>Lumen<\/strong>, discovered that on the peak of its exercise in December 2025, Forest Blizzard\u2019s surveillance dragnet ensnared greater than 18,000 Web routers that have been largely unsupported, end-of-life routers, or else far behind on safety updates. A <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.lumen.com\/blog-and-news\/en-us\/frostarmada-forest-blizzard-dns-hijacking\" target=\"_blank\" rel=\"noopener\">new report<\/a> from Lumen says the hackers primarily focused authorities businesses\u2014together with ministries of overseas affairs, legislation enforcement, and third-party electronic mail suppliers.<\/p>\n<p>Black Lotus Safety Engineer <strong>Ryan English<\/strong> stated the GRU hackers didn&#8217;t want to put in malware on the focused routers, which have been primarily older <strong>Mikrotik<\/strong> and <strong>TP-Hyperlink <\/strong>gadgets marketed to the Small Workplace\/House Workplace (SOHO) market.\u00a0As an alternative, they used recognized vulnerabilities to switch the Area Identify System (DNS) settings of the routers to incorporate DNS servers managed by the hackers.<\/p>\n<p>Because the U.Okay.\u2019s <strong>Nationwide Cyber Safety Centre<\/strong> (NCSC) notes in <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.ncsc.gov.uk\/news\/apt28-exploit-routers-to-enable-dns-hijacking-operations\" target=\"_blank\" rel=\"noopener\">a brand new advisory<\/a> detailing how Russian cyber actors have been compromising routers, DNS is what permits people to achieve web sites by typing acquainted addresses, as a substitute of related IP addresses. In a DNS hijacking assault, dangerous actors intrude with this course of to covertly ship customers to malicious web sites designed to steal login particulars or different delicate data.<\/p>\n<p>English stated the routers attacked by Forest Blizzard have been reconfigured to make use of DNS servers that pointed to a handful of digital personal servers managed by the attackers. Importantly, the attackers may then propagate their malicious DNS settings to all customers on the native community, and from that time ahead intercept any <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity-platform\/v2-oauth2-auth-code-flow\" target=\"_blank\" rel=\"noopener\">OAuth authentication tokens<\/a> transmitted by these customers.<span id=\"more-73422\"\/><\/p>\n<div id=\"attachment_73428\" style=\"width: 757px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-73428\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-73428\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/04\/ms-dns-forestblizard.png\" alt=\"\" width=\"747\" height=\"544\"\/><\/p>\n<p id=\"caption-attachment-73428\" class=\"wp-caption-text\">DNS hijacking by means of router compromise. Picture: Microsoft.<\/p>\n<\/div>\n<p>As a result of these tokens are sometimes transmitted solely <em>after<\/em> the consumer has efficiently logged in and gone by means of multi-factor authentication, the attackers may achieve direct entry to sufferer accounts with out ever having to phish every consumer\u2019s credentials and\/or one-time codes.<\/p>\n<p>\u201cEveryone seems to be on the lookout for some subtle malware to drop one thing in your cell gadgets or one thing,\u201d English stated. \u201cThese guys didn\u2019t use malware. They did this in an old-school, graybeard approach that isn\u2019t actually horny nevertheless it will get the job accomplished.\u201d<\/p>\n<p>Microsoft refers back to the Forest Blizzard exercise as utilizing DNS hijacking \u201cto help post-compromise adversary-in-the-middle (AiTM) assaults on Transport Layer Safety (TLS) connections towards Microsoft Outlook on the net domains.\u201d The software program large stated whereas concentrating on SOHO gadgets isn\u2019t a brand new tactic, that is the primary time Microsoft has seen Forest Blizzard utilizing \u201cDNS hijacking at scale to help AiTM of TLS connections after exploiting edge gadgets.\u201d<\/p>\n<p>Black Lotus Labs engineer <strong>Danny Adamitis<\/strong> stated it is going to be fascinating to see how Forest Blizzard reacts to at the moment\u2019s flurry of consideration to their espionage operation, noting that the group instantly switched up its ways in response to <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.ncsc.gov.uk\/sites\/default\/files\/documents\/ncsc-mar-authentic_antics.pdf\" target=\"_blank\" rel=\"noopener\">an analogous NCSC report<\/a> (PDF) in August 2025. On the time, Forest Blizzard was utilizing malware to regulate a much more focused and smaller group of compromised routers. However Adamitis stated the day after the NCSC report, the group shortly ditched the malware strategy in favor of mass-altering the DNS settings on hundreds of susceptible routers.<\/p>\n<p>\u201cEarlier than the final NCSC report got here out they used this functionality in very restricted cases,\u201d Adamitis informed KrebsOnSecurity. \u201cAfter the report was launched they carried out the aptitude in a extra systemic vogue and used it to focus on every part that was susceptible.\u201d<\/p>\n<p>TP-Hyperlink was among the many router makers <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/krebsonsecurity.com\/2025\/11\/drilling-down-on-uncle-sams-proposed-tp-link-ban\/\" target=\"_blank\" rel=\"noopener\">going through an entire ban<\/a> in the USA. However on March 23, the <strong>U.S. Federal Communications Commissio<\/strong>n (FCC) took a wider strategy, <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.fcc.gov\/document\/fcc-updates-covered-list-include-foreign-made-consumer-routers\" target=\"_blank\" rel=\"noopener\">asserting<\/a> it will now not certify consumer-grade Web routers which can be produced outdoors of the USA.<\/p>\n<p>The FCC warned that foreign-made routers had grow to be an untenable nationwide safety risk, and that poorly-secured routers current \u201ca extreme cybersecurity threat that may very well be leveraged to instantly and severely disrupt U.S. crucial infrastructure and immediately hurt U.S. individuals.\u201d<\/p>\n<p>Consultants have countered that few new consumer-grade routers can be out there for buy below this new FCC coverage (apart from possibly Musk\u2019s Starlink satellite tv for pc Web routers, that are produced in Texas). The FCC says router makers can apply for a particular \u201cconditional approval\u201d from the Division of Warfare or Division of Homeland Safety, and that the brand new coverage doesn&#8217;t have an effect on any previously-purchased consumer-grade routers.<\/p>\n<\/p><\/div>\n\n","protected":false},"excerpt":{"rendered":"<p>Hackers linked to Russia\u2019s army intelligence models are utilizing recognized flaws in older Web routers to mass harvest authentication tokens from Microsoft Workplace customers, safety specialists warned at the moment. The spying marketing campaign allowed state-backed Russian hackers to quietly siphon authentication tokens from customers on greater than 18,000 networks with out deploying any malicious [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":13602,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[173,262,618,6587,7734,1539,211,1443,6356],"class_list":["post-13600","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-hacked","tag-krebs","tag-microsoft","tag-office","tag-routers","tag-russia","tag-security","tag-steal","tag-tokens"],"_links":{"self":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/13600","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=13600"}],"version-history":[{"count":1,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/13600\/revisions"}],"predecessor-version":[{"id":13601,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/13600\/revisions\/13601"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/media\/13602"}],"wp:attachment":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=13600"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=13600"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=13600"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}<!-- This website is optimized by Airlift. Learn more: https://airlift.net. Template:. Learn more: https://airlift.net. Template: 69c6f7b5190636d50e9f6768. Config Timestamp: 2026-03-27 21:33:41 UTC, Cached Timestamp: 2026-04-10 00:46:01 UTC -->