Hasty Briefs

Russia Hacked Routers to Steal Microsoft Office Tokens

8 hours ago
Tags: #DNS_hijacking #cybersecurity #Russia

  • Russian military intelligence hackers (Forest Blizzard/APT28) used known vulnerabilities in older SOHO routers to mass-harvest OAuth authentication tokens from Microsoft Outlook users.
  • The attack involved DNS hijacking of over 18,000 routers, mainly unsupported MikroTik and TP-Link devices, to redirect users to attacker-controlled servers and intercept tokens without deploying malware.
  • Victims included government agencies and over 200 organizations; attackers bypassed multi-factor authentication by relying on users clicking through the TLS certificate warnings that the interception produced, which users often ignore.
  • The U.S. FCC responded by banning certification of foreign-made consumer routers due to national security risks, though experts warn this may limit router availability.
  • Forest Blizzard adapts tactics quickly, as seen when they switched from malware to mass DNS hijacking after previous security reports.