Russian Hackers Are Vacuuming Microsoft Office Tokens from 18,000+ Routers—No Malware Needed
Russian military intelligence hackers, tracked as Forest Blizzard, are exploiting ancient router flaws to silently steal Microsoft Office authentication tokens from users across thousands of networks.[1]
Black Lotus Labs at Lumen uncovered this espionage op peaking in December 2025, hitting over 18,000 mostly end-of-life routers without dropping a single piece of malware.[1]
The Dirty Tech Details
These spies leverage known vulnerabilities in unsupported or unpatched routers—think ancient Cisco or Netgear gear long past its prime. They intercept traffic to harvest tokens from Office 365 logins, targeting government ministries, law enforcement, and email providers. No CVEs named in the latest drop, but the routers are “far behind on security updates,” making them sitting ducks.[1]
Forest Blizzard (aka APT44 or Sandworm) has form here—state-backed pros who pivot from network access to deep credential theft. Peak activity snared 18k devices, proving scale without exploits or payloads.[1]
So What? Why Devs and Sec Teams Should Sweat This
If your org runs legacy routers or skimps on firmware updates, you’re gift-wrapping Office creds for Putin’s crew. Devs: Audit your supply chain and IoT endpoints now—unsupported hardware is a token piñata. Sec teams: Patch routers yesterday, segment Office traffic, and hunt for anomalous token use. This isn’t smash-and-grab; it’s quiet, persistent spying that bypasses EDR entirely.[1]
One unpatched edge device, and boom—your MFA, endpoints, everything’s compromised via stolen sessions.
My Take: Wake Up and Patch, or Get Played
This is peak lazy genius: Why code malware when old routers do the stealing? Russia’s proving nation-states don’t need zero-days anymore—neglected infra is enough. Ditch the EOL junk, enforce updates religiously, or watch your tokens march to Moscow. Sec pros, this is your 4AM fire drill.[1]
