Russian Hackers Hijacked 18,000 Routers to Steal Microsoft 365 Tokens — Check Yours
Hackers linked to Russia’s military intelligence (GRU) quietly compromised more than 18,000 internet routers to intercept Microsoft Office authentication tokens, as reported by Krebs on Security this week. The campaign, attributed to the group known as APT28 (Fancy Bear), didn’t require any malware — just old, unpatched routers.
The targets were mostly MikroTik and TP-Link devices common in small and home office setups. The attackers exploited known vulnerabilities to silently modify DNS settings, redirecting traffic through servers they controlled. This let them intercept OAuth authentication tokens issued after users completed legitimate Microsoft 365 sign-ins — including MFA — without the user noticing anything unusual.
At its peak in late 2025, the campaign had ensnared routers across more than 200 organisations and 5,000 consumer devices. While the primary targets were government agencies and foreign affairs ministries, the infrastructure included thousands of small business routers that were simply collateral — old, unsupported, and quietly compromised. The FBI has since launched Operation Masquerade to neutralise affected devices on US soil.
Why this matters for Australian SMBs
If your office is still running a router you bought five or more years ago, or one that hasn’t received a firmware update in years, you’re in the risk category. These aren’t sophisticated zero-day attacks — they exploit known, patched vulnerabilities in devices that never got the update. MikroTik and TP-Link gear is widely deployed across Australian small businesses, particularly in regional areas.
What to do
Check your router’s model and firmware version. If it’s end-of-life or no longer receiving updates from the manufacturer, replace it. Make sure DNS settings haven’t been tampered with — your DNS should point to your ISP or a trusted resolver like Cloudflare (1.1.1.1) or Google (8.8.8.8), not an unfamiliar address. If you’re not sure what’s sitting in your comms rack, talk to your IT provider — or reach out to us.
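As an added example (not code from the original article), this script checks the DNS part of that advice from a workstation: it reads the resolvers the router handed out over DHCP and flags any that are neither the router itself nor on a trusted list. The trusted list, the default path /etc/resolv.conf and the sample input are assumptions; add your own ISP's resolvers to the list before relying on it.

```python
import ipaddress
import sys

# Resolvers the article names as trusted, plus their IPv6 counterparts.
# Assumption: your ISP's resolvers also belong here (look them up with your ISP).
TRUSTED_RESOLVERS = {
    "1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001",  # Cloudflare
    "8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "2001:4860:4860::8844",  # Google
}

# RFC 1918 / loopback / link-local ranges: a resolver here is the router (or a local
# stub) forwarding DNS, so its upstream servers must be checked on the router's admin page.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def parse_nameservers(resolv_conf_text):
    """Return the addresses from 'nameserver' lines of resolv.conf-style text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        parts = line.split("#", 1)[0].split()  # ignore comments
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def classify_resolvers(servers, trusted=TRUSTED_RESOLVERS):
    """Sort resolvers into trusted, local (router forwarding) and unexpected."""
    verdict = {"trusted": [], "local": [], "unexpected": []}
    for server in servers:
        try:
            addr = ipaddress.ip_address(server.split("%", 1)[0])  # drop IPv6 zone id
        except ValueError:
            verdict["unexpected"].append(server)  # not even a valid address
            continue
        if str(addr) in trusted:
            verdict["trusted"].append(server)
        elif any(addr in net for net in LOCAL_NETS):
            verdict["local"].append(server)
        else:
            verdict["unexpected"].append(server)
    return verdict

if __name__ == "__main__":
    # Linux/macOS: DHCP-assigned nameservers land in /etc/resolv.conf (assumed default).
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/resolv.conf"
    with open(path) as fh:
        verdict = classify_resolvers(parse_nameservers(fh.read()))
    for kind, addrs in verdict.items():
        print(f"{kind:>10}: {', '.join(addrs) or '-'}")
    if verdict["local"]:
        print("Router is the resolver: verify its upstream DNS servers in the admin page.")
```

A "local" result is normal for most SMB networks, but it only moves the question to the router: open its admin page and compare the upstream DNS servers there against the same trusted list.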