Russia Hacked Routers to Steal Microsoft Office Tokens
NetworkUstad — Russian state-sponsored hackers compromised routers to steal Microsoft Office authentication tokens, U.S. cybersecurity officials reported on Friday. The operation targeted enterprise networks to gain persistent access to corporate email systems.
Attack Method
The hackers, linked to Russia’s SVR intelligence agency, exploited vulnerabilities in widely used routers from multiple vendors. They installed custom malware on these devices to intercept traffic and capture OAuth tokens used for Microsoft 365 services. These tokens allowed attackers to impersonate legitimate users without needing passwords.
According to a joint advisory from the FBI, CISA, and NSA, the campaign began as early as 2024 and affected organizations in the U.S., Europe, and Asia. Compromised routers served as command-and-control points, enabling long-term surveillance of sensitive communications.
Scope and Impact
Hundreds of routers were infected, primarily in government and defense sectors. Attackers focused on extracting tokens for Outlook and Teams, granting read access to inboxes and chat histories. No evidence emerged of data exfiltration beyond reconnaissance.
- Vulnerable router models included those from Cisco, Netgear, and Asus.
- Malware evaded detection by mimicking legitimate firmware updates.
- Infected devices remained online for months before discovery.
Experts noted the operation’s sophistication. “This marks a shift to supply chain attacks on networking gear,” said a CISA spokesperson in the advisory. Businesses using Microsoft 365 were urged to rotate tokens and audit router configurations.
Background and Connections
The intrusion is tied to the Nobelium group, previously behind the 2020 SolarWinds attack. SVR operatives have shifted tactics amid heightened scrutiny of cloud services. By targeting routers and capturing tokens in transit, attackers bypassed the multi-factor authentication enforced on endpoints, since a valid token is accepted by the service without a fresh sign-in.
This follows similar incidents, including earlier warnings about persistent threats to network infrastructure. Officials linked the malware to Russian operations through code overlaps and infrastructure analysis.
Response Measures
Vendors issued patches last week. CISA recommended isolating affected routers, resetting credentials, and enabling logging. Microsoft advised enterprise customers to revoke all OAuth tokens issued in the past year.
“Organizations must prioritize network segmentation,” stated an NSA bulletin. Detection tools from CrowdStrike and Mandiant identified the malware signatures.
Broader Implications
The breach underscores the risk posed by router security, a common weak point in corporate defenses. As nation-state actors refine their techniques, timely application of security updates becomes critical. U.S. officials plan further briefings for critical infrastructure operators.
Investigations continue, with attribution to Russia based on high-confidence indicators. No arrests or diplomatic responses were announced as of Saturday.