Russia's military intelligence hackers exploited unpatched router vulnerabilities to harvest Microsoft Office authentication tokens from over 18,000 networks in a large-scale espionage operation. The campaign required no malware deployment, making detection difficult for organisations relying on traditional endpoint security tools.

The attack leverages known flaws in older router models that organisations have failed to patch. By positioning themselves between users and authentication servers, attackers intercepted tokens that grant access to Microsoft Office 365 and related cloud services. Once obtained, these tokens enable attackers to impersonate legitimate users and access email, documents, and other sensitive data without triggering password-based security alerts.

The scope reveals a fundamental infrastructure problem. Many organisations operate routers years past their end-of-life dates, missing critical security updates. The 18,000 affected networks span multiple sectors, though specific verticals remain undisclosed. Russian military intelligence, assessed as GRU by Western intelligence agencies, conducted this operation with the operational discipline expected of state-sponsored actors. The campaign's stealth and scale indicate sophisticated network reconnaissance and token harvesting infrastructure.

The risk to organisations extends beyond immediate data theft. Compromised tokens provide persistent access to cloud environments, enabling lateral movement, privilege escalation, and long-term persistence. Attackers can exfiltrate years of communications and files while remaining undetected. Individuals working for affected organisations face credential compromise without realising their authentication has been intercepted at the network perimeter.

Detection challenges compound the threat. Token theft leaves minimal forensic evidence compared to password reuse or brute-force attacks, because the stolen token is a valid credential presented exactly as the legitimate user would present it. Organisations cannot identify compromised tokens through standard logs unless they monitor for impossible travel or other anomalous access patterns. Many enterprises lack visibility into token issuance and validation at the router level.
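The two signals named above, impossible travel and a valid session suddenly presented from a new network, can be computed from ordinary sign-in logs. The following is an added example, not code from the article or from any vendor product; the sign-in records, session ids and the 900 km/h plausibility threshold are constructed assumptions.

```python
import math
from datetime import datetime

# Constructed sample sign-in records for one user, sorted by time:
# (timestamp, session id, source IP, latitude, longitude).
# The third record replays the same session from another continent 40 minutes later.
SAMPLE_SIGNINS = [
    ("2024-05-01T08:00:00", "sess-A1", "203.0.113.10", 51.5074, -0.1278),  # London
    ("2024-05-01T08:40:00", "sess-A1", "203.0.113.10", 51.5074, -0.1278),  # London
    ("2024-05-01T09:20:00", "sess-A1", "198.51.100.7", 55.7558, 37.6173),  # Moscow
]

MAX_PLAUSIBLE_KMH = 900.0  # about airliner speed (assumed); faster implies a replayed token

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (prev_index, index, implied_kmh) for each consecutive pair of sign-ins
    whose distance and time gap would require travelling faster than max_kmh."""
    alerts = []
    for i in range(1, len(signins)):
        t0, _, _, lat0, lon0 = signins[i - 1]
        t1, _, _, lat1, lon1 = signins[i]
        hours = (datetime.fromisoformat(t1) - datetime.fromisoformat(t0)).total_seconds() / 3600
        dist = haversine_km(lat0, lon0, lat1, lon1)
        # A zero time gap with non-zero distance is treated as infinite speed.
        speed = dist / hours if hours > 0 else (math.inf if dist > 0 else 0.0)
        if speed > max_kmh:
            alerts.append((i - 1, i, speed))
    return alerts

def session_source_changes(signins):
    """Return {session_id: sorted source IPs} for sessions seen from more than one
    address: an established session reused from a new network is a token-theft signal."""
    seen = {}
    for _, sid, ip, _, _ in signins:
        seen.setdefault(sid, set()).add(ip)
    return {sid: sorted(ips) for sid, ips in seen.items() if len(ips) > 1}

if __name__ == "__main__":
    for prev, cur, kmh in impossible_travel(SAMPLE_SIGNINS):
        print(f"impossible travel between records {prev} and {cur}: {kmh:.0f} km/h")
    for sid, ips in session_source_changes(SAMPLE_SIGNINS).items():
        print(f"session {sid} presented from multiple sources: {ips}")
```

Both checks need geolocated sign-in events with a stable session identifier; neither fires on the router itself, which is why the article's point about perimeter-level blindness stands.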

Organisations should immediately inventory routers currently in use and prioritise patches for known vulnerabilities. Token rotation,