What happens when the plumbing of the internet—older, widely deployed routers—becomes a faucet for secrets? Security experts warned today that hackers linked to Russia's military intelligence units have been quietly siphoning authentication tokens from Microsoft Office users by exploiting known flaws in those legacy devices. The campaign harvested tokens from users on more than 18,000 networks, and did so without deploying any malicious software or code.
How the campaign operated, in plain terms
According to security researchers, the attackers took advantage of preexisting weaknesses in older Internet routers. By exploiting those known flaws, the operators were able to collect authentication tokens used by Microsoft Office users. The activity required no installation of traditional malware or insertion of code on the targeted systems; instead, the campaign leveraged the routers themselves as the vector for mass collection.
The scale and character of the intrusion
Security experts say the operation reached more than 18,000 networks. The actors behind the scheme are described in the reporting as state-backed Russian hackers linked to Russia's military intelligence units. The combination of a large number of affected networks and the absence of payloads or software installations makes the campaign notable for both reach and stealth.
Why this matters: technical and policy perspectives
- Technologists: The incident highlights the risk posed by known vulnerabilities in network infrastructure components. When flaws in widely deployed routers remain unaddressed, those devices can be turned into conduits for harvesting credentials without traditional malware fingerprints.
- Policymakers: The attribution in the reporting to actors linked with a military intelligence apparatus underscores the potential national-security implications when basic network weaknesses are exploited at scale.
- Users and organizations: Authentication tokens for productivity services were the targeted data type. The mass collection of such tokens carries implications for account access and trust in session-based authentication, especially when the collection can occur outside endpoints and without visible compromises.
- Adversaries: The campaign demonstrates an operational choice: exploit infrastructure weaknesses to avoid software-based detection, enabling broad harvesting across many networks.
Questions left standing
The reporting provides a concise description of the method, scope and attribution, but it also poses a broader question: if actors can harvest session credentials from tens of thousands of networks by exploiting known router flaws and without leaving typical malware traces, what changes are necessary to reduce such systemic exposure? Patching, device replacement, and closer attention to the security of network infrastructure are all implied paths, but the core risk remains simple and stark—the infrastructure we rely on can be turned into a window into our accounts.
https://krebsonsecurity.com/2026/04/russia-hacked-routers-to-steal-microsoft-office-tokens/




