APT28 Hijacked 18,000 Routers to Steal Microsoft OAuth Tokens
Quick summary
Russian GRU APT28 compromised 18,000 TP-Link and MikroTik routers via SNMP to steal Microsoft OAuth tokens. No malware, no trace. FBI Operation Masquerade. Patch guide.
Russian military intelligence unit APT28 compromised more than 18,000 home and small-office routers to steal Microsoft Office 365 OAuth authentication tokens across as many networks. The FBI launched court-authorized Operation Masquerade on April 7, 2026, to seize and reset the botnet infrastructure. The attack required zero malware on any compromised device: APT28 used SNMP access to rewrite router DNS configurations and silently redirect OAuth authentication flows to spoofed Microsoft login pages.
The technique is significant because it bypasses multi-factor authentication entirely. By the time an OAuth token is captured, the victim has already completed MFA — the token is what gets used for continued access, and it is valid regardless of whether MFA was used to obtain it.
How Operation Masquerade Worked
The attack chain has five steps, each requiring only widely available tools and default router credentials:
Step 1 — Enumeration. APT28 scanned public IP ranges for routers running SNMP v2 with default or weak credentials. The target models — TP-Link WR841N, Archer C5/C7, and MikroTik RouterOS devices — all ship with SNMP v2 enabled by default and are often deployed in small offices and developer home labs without any credential hardening.
Step 2 — SNMP rewrite. Using SNMP v2 write access, APT28 modified each router's DHCP configuration to push a malicious DNS server address to clients on the network. The router itself was not infected with persistent malware — the only change was the DHCP DNS entry.
Step 3 — DNS redirect. Clients on the compromised network resolved Microsoft OAuth endpoints (login.microsoftonline.com, login.live.com) to APT28-controlled servers instead of Microsoft's legitimate infrastructure.
Step 4 — Transparent proxy. The APT28 server acted as a transparent reverse proxy for the real Microsoft login. Victims completed the login process normally — including MFA prompts, which were proxied to the real Microsoft endpoint. The victim's browser showed Microsoft's real pages because the content was live-proxied.
Step 5 — Token capture. When Microsoft issued the OAuth access token and refresh token after successful authentication (including MFA), the transparent proxy intercepted and logged both tokens before forwarding them to the victim's browser. The victim's login completed successfully. They saw no error. The tokens were now in APT28's possession.
The stolen OAuth tokens gave APT28 persistent access to the victim's Microsoft 365 account — email, SharePoint, Teams — for the lifetime of the refresh token (typically 90 days before rotation is required).
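A way to check a network for the DHCP/DNS redirect described in Steps 2 and 3, as an added example (this is not code from the article or from any vendor or tool it names). It compares the resolver addresses handed out by DHCP with an operator-maintained allowlist, then asks both the DHCP-supplied resolver and a trusted resolver for the A records of the two Microsoft login hostnames the article names and reports when the answers share no address. The allowlist contents, the choice of 1.1.1.1 as the trusted resolver and the sample response bytes are assumptions for illustration; the DNS query and response handling is a minimal stdlib implementation rather than a library call.

```python
"""Check a network for the DHCP/DNS redirect described in Steps 2 and 3.

Added example (not from the article). Stdlib only: the DNS query and response
handling below is a minimal implementation, not a wrapper around a library."""
import random
import socket
import struct
import sys

# Microsoft login hostnames named in the article.
MICROSOFT_LOGIN_HOSTS = ("login.microsoftonline.com", "login.live.com")

# Assumed allowlist for illustration: the public resolvers the article names plus
# a typical gateway address. Replace with your ISP's resolvers or your own.
KNOWN_GOOD_RESOLVERS = {"8.8.8.8", "1.1.1.1", "192.168.1.1"}


def build_query(name: str, txid: int) -> bytes:
    """Build a standard recursive DNS query (one A/IN question)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a domain name (handles compression pointers)."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # a 2-byte pointer terminates the name
            return offset + 2
        offset += 1 + length


def parse_a_records(msg: bytes, expected_txid: int) -> set[str]:
    """Extract IPv4 answers from a DNS response; reject replies we did not ask for."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(msg, offset) + 4  # skip QTYPE + QCLASS
    answers: set[str] = set()
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlength == 4:
            answers.add(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlength
    return answers


def resolve_a(name: str, resolver_ip: str, timeout: float = 3.0) -> set[str]:
    """Ask one specific resolver (UDP/53) for the A records of `name`."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def unexpected_resolvers(dhcp_resolvers, allowlist=KNOWN_GOOD_RESOLVERS) -> list[str]:
    """Step 2 check: DHCP-supplied resolver addresses that are not on the allowlist."""
    return [ip for ip in dhcp_resolvers if ip not in allowlist]


def answers_disagree(dhcp_answer: set[str], trusted_answer: set[str]) -> bool:
    """Step 3 check: True when the two resolvers share no address at all."""
    return bool(dhcp_answer) and dhcp_answer.isdisjoint(trusted_answer)


def audit(dhcp_resolvers, trusted_resolver: str = "1.1.1.1") -> list[str]:
    """Run both checks against the live network and return human-readable findings."""
    findings = [f"unexpected DHCP resolver: {ip}" for ip in unexpected_resolvers(dhcp_resolvers)]
    for resolver in dhcp_resolvers:
        for host in MICROSOFT_LOGIN_HOSTS:
            try:
                if answers_disagree(resolve_a(host, resolver), resolve_a(host, trusted_resolver)):
                    findings.append(f"{resolver} answers {host} differently from {trusted_resolver}")
            except (socket.timeout, ValueError) as exc:
                findings.append(f"{resolver} gave no usable answer for {host}: {exc}")
    return findings


if __name__ == "__main__":
    # Usage: python dns_redirect_check.py <dhcp_resolver_ip> [...]
    # Read the resolver addresses from your OS network settings (the DHCP lease,
    # or /etc/resolv.conf on Linux); how to obtain them is platform-specific.
    for line in audit(sys.argv[1:]) or ["no findings"]:
        print(line)
```

The Microsoft login hostnames are served from many addresses and legitimately resolve differently by region, so a disagreement is a prompt to confirm against a second trusted resolver and to inspect the router's DHCP settings, not proof of compromise on its own. An unexpected resolver address in the DHCP lease is the stronger signal, since that is exactly the single change the article says the attackers made.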
Which Routers Were Targeted
The two device families in scope:
TP-Link WR841N and Archer C5/C7: Consumer and small-office routers widely deployed in home developer setups, coworking spaces, and small-team offices. Both models run SNMP v2 with default credentials (the "public" community string) unless explicitly disabled. TP-Link has shipped more than 50 million units in the WR841N family globally. The Archer C5 and C7 are premium consumer models common in developer home labs.
MikroTik RouterOS: Enterprise-grade routing platform extremely common in developer infrastructure, VPS hosting environments, and startup network setups. MikroTik's Winbox and WebFig management interfaces are well-known targets, but the SNMP v2 default community string is less commonly hardened. MikroTik devices are disproportionately represented in small and medium business networks globally.
The selection is not random. These are devices that technically sophisticated people deploy precisely because they offer more control than consumer-grade hardware — but the SNMP v2 default credential problem is endemic to their deployment base.
Why This Bypasses MFA
This is the question most incident responders ask first, and the answer is architecturally important.
MFA protects the authentication step. Once authentication is complete and an OAuth token is issued, the token itself is the credential for API access — and that token does not carry MFA requirements. The OAuth standard does not mandate re-authentication with MFA for each API call.
APT28's proxy did not intercept the authentication step (the part with MFA). It intercepted the output of that step: the OAuth tokens issued after MFA was satisfied. From Microsoft's perspective, the authentication was legitimate — the user completed MFA, entered correct credentials, and received tokens. APT28 simply collected copies of those tokens in transit.
The Microsoft 365 Conditional Access feature "Sign-in frequency" can reduce the exposure window by forcing token re-authentication at shorter intervals. But most organizations run with default token lifetimes of 60–90 days for refresh tokens, meaning a captured token could be valid for months.
What the FBI Did in Operation Masquerade
The FBI obtained court authorization to access and reset the compromised routers remotely — the same legal mechanism used in previous GRU infrastructure takedowns (Cyclops Blink in 2022, VPNFilter in 2018).
The operation involved:
- Remotely resetting SNMP credentials on compromised routers to cut off APT28's access channel
- Issuing corrected DNS configurations to affected devices via the same SNMP channel APT28 had used
- Notifying 18,000+ network owners through ISPs about the compromise and recommended remediation steps
- Coordinating with Microsoft to identify which Office 365 tenants had tokens compromised and notify their administrators
The court authorization is important because it allowed the FBI to modify private router configurations without owner consent — the same legal theory used in previous botnet dismantlement operations. The legal authority is 18 U.S.C. 1030 (Computer Fraud and Abuse Act) with a Rule 41 search and seizure warrant covering the foreign-origin malicious infrastructure.
Developer Action: What to Check Now
If you run a TP-Link or MikroTik router, or manage infrastructure for a small team, the priority actions are:
1. Disable SNMP v2 immediately. SNMP v2 with default community strings is the attack entry point. On MikroTik: /snmp set enabled=no. On TP-Link: Advanced Settings > System Tools > SNMP > disable. If you need SNMP for monitoring, upgrade to SNMP v3 with authentication and encryption.
2. Change your DNS server. Check your router's DHCP DNS settings. If they point to any IP outside your ISP's DNS or a known public resolver (8.8.8.8, 1.1.1.1, or your own), your router may have been modified. Reset to a known-good DNS configuration.
3. Rotate Microsoft 365 OAuth tokens for your tenant. If your network may have been affected between January and April 2026, revoke all refresh tokens in your Microsoft Entra ID (Azure AD) tenant. Entra admin: Users > select all users > Revoke sessions. This forces re-authentication for all users and invalidates any captured tokens.
4. Enable Conditional Access sign-in frequency. Set Entra Conditional Access policy to require re-authentication every 24 hours for sensitive access. This limits the validity window of any future captured token.
5. Audit SNMP exposure. Run nmap with --script=snmp-brute against your own router's external IP to verify SNMP is not exposed. If it is, close it immediately.
6. Review token issuance logs. In Entra audit logs, look for OAuth token issuances from unusual IP addresses or geographic locations during January–April 2026. Anomalous token grants from Eastern European or Russian IP ranges during this period are an indicator of compromise.
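Step 6 asks for a review of token issuances from unusual addresses or locations during the exposure window. The detection logic below is an added example (not code from the article, and not an Entra ID API): it builds a per-user baseline from interactive MFA sign-ins before the window and then flags in-window events that break it. The records are constructed and use a simplified, assumed field layout rather than the real Entra sign-in export schema; map the fields from your own export before running it on real data. The window dates come from the article (January through April 2026).

```python
"""Flag OAuth token grants from unusual locations in a sign-in export (Step 6).

Added example (not from the article). Constructed, simplified records stand in
for an Entra ID sign-in log export; the field names are assumptions for
illustration, not the real export schema."""
from collections import defaultdict
from datetime import datetime, timezone

# The exposure window the article gives: January through April 2026.
WINDOW_START = datetime(2026, 1, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 30, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sample. 198.51.100.x / 192.0.2.x are the users' usual addresses;
# 203.0.113.x stand in for addresses the users have never signed in from.
SAMPLE_SIGNINS = [
    {"time": "2025-11-03T08:12:00Z", "user": "dev1@example.com", "ip": "198.51.100.20",
     "country": "GB", "interactive": True, "mfa": True},
    {"time": "2026-02-14T22:45:00Z", "user": "dev1@example.com", "ip": "203.0.113.77",
     "country": "RU", "interactive": True, "mfa": True},
    {"time": "2026-02-15T03:10:00Z", "user": "dev1@example.com", "ip": "203.0.113.77",
     "country": "RU", "interactive": False, "mfa": False},   # refresh-token use
    {"time": "2025-12-10T09:01:00Z", "user": "dev2@example.com", "ip": "192.0.2.9",
     "country": "GB", "interactive": True, "mfa": True},
    {"time": "2026-03-01T10:00:00Z", "user": "dev2@example.com", "ip": "192.0.2.9",
     "country": "GB", "interactive": True, "mfa": True},
    {"time": "2026-03-02T10:05:00Z", "user": "dev2@example.com", "ip": "203.0.113.88",
     "country": "GB", "interactive": False, "mfa": False},   # refresh-token use
    {"time": "2026-03-05T07:30:00Z", "user": "dev3@example.com", "ip": "192.0.2.50",
     "country": "DE", "interactive": True, "mfa": True},    # no pre-window history
]


def parse_time(stamp: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_anomalous_token_grants(events, window_start=WINDOW_START, window_end=WINDOW_END):
    """Return (time, user, ip, reason) tuples for in-window events that break the baseline.

    Baseline per user = countries seen in interactive MFA sign-ins BEFORE the window.
    Rule 1: any in-window event from a country outside that baseline.
    Rule 2: a non-interactive grant (token refresh) from an IP that never appears in
            one of the user's interactive sign-ins, i.e. the token moved to another host.
    Users with no pre-window history are skipped here and need manual review."""
    baseline_countries = defaultdict(set)
    interactive_ips = defaultdict(set)
    for e in events:
        if e["interactive"]:
            interactive_ips[e["user"]].add(e["ip"])
            if e["mfa"] and parse_time(e["time"]) < window_start:
                baseline_countries[e["user"]].add(e["country"])

    findings = []
    for e in sorted(events, key=lambda e: e["time"]):
        when = parse_time(e["time"])
        if not window_start <= when <= window_end or e["user"] not in baseline_countries:
            continue
        reasons = []
        if e["country"] not in baseline_countries[e["user"]]:
            reasons.append(
                f"country {e['country']} outside baseline {sorted(baseline_countries[e['user']])}")
        if not e["interactive"] and e["ip"] not in interactive_ips[e["user"]]:
            reasons.append("token refresh from an IP with no interactive sign-in")
        if reasons:
            findings.append((e["time"], e["user"], e["ip"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for when, user, ip, reason in find_anomalous_token_grants(SAMPLE_SIGNINS):
        print(f"{when} {user} {ip}: {reason}")
```

Because the login in Step 4 is relayed through the attacker's proxy, the interactive MFA sign-in itself reaches Microsoft from the proxy's address, so the first rule (an interactive sign-in from a country the user has never signed in from) is the signal most relevant to this campaign; the second rule catches later reuse of a captured token from a different host. Both rules are heuristics, and a user travelling or working from a new network will trip them, so treat a hit as a lead for the session-revocation step above rather than a verdict.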
The Broader Pattern: No-Malware Attacks Are Harder to Detect
Operation Masquerade is part of a documented shift in GRU and FSB tradecraft: avoiding malware deployment on target endpoints because endpoint detection (EDR) has become too effective. Instead, the attack moves to network infrastructure where enterprise EDR has no visibility.
The same pattern appeared in Volt Typhoon (China) living-off-the-land attacks on US critical infrastructure, and in the SolarWinds supply chain attack (also attributed to SVR, Russian foreign intelligence). The common thread: avoid touching the victim's devices. Attack the infrastructure around them.
For defenders, this means that endpoint-only security postures are insufficient. Network-layer monitoring — DNS query logging, SNMP access logging, anomalous OAuth token issuance alerting — is now required to detect this class of attack.
Key Takeaways
- APT28 compromised 18,000+ TP-Link and MikroTik routers via SNMP v2 default credentials; no malware deployed on any device — just DNS redirect config change
- OAuth token theft bypasses MFA: tokens are captured after MFA completes, during the token issuance step; valid for 60–90 days on default Microsoft 365 settings
- FBI Operation Masquerade: court-authorized remote reset and DNS correction of compromised routers; 18,000+ network owners notified via ISPs
- Developer action now: disable SNMP v2 on all TP-Link/MikroTik devices; verify DNS config; revoke all Microsoft 365 refresh tokens if your network was in scope; set Conditional Access sign-in frequency to 24h
- No-malware network attacks are the new normal: GRU and other nation-state actors are moving attacks to network infrastructure where EDR has no visibility
- SNMP v2 is a liability: any device running SNMP v2 with default community strings is an active attack surface — disable or upgrade to SNMP v3 with auth
For the broader IRGC cyber operations context, read Pro-Iran Hackers Ababil Hit LA Metro, PLCs. For the supply chain attack pattern, read Bitwarden CLI npm Supply Chain Attack. For the Chrome zero-day that requires patching alongside this, read Chrome Zero-Day CVE-2026-5281: Patch Now.
Frequently Asked Questions
What is APT28 Operation Masquerade and how did the attack work?
Operation Masquerade is an FBI court-authorized takedown launched April 7, 2026, targeting a botnet Russian GRU unit APT28 (Forest Blizzard / Unit 26165) built from more than 18,000 compromised TP-Link and MikroTik routers. APT28 accessed the routers via SNMP v2 with default credentials, rewrote DHCP DNS configuration to point to malicious resolvers, and used a transparent proxy to intercept Microsoft OAuth tokens during Office 365 logins. No malware was deployed on any device — the only change was the router's DNS configuration. Victims completed login successfully, including MFA, but APT28 captured their OAuth access and refresh tokens in transit.
How does this OAuth token attack bypass multi-factor authentication?
MFA protects the authentication step — verifying identity with a second factor. But OAuth tokens are issued after authentication completes, and those tokens are what grants ongoing access to Microsoft 365 services. APT28's transparent proxy did not intercept MFA challenges — it intercepted the OAuth tokens issued after MFA was satisfied. From Microsoft's perspective the authentication was legitimate. The captured token is valid for the standard lifetime (60–90 days for refresh tokens on default Microsoft 365 settings) and does not require MFA for each API call it makes.
Which routers were affected and what should developers do immediately?
The targeted devices are TP-Link WR841N, Archer C5, and Archer C7 routers, and any device running MikroTik RouterOS with SNMP v2 enabled. Immediate actions: disable SNMP v2 on all TP-Link and MikroTik devices (on MikroTik: /snmp set enabled=no); verify your router's DHCP DNS settings point to a known resolver and not an unfamiliar IP; revoke all Microsoft 365 refresh tokens in your Entra ID tenant if your network may have been compromised between January–April 2026; set Conditional Access sign-in frequency to 24 hours to limit future token validity windows.
What did the FBI actually do in Operation Masquerade?
The FBI obtained a Rule 41 court warrant to remotely access and modify the compromised routers — the same legal authority used in previous GRU botnet dismantlements like Cyclops Blink (2022) and VPNFilter (2018). The operation remotely reset SNMP credentials on 18,000+ routers to cut off APT28's access channel, restored correct DNS configurations, and notified affected network owners through ISPs. The FBI coordinated with Microsoft to identify which Office 365 tenants had tokens compromised and trigger administrator notifications for those organizations.
Written by
Software Engineer based in Delhi, India. Writes about AI models, semiconductor supply chains, and tech geopolitics — covering the intersection of infrastructure and global events. 919+ posts cited by ChatGPT, Perplexity, and Gemini. Read in 167 countries.
