International Operation Disrupts APT28 Router Hijacking Campaign Targeting Microsoft 365 Credentials

An international law enforcement operation, in collaboration with private sector partners, has successfully disrupted a sophisticated cyber-espionage campaign dubbed "FrostArmada." The campaign, attributed to the Russian state-sponsored threat actor APT28, involved the widespread hijacking of small office/home office (SOHO) routers to steal Microsoft 365 account credentials. By compromising routers from vendors like MikroTik and TP-Link, the hackers altered the devices' Domain Name System (DNS) settings. This manipulation redirected user traffic to malicious virtual private servers (VPS) controlled by the attackers, which acted as rogue DNS resolvers. This technique, known as DNS hijacking, allowed APT28 to intercept authentication traffic destined for legitimate Microsoft services, enabling the theft of login credentials and OAuth tokens.

The FrostArmada campaign demonstrated significant scale and reach. At its peak in December 2025, the operation had infected approximately 18,000 devices across 120 countries. The primary targets included government agencies, law enforcement bodies, IT and hosting providers, and organizations managing their own server infrastructure. The campaign's goal was credential theft, providing APT28—a group linked to Russia's GRU military intelligence agency—with initial access to sensitive networks for further espionage activities. Microsoft, whose services were directly targeted, partnered with Lumen's threat research arm, Black Lotus Labs, to map the malicious infrastructure and identify victim organizations.

The takedown of the FrostArmada infrastructure was a coordinated effort involving multiple entities. Following the investigation by Microsoft and Black Lotus Labs, actions were taken with support from the U.S. Federal Bureau of Investigation (FBI), the U.S. Department of Justice, and the Polish government. This collaboration led to the seizure and takedown of the malicious command-and-control servers and rogue DNS resolvers, effectively neutralizing the immediate threat. The operation highlights the growing trend of attackers targeting network edge devices, like routers, which are often overlooked in security postures but provide a powerful vantage point for intercepting traffic.

This incident underscores critical lessons for organizational and individual cybersecurity. The compromise of SOHO routers shows that every network device must be secured, not just traditional endpoints like computers and servers. Best practices include changing default administrative credentials, keeping router firmware up to date, disabling remote management when it is not needed, and monitoring DNS settings for unauthorized changes. For enterprises, DNS security measures such as DNS-over-HTTPS (DoH) or trusted, hard-coded DNS resolvers can help mitigate such hijacking attacks. The successful disruption of FrostArmada is a reminder of the importance of public-private partnerships in combating sophisticated, globally scoped cyber threats.
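One way to put the "monitor DNS settings for unauthorized changes" advice into practice is to compare each router's configured resolvers against a trusted allowlist and a last-known-good baseline. The script below is an added example, not code from the article or from any of the organizations it names; the export format (one `device<TAB>resolver,resolver` line per router), the allowlist networks and the device names are all constructed for illustration.

```python
"""Flag SOHO router DNS resolver changes that could indicate DNS hijacking (added example)."""
import ipaddress
from dataclasses import dataclass

# Resolvers the organization has approved (constructed sample; replace with your own).
TRUSTED_RESOLVERS = {
    ipaddress.ip_network("10.0.0.53/32"),   # internal resolver
    ipaddress.ip_network("192.0.2.0/24"),   # documentation range standing in for a DNS provider
}

@dataclass(frozen=True)
class Finding:
    device: str
    resolver: str
    reason: str

def parse_snapshot(text: str) -> dict[str, list[str]]:
    """Parse the constructed 'device<TAB>dns1,dns2' export into {device: [resolver, ...]}."""
    devices: dict[str, list[str]] = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        device, _, servers = line.partition("\t")
        devices[device] = [s.strip() for s in servers.split(",") if s.strip()]
    return devices

def is_trusted(ip: str) -> bool:
    """True if the resolver address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RESOLVERS)

def audit(baseline: dict[str, list[str]], current: dict[str, list[str]]) -> list[Finding]:
    """Report resolvers outside the allowlist, then allowlisted ones that differ from the baseline."""
    findings: list[Finding] = []
    for device, resolvers in current.items():
        previous = set(baseline.get(device, []))
        for ip in resolvers:
            if not is_trusted(ip):
                findings.append(Finding(device, ip, "resolver not in trusted allowlist"))
            elif ip not in previous:
                findings.append(Finding(device, ip, "resolver changed since baseline"))
    return findings

# Constructed snapshots: the known-good baseline and a later export with two deviations.
BASELINE = parse_snapshot("branch-rtr-01\t10.0.0.53\nbranch-rtr-02\t10.0.0.53,192.0.2.10\n")
CURRENT = parse_snapshot("branch-rtr-01\t10.0.0.53,203.0.113.77\nbranch-rtr-02\t192.0.2.20\n")

if __name__ == "__main__":
    for f in audit(BASELINE, CURRENT):
        print(f"[ALERT] {f.device}: {f.resolver} - {f.reason}")
```

Run on a scheduled export of router configurations, the first finding (an unlisted public address) is the pattern this campaign relied on, while the second catches drift to an allowlisted but unexpected resolver that still warrants a look.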
