An international law enforcement operation has disrupted FrostArmada, a campaign linked to the Russian state-sponsored threat actor APT28 (also known as Fancy Bear / Forest Blizzard) that weaponized compromised consumer and small-office routers to redirect Microsoft 365 authentication traffic and harvest credentials at scale.
What Is FrostArmada?
FrostArmada is a DNS hijacking campaign attributed to APT28, the Russian military intelligence (GRU) unit responsible for some of the most consequential cyber operations of the past decade. The campaign's core technique is deceptively simple but highly effective: compromise MikroTik and TP-Link routers in targeted networks, then modify the router's DNS configuration to redirect authentication-related domains to attacker-controlled servers.
When users attempt to log in to Microsoft 365, the rogue DNS answer steers their browser to an attacker-controlled server, which captures their credentials — usernames, passwords, and in some configurations multi-factor authentication tokens — before the connection ever reaches Microsoft's legitimate infrastructure.
How the Attack Worked
Step 1: Router Compromise
APT28 gained access to target routers through a combination of:
- Default or weak credentials never changed from factory settings
- Known vulnerabilities in router firmware that remained unpatched
- Credential stuffing using previously stolen router management passwords
MikroTik and TP-Link devices were specifically targeted due to their widespread deployment in home offices, small businesses, and remote work environments — a direct consequence of the post-pandemic shift to distributed workforces.
Step 2: DNS Configuration Manipulation
Once the router was compromised, attackers modified the device's DNS server settings to point to attacker-controlled resolvers. These resolvers selectively returned fraudulent IP addresses for Microsoft 365 authentication endpoints including:
- login.microsoftonline.com
- login.live.com
- Related authentication and token endpoints
Step 3: Credential Harvesting
Victims attempting to sign in to Microsoft 365 — Outlook, Teams, SharePoint, and other services — were silently redirected to convincing phishing pages hosted on APT28 infrastructure. The pages were designed to mirror Microsoft's login experience precisely, capturing:
- Primary credentials (username and password)
- Session tokens
- In targeted cases: MFA codes via real-time relay attacks
Step 4: Downstream Espionage
Harvested credentials gave APT28 operators persistent access to victims' Microsoft 365 tenants, enabling:
- Email surveillance of high-value government, defense, and political targets
- Document exfiltration from SharePoint and OneDrive
- Lateral movement using compromised accounts to pivot deeper into organizational networks
The International Takedown
The disruption operation was carried out by an international coalition of law enforcement agencies in partnership with private sector threat intelligence firms and Microsoft. Authorities executed a coordinated action that included:
- Sinkholing the malicious DNS infrastructure used by FrostArmada
- Seizure of command-and-control servers underpinning the DNS hijacking operation
- Notification to internet service providers and device manufacturers to assist affected customers in identifying and remediating compromised routers
Microsoft's Digital Crimes Unit (DCU) provided critical technical assistance, including intelligence on how FrostArmada's infrastructure mapped to APT28's broader operational architecture.
Scope of Impact
While precise victim counts have not been publicly disclosed, authorities indicated that FrostArmada affected networks across multiple NATO member states with a focus on:
- Government ministries and defense contractors
- Political organizations and campaign infrastructure
- Journalists and civil society groups — historically preferred APT28 targets
The use of compromised consumer-grade routers as the attack vector is particularly significant because it shifts the point of compromise to infrastructure that is almost never monitored by enterprise security teams, even when the victim organization's own network is thoroughly defended.
Securing Your Routers
The FrostArmada disruption is a reminder that routers are frequently the least-patched devices in any network. Recommended actions:
- Change default router credentials immediately — admin/admin and similar defaults are trivially exploitable
- Apply firmware updates — enable automatic updates if supported; check for updates manually if not
- Disable remote management via WAN unless explicitly required
- Verify DNS settings — confirm your router's DNS servers are the expected values (your ISP's or a trusted resolver like 1.1.1.1)
- Use a monitored DNS resolver — services like Cloudflare Gateway or Cisco Umbrella can detect and block DNS hijacking attempts
- Enable DNSSEC validation where supported to resist DNS spoofing
- Segment guest and IoT networks — keep managed work devices on a separate VLAN from unmanaged consumer gear
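The "verify DNS settings" recommendation above, and the rogue-resolver technique from Step 2, boil down to two checks an administrator can automate: are the resolvers the router hands to clients the ones you expect, and do the A records it returns for the Microsoft 365 login domains land where they should? The script below is an added example, not code from the BleepingComputer article, Microsoft, or any router vendor. It assumes you have already collected the router's configured resolvers and a set of DNS answers (from the router's admin page or a client-side lookup) as plain strings; the resolver allowlist, the "expected prefix" list and all sample addresses are constructed placeholders in documentation address space, not Microsoft's published Microsoft 365 endpoint ranges, which you would substitute in practice.

```python
import ipaddress

# Constructed allowlists for the example. Fill EXPECTED_RESOLVERS from your own
# network documentation (the article names 1.1.1.1 as a trusted public resolver).
# EXPECTED_AUTH_PREFIXES is a TEST-NET-3 placeholder, NOT Microsoft's real ranges.
EXPECTED_RESOLVERS = {"1.1.1.1", "1.0.0.1"}
EXPECTED_AUTH_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
AUTH_DOMAINS = ("login.microsoftonline.com", "login.live.com")

# RFC 1918 private space plus loopback and link-local. A public login portal
# never legitimately resolves here, so this rule needs no vendor range data.
# (Python's ip_address.is_private also flags documentation ranges, which would
# break the placeholder prefixes above, hence the explicit list.)
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def unexpected_resolvers(configured):
    """Resolvers the router hands to clients that are not on the allowlist."""
    return sorted(set(configured) - EXPECTED_RESOLVERS)


def classify_answer(ip):
    """Verdict for one A record returned for an authentication domain."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in NON_ROUTABLE):
        return "private_address"           # strongest signal: LAN-side interception
    if not any(addr in net for net in EXPECTED_AUTH_PREFIXES):
        return "outside_expected_prefixes"  # needs a second opinion (see note)
    return "ok"


def suspicious_answers(answers):
    """answers: {domain: [ip, ...]} as the router's resolver returned them.
    Returns {domain: {ip: verdict}} for every non-ok record on an auth domain;
    domains outside AUTH_DOMAINS are ignored."""
    findings = {}
    for domain in AUTH_DOMAINS:
        bad = {}
        for ip in answers.get(domain, []):
            verdict = classify_answer(ip)
            if verdict != "ok":
                bad[ip] = verdict
        if bad:
            findings[domain] = bad
    return findings


def assess(configured_resolvers, answers):
    """Combine both checks into one verdict dictionary."""
    resolvers = unexpected_resolvers(configured_resolvers)
    records = suspicious_answers(answers)
    return {
        "unexpected_resolvers": resolvers,
        "suspicious_answers": records,
        # Either signal alone deserves a look; both together match the pattern
        # the article describes (rogue resolver plus fake login addresses).
        "hijack_suspected": bool(resolvers) or bool(records),
    }


# Constructed sample input: what a tampered router might report.
HIJACKED_CONFIG = ["198.51.100.7"]                   # resolver not on allowlist
HIJACKED_ANSWERS = {
    "login.microsoftonline.com": ["198.51.100.20"],  # unknown public host
    "login.live.com": ["10.0.0.5"],                  # private address, always wrong
    "www.example.net": ["192.0.2.1"],                # not an auth domain, ignored
}
# Constructed sample input: a router in its expected state.
CLEAN_CONFIG = ["1.1.1.1", "1.0.0.1"]
CLEAN_ANSWERS = {"login.microsoftonline.com": ["203.0.113.10"],
                 "login.live.com": ["203.0.113.11"]}

if __name__ == "__main__":
    for label, cfg, ans in (("hijacked", HIJACKED_CONFIG, HIJACKED_ANSWERS),
                            ("clean", CLEAN_CONFIG, CLEAN_ANSWERS)):
        print(label, assess(cfg, ans))
```

Two design points matter here. First, the `private_address` verdict is the one you can trust without any external data: no public login domain resolves into RFC 1918 space, so that result alone is conclusive. Second, `outside_expected_prefixes` is only as good as the prefix list, and Microsoft's endpoints are load-balanced across many ranges, so treat that verdict as a prompt to re-resolve the same name directly against a trusted resolver (bypassing the router) and compare, not as proof of compromise. Because the attacker in this campaign controls the router itself, any check that only asks the router what its settings are can be lied to; the independent lookup is what makes the comparison meaningful.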
APT28 Context
APT28 (Forest Blizzard / Fancy Bear) is one of the most active and capable nation-state threat actors operating today. The group is responsible for high-profile intrusions including the 2016 Democratic National Committee breach, various European parliament and government hacks, and ongoing campaigns against NATO-aligned targets. FrostArmada represents a continued evolution in APT28's tactics toward living-off-the-land approaches that abuse legitimate infrastructure rather than deploying obvious custom malware.
Source: BleepingComputer — Authorities Disrupt DNS Hijacks Used to Steal Microsoft 365 Logins