Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign
TL;DR
The Russian state-sponsored actor APT28 (Forest Blizzard) has compromised over 18,000 MikroTik and TP-Link routers across 120 countries since May 2025. Codenamed FrostArmada, the campaign uses DNS hijacking to redirect traffic to malicious servers, enabling Attacker-in-the-Middle (AitM) attacks to steal credentials and OAuth tokens from government and military targets.
Overview of FrostArmada
A sophisticated cyber espionage campaign, orchestrated by the Russia-linked threat actor APT28 (also known as Forest Blizzard or Storm-2754), has been identified targeting Small Office/Home Office (SOHO) routers globally.
According to reports from Lumen’s Black Lotus Labs and Microsoft, the campaign—codenamed FrostArmada—repurposes insecure routers into malicious infrastructure. By altering DNS settings on these devices, the actors can passively collect network data and intercept sensitive traffic.
The campaign has been active since at least May 2025, reaching its peak in December 2025 with communications linked to over 18,000 unique IP addresses spanning more than 120 countries.
Technical Mechanics: DNS Hijacking and AitM
The attack chain begins with APT28 gaining remote administrative access to edge devices, specifically targeting MikroTik and TP-Link models.
- Exploitation: The actors likely exploit vulnerabilities such as CVE-2023-50224, an authentication bypass flaw in TP-Link WR841N routers, to extract credentials.
- Configuration Change: Once inside, the attackers modify the router's settings to use actor-controlled DNS resolvers.
- Redirection: When a user on the compromised network attempts to visit a legitimate site (such as Microsoft Outlook on the web), the malicious DNS server provides fraudulent records.
- Credential Harvesting: Traffic is redirected to an Attacker-in-the-Middle (AitM) node. This allows the threat actor to steal authentication credentials, passwords, and OAuth tokens without any required interaction from the end user.
This marks the first time APT28 has been observed using DNS hijacking at this scale to support AitM attacks on Transport Layer Security (TLS) connections.
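Two defender-side checks for the indicators described in this attack chain, as an added Python example (not code from the original article or from the reports it cites): one flags a router whose configured resolvers are not on an allow-list, the other flags DNS answers for high-value names that fall outside the address ranges the organisation expects. The MikroTik export format, the allow-list, and every address used are assumptions or constructed RFC 5737 documentation values, not indicators from the campaign.

```python
import ipaddress
import re

# Constructed sample of a MikroTik-style "/ip dns export" fragment. The exact
# format is an assumption; 192.0.2.53 is a documentation address, not an IoC.
SAMPLE_EXPORT = """\
/ip dns
set allow-remote-requests=yes servers=192.0.2.53,9.9.9.9
"""
APPROVED_RESOLVERS = {"9.9.9.9", "1.1.1.1"}

# Constructed answers from the local (router-assigned) resolver, and the
# ranges each name is expected to resolve into (populate from the provider's
# published ranges in practice; RFC 5737 ranges are used here).
LOCAL_ANSWERS = {
    "outlook.office.com": {"203.0.113.7"},   # would be an AitM node
    "intranet.example": {"198.51.100.20"},   # as expected
}
EXPECTED_NETWORKS = {
    "outlook.office.com": ["198.51.100.0/24"],
    "intranet.example": ["198.51.100.0/24"],
}


def unapproved_dns_servers(export_text, approved):
    """Return configured resolver addresses that are not on the allow-list."""
    match = re.search(r"\bservers=([0-9.,]+)", export_text)
    if not match:
        return []
    return sorted(s for s in match.group(1).split(",") if s not in approved)


def answers_outside_expected(answers, expected):
    """Return {name: [ips]} for answers outside every expected network.

    A hijacked resolver hands back an AitM address for a high-value name;
    comparing against known-good ranges avoids the noise that CDN rotation
    causes in a plain answer-vs-answer diff against a trusted resolver.
    A name with no expected ranges configured has all its answers flagged.
    """
    suspicious = {}
    for name, ips in answers.items():
        nets = [ipaddress.ip_network(n) for n in expected.get(name, [])]
        bad = sorted(ip for ip in ips
                     if not any(ipaddress.ip_address(ip) in n for n in nets))
        if bad:
            suspicious[name] = bad
    return suspicious


if __name__ == "__main__":
    print("unapproved resolvers:", unapproved_dns_servers(SAMPLE_EXPORT, APPROVED_RESOLVERS))
    print("suspicious answers:", answers_outside_expected(LOCAL_ANSWERS, EXPECTED_NETWORKS))
```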
High-Value Targets
While the initial exploitation of routers is opportunistic, the U.K. National Cyber Security Centre (NCSC) indicates that the group uses an automated filtering process to triage victims of high intelligence value.
Primary targets include:
- Government Agencies: Ministries of Foreign Affairs and law enforcement.
- Critical Infrastructure: Military and energy sectors.
- Service Providers: Third-party email and cloud service providers.
Impacted organizations have been identified across North Africa, Central America, Southeast Asia, and Europe. Microsoft specifically noted AitM activity targeting non-Microsoft hosted servers in at least three African government organizations.
Law Enforcement Response: Operation Masquerade
In response to the threat, a joint international operation involving the U.S. Department of Justice (DoJ), the FBI, and other global partners successfully disrupted the malicious infrastructure.
Codenamed Operation Masquerade, this court-authorized technical operation neutralized the U.S.-based portion of the network. The DoJ attributed the activity to Military Unit 26165 of the Russian General Staff of the Armed Forces (GRU).
Conclusion
The FrostArmada campaign highlights the growing risk posed by vulnerable edge devices. By leveraging SOHO routers as a pivot point, APT28 gained persistent, "nearly invisible" visibility into enterprise environments. While currently used for credential theft and espionage, security researchers warn that this AitM position could easily be used for more destructive outcomes, such as malware deployment or denial-of-service attacks.
Source: The Hacker News