APT28 linked to router hijacking campaign that affected 200 organizations

The Russia-linked hacking group APT28 has been tied to a campaign that compromised insecure MikroTik and TP-Link routers and altered their DNS settings to support espionage and credential theft since at least May 2025. The operation, described in a technical analysis by Lumen’s Black Lotus Labs, affected more than 200 organizations and 5,000 consumer devices, according to Microsoft.

KEY FACTS

  • Campaign name: FrostArmada
  • Targets: Government agencies and third-party email and cloud providers across several regions
  • Scale: More than 18,000 unique IP addresses in 120 countries were seen at the peak
  • Technique: Routers were reconfigured to use attacker-controlled DNS resolvers

The report says the activity started in a limited way in May 2025 and expanded in early August, with peak activity recorded in December 2025. Microsoft said the campaign was linked to APT28 and its sub-group Storm-2754.

Researchers said the attackers gained remote administrative access to home and small office routers, then changed DNS settings so web traffic could be redirected through malicious infrastructure. That setup allowed attacker-in-the-middle attacks aimed at stealing passwords, OAuth tokens and other credentials from email and web services.
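A change of a router's upstream resolver is visible from the network side: devices that used to send their DNS queries to the organisation's or ISP's resolvers suddenly send them somewhere else. The following added example (not code from the report or from Black Lotus Labs) shows one way a defender can catch that from firewall or flow logs. The log lines are constructed in a generic key=value layout, and the allowlist of approved resolvers is an assumed policy using documentation addresses; both are placeholders for a real environment's data.

```python
"""Detect devices sending DNS queries to resolvers outside an approved set.

Added example, not from the report: the log lines are constructed and the
allowlist is an assumed organisational policy (RFC 5737/3849 documentation
addresses are used throughout).
"""
from collections import defaultdict
import ipaddress
import re

# Assumed allowlist: the resolvers the organisation expects its routers and hosts to use.
APPROVED_RESOLVERS = {"192.0.2.53", "192.0.2.54", "2001:db8::53"}

# Ports that carry DNS: 53 (plain DNS) and 853 (DNS over TLS). A router whose
# resolver setting has been changed will forward queries to an unexpected address
# on one of these ports.
DNS_PORTS = {53, 853}

# Constructed firewall log lines in a generic key=value layout (not a vendor format).
# 10.0.0.1 drifts from an approved resolver to 198.51.100.7; 10.0.0.3 uses DoT to an
# unlisted address; 10.0.0.2's port-443 traffic is not DNS; the last line is malformed.
SAMPLE_LOGS = """\
ts=2025-12-01T10:00:01Z src=10.0.0.1 dst=192.0.2.53 dport=53 proto=udp action=allow
ts=2025-12-01T10:00:02Z src=10.0.0.1 dst=192.0.2.53 dport=53 proto=udp action=allow
ts=2025-12-01T10:00:03Z src=10.0.0.1 dst=198.51.100.7 dport=53 proto=udp action=allow
ts=2025-12-01T10:00:04Z src=10.0.0.1 dst=198.51.100.7 dport=53 proto=udp action=allow
ts=2025-12-01T10:00:05Z src=10.0.0.2 dst=192.0.2.54 dport=53 proto=udp action=allow
ts=2025-12-01T10:00:06Z src=10.0.0.2 dst=203.0.113.9 dport=443 proto=tcp action=allow
ts=2025-12-01T10:00:07Z src=10.0.0.3 dst=203.0.113.9 dport=853 proto=tcp action=allow
ts=2025-12-01T10:00:08Z src=10.0.0.9 dst=not-an-ip dport=53 proto=udp action=allow
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict; return None if it is unusable."""
    fields = dict(KV_RE.findall(line))
    if not {"src", "dst", "dport"} <= fields.keys():
        return None
    try:
        fields["dport"] = int(fields["dport"])
        ipaddress.ip_address(fields["src"])
        ipaddress.ip_address(fields["dst"])
    except ValueError:
        return None
    return fields


def is_dns_event(event):
    """True when the destination port is one that carries DNS."""
    return event["dport"] in DNS_PORTS


def find_unapproved_resolvers(log_text, approved=APPROVED_RESOLVERS):
    """Return {src: {dst: count}} for DNS traffic sent to resolvers not in the allowlist."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or not is_dns_event(event):
            continue
        if event["dst"] not in approved:
            hits[event["src"]][event["dst"]] += 1
    return {src: dict(dsts) for src, dsts in hits.items()}


def report(log_text, approved=APPROVED_RESOLVERS):
    """Human-readable alert lines, one per (source, unapproved resolver) pair."""
    lines = []
    for src, dsts in sorted(find_unapproved_resolvers(log_text, approved).items()):
        for dst, count in sorted(dsts.items()):
            lines.append(f"{src} sent {count} DNS request(s) to unapproved resolver {dst}")
    return lines


if __name__ == "__main__":
    for alert in report(SAMPLE_LOGS):
        print(alert)
```

The check deliberately keys on destination port rather than on a list of known-bad resolver addresses: the report describes attacker-controlled resolvers, and an allowlist of the resolvers a site actually sanctions catches any unexpected one without needing to know the attacker's infrastructure in advance. In practice the same logic can be run against DHCP lease and router configuration exports, where a changed DNS server field is the direct artefact of the reconfiguration the report describes.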

The U.K. National Cyber Security Centre said the DNS hijacking appeared opportunistic, with victims filtered at successive stages to find targets of likely intelligence value. Microsoft said some of the domains were associated with Outlook on the web, and it also found similar activity against non-Microsoft hosted servers at several government organizations in Africa.

The infrastructure used in the campaign was disrupted in a joint operation involving the U.S. Department of Justice, the FBI and international partners. The disclosure also said TP-Link WR841N routers were likely exploited using CVE-2023-50224, an authentication bypass flaw.

WHY IT MATTERS

The campaign shows how compromised edge devices can be used to quietly intercept traffic and collect credentials at scale. It also highlights the risk that weakly secured routers can become upstream access points for broader intrusions into organizations.