A sophisticated cyber espionage campaign orchestrated by APT28 — the threat actor linked to Russia’s military intelligence service (GRU) — has been disrupted by an international law enforcement operation. Codenamed FrostArmada by Lumen’s Black Lotus Labs, the campaign compromised tens of thousands of small office/home office (SOHO) routers to silently steal Microsoft 365 credentials from government agencies, law enforcement bodies, and cloud service providers worldwide.
How FrostArmada Worked
Rather than deploying traditional malware on victim machines, APT28 took over insecure TP-Link and MikroTik routers and altered their DHCP and DNS settings so that devices behind the router resolved names through attacker-controlled DNS servers. Lookups for targeted services were answered with addresses of attacker-controlled infrastructure, so the login traffic of any device connected to the router was silently redirected through it. This allowed the group to intercept authentication flows and harvest Microsoft 365 login credentials at scale, without ever touching the end user's device.
The technique, known as DNS hijacking, is particularly insidious because victims typically see no signs of compromise on their own machines: nothing on the endpoint changes, only the answers it receives from the network. Because the attack lives in the router and in DNS rather than on the host, it is extremely difficult to detect with traditional endpoint security tools. The tell-tale signs are unexpected resolver addresses handed out by the router's DHCP service, and answers for login domains that differ from what a trusted resolver returns for the same names.
Scale and Targets
At its peak in December 2025, the FrostArmada infrastructure was communicating with more than 18,000 unique IP addresses from 120+ countries. Microsoft Threat Intelligence identified over 200 organizations and 5,000 consumer devices impacted by the group’s malicious DNS infrastructure. Primary targets included ministries of foreign affairs, law enforcement agencies, and cloud service providers in North Africa, Central America, Southeast Asia, and Europe.
International Disruption Operation
In a coordinated effort involving law enforcement authorities and private sector partners — including Microsoft and Lumen Technologies — the FrostArmada infrastructure has now been disrupted. Authorities seized or sinkholed key components of APT28’s malicious DNS network, effectively cutting off the group’s credential-harvesting capability. The U.S. Department of Justice confirmed involvement in the takedown operation.
What You Should Do
Users and network administrators with TP-Link or MikroTik routers should act immediately:
- Check the DNS settings on your router, both the upstream (WAN) servers the router itself uses and the servers its DHCP service hands to clients. Ensure they point to your ISP's servers or a trusted provider such as 1.1.1.1 or 8.8.8.8, and treat any unfamiliar address as a sign of tampering
- Update firmware to the latest available version
- Change default credentials and disable remote (WAN-side) management
- Enable MFA on all Microsoft 365 accounts to limit damage from any already-stolen passwords, and rotate the passwords of accounts that signed in from behind an affected router. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) where possible, since an attacker sitting in the authentication path can relay one-time codes
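As an added example (this is not code from the article, nor from Lumen or Microsoft), the following Python performs the client-side half of the DNS checks described above: it parses the resolvers the host actually received (resolv.conf and the dhclient lease), flags any that are neither the LAN gateway nor on an assumed allow-list, and compares the addresses a login domain resolves to locally against a trusted resolver's answer. The allow-list, the sample resolv.conf and lease text, and the DNS answers are all constructed assumptions using RFC 5737 documentation addresses; in a real run you would feed it the host's own files and the output of `dig`. If the router forwards for its clients (they only ever see 192.168.1.1 as resolver), the router's own upstream DNS setting must be inspected in its admin interface, which a client-side script cannot do.

```python
import ipaddress
import re

# Added example (not Lumen/Microsoft/article code). Allow-list is an assumption:
# a SOHO client should see only its LAN gateway or a well-known public resolver.
TRUSTED_PUBLIC = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


def is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def parse_resolv_conf(text):
    """Nameserver IPs from /etc/resolv.conf-style text (comments stripped)."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_dhclient_lease(text):
    """DNS servers offered by DHCP, from a dhclient lease file (last lease wins)."""
    found = re.findall(r"option domain-name-servers\s+([^;]+);", text)
    return [s.strip() for s in found[-1].split(",") if s.strip()] if found else []


def classify_resolver(ip, trusted=TRUSTED_PUBLIC):
    if is_lan(ip):
        return "lan-gateway"
    if ip in trusted:
        return "trusted-public"
    return "unexpected-public"


def rogue_resolvers(ips, trusted=TRUSTED_PUBLIC):
    """Resolvers that are neither the gateway nor on the allow-list."""
    return [ip for ip in ips if classify_resolver(ip, trusted) == "unexpected-public"]


def compare_answers(name, local_answer, reference_answer):
    """Compare answers for `name` from the configured resolver with those from
    a reference resolver (e.g. `dig @1.1.1.1 login.microsoftonline.com +short`).
    DIVERGENT is a signal to investigate, not proof: CDN-fronted names vary by
    resolver location, so confirm via the TLS certificate the address presents.
    """
    local, reference = set(local_answer), set(reference_answer)
    if not local:
        return ("EMPTY", f"no answer for {name} from the local resolver")
    if any(is_lan(a) for a in local):
        return ("HIJACK", f"{name} resolves to a LAN address via the local resolver")
    if local & reference:
        return ("OK", f"local and reference answers for {name} overlap")
    return ("DIVERGENT", f"{name}: local {sorted(local)} shares nothing with "
                         f"reference {sorted(reference)}")


# Constructed sample input (RFC 5737 documentation addresses as placeholders):
# a client behind a tampered router whose DHCP hands out a foreign resolver
# alongside the gateway.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager (constructed sample)
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.53
"""
SAMPLE_DHCLIENT_LEASE = """\
lease {
  interface "eth0";
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1, 203.0.113.53;
}
"""
SAMPLE_LOCAL_ANSWER = ["198.51.100.7"]  # placeholder, not Microsoft's real IPs
SAMPLE_REFERENCE_ANSWER = ["192.0.2.10", "192.0.2.11"]


def run_checks():
    """Run every check on the sample data and return a report dict."""
    resolvers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    dhcp_dns = parse_dhclient_lease(SAMPLE_DHCLIENT_LEASE)
    verdict, reason = compare_answers("login.microsoftonline.com",
                                      SAMPLE_LOCAL_ANSWER, SAMPLE_REFERENCE_ANSWER)
    return {"resolvers": resolvers,
            "rogue_resolvers": rogue_resolvers(resolvers),
            "rogue_dhcp_dns": rogue_resolvers(dhcp_dns),
            "answer_verdict": verdict,
            "answer_reason": reason}


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

A DIVERGENT verdict is a prompt to inspect the TLS certificate served at the locally returned address, not a conviction; geo-steered CDNs hand different addresses to different resolvers. An unexpected public address in the DHCP lease, on the other hand, is the direct fingerprint of the kind of router tampering the article describes.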
APT28 remains one of the most active state-sponsored threat actors in the world. While FrostArmada has been disrupted, security researchers warn the group will rebuild its infrastructure and return with new techniques.