# International Law Enforcement Disrupts FrostArmada: Mass Router DNS Hijacking Campaign Targeting Microsoft 365 Credentials


An international law enforcement operation has successfully disrupted FrostArmada, a sophisticated campaign linked to APT28 (also known as Fancy Bear) that has been weaponizing consumer and small-business routers to intercept and steal Microsoft 365 login credentials at scale. The coordinated effort, involving authorities across multiple countries and cooperation from private sector security firms, represents a significant blow against one of the most persistent state-sponsored threat actors targeting organizations worldwide.


## The Threat: How FrostArmada Operated


FrostArmada employed a deceptively simple yet highly effective attack strategy: compromising MikroTik and TP-Link routers—two of the world's most widely deployed networking devices—to perform DNS hijacking on local networks. Rather than directly attacking fortified corporate systems, the campaign leveraged the trusted position of routers within network architecture to redirect users to credential-harvesting pages mimicking legitimate Microsoft 365 login portals.


Key characteristics of the campaign:


  • Target scope: Thousands of organizations globally, with particular focus on government agencies, defense contractors, and critical infrastructure sectors
  • Attack vector: Compromised routers performing DNS spoofing to intercept authentication attempts
  • Primary objective: Harvesting Microsoft 365 credentials for lateral movement and persistent network access
  • Scale: The operation affected organizations across multiple countries and continents
  • Duration: The campaign operated for an extended period, allowing attackers to establish deep footholds within victim networks

Once attackers obtained valid Microsoft 365 credentials through the fake login pages, they gained access to email systems, cloud storage, and other integrated Microsoft services—creating opportunities for data exfiltration, espionage, and further network compromise.


## Background and Context: APT28's Long Game


APT28, attributed to Russia's GRU (Main Intelligence Directorate), has maintained a reputation as one of the most capable and persistent state-sponsored threat actors since at least 2007. The group has targeted governments, military organizations, defense contractors, and critical infrastructure operators across the globe, conducting operations ranging from espionage to election interference.


Why FrostArmada represents APT28's strategic approach:


  • Supply chain targeting: By compromising routers rather than directly breaching corporate networks, attackers leveraged a less-defended layer of infrastructure
  • Credential harvesting: Stolen Microsoft credentials provide persistent access and enable adversaries to blend in with legitimate user activity
  • Lower detection risk: Router-level attacks often evade traditional endpoint detection and response (EDR) solutions
  • Cost-effective: Consumer routers are deployed at massive scale with minimal security patching in many organizations

The campaign demonstrated a sophisticated understanding of enterprise authentication flows and the trust relationships between users, routers, and cloud services.


## How the Attack Works: Technical Details


The technical execution of FrostArmada reveals careful operational planning:


Attack chain breakdown:


1. Router compromise: Attackers exploited known vulnerabilities or default credentials in MikroTik RouterOS and TP-Link firmware to gain administrative access

2. DNS poisoning configuration: Once in control, attackers modified DNS settings to redirect requests for login.microsoft.com and related authentication domains to attacker-controlled servers

3. Credential capture: Victims attempting to log in to Microsoft 365 would be transparently redirected to convincing phishing pages

4. Authentication token harvesting: The captured credentials and session tokens were logged and sent to command-and-control infrastructure

5. Secondary access: Attackers used harvested credentials to establish persistent access through Microsoft 365, often enabling further lateral movement into corporate networks


Why routers are effective attack platforms:


  • Positioned at network perimeter with full visibility of traffic
  • Run simplified operating systems with limited security monitoring
  • Often forgotten during patch cycles and security reviews
  • Trusted completely by end-user devices
  • Difficult to detect malicious DNS behavior when it originates from the gateway device

## The International Disruption Operation


Law enforcement agencies coordinated a multi-phase operation to dismantle FrostArmada infrastructure:


Operation components included:


| Action | Outcome |
|--------|---------|
| Infrastructure takedown | Seizure or shutdown of command-and-control servers |
| ISP coordination | Blocking malicious DNS records globally |
| Victim notification | Organizations informed of router compromise |
| Credential revocation | Microsoft forced password resets on compromised accounts |
| Intelligence sharing | Cross-border coordination between multiple law enforcement agencies |


Private sector security companies provided critical intelligence analysis, traffic forensics, and victim identification that enabled authorities to map the campaign's scope and attribute it to APT28.


## Implications for Organizations


The FrostArmada disruption underscores several critical security realities for modern enterprises:


Network perimeter vulnerabilities remain a priority threat:

Organizations cannot assume that foundational network devices are secure or immune from compromise. Routers, switches, and firewalls represent a critical attack surface that bypasses many endpoint-focused security controls.


Microsoft 365 authentication is a high-value target:

Cloud-first architectures mean that compromised cloud credentials provide attackers with extraordinary leverage, enabling persistent access, data exfiltration, and lateral movement across interconnected services.


DNS hijacking is simple but devastatingly effective:

Performing attacks at the DNS layer requires minimal sophistication but defeats certificate-based security, multi-factor authentication mechanisms that lack phishing resistance, and user awareness training.


State-sponsored actors focus on cost-effective attack scalability:

Rather than conducting targeted intrusions against individual organizations, adversaries like APT28 deploy broad campaigns affecting thousands of potential victims, expecting that some percentage will yield valuable access.


## Recommendations: Securing Against Router-Based Attacks


Organizations should implement comprehensive controls addressing multiple layers:


Immediate actions:


  • Audit router inventory: Document all network edge devices and their firmware versions
  • Apply security updates: Prioritize patches for MikroTik and TP-Link devices
  • Verify default credentials: Change all default administrative passwords on network devices
  • Enable logging: Activate DNS query logging on routers to detect suspicious redirects
  • Check DNS configuration: Verify DNS servers are pointing to expected infrastructure, not attacker-controlled systems
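The "enable logging" and "check DNS configuration" actions above, and step 2 of the attack chain (a gateway resolver returning attacker-controlled answers for login.microsoft.com), can be turned into a routine check. The script below is an added example, not code from the article or from any router vendor: it replays DNS query log lines exported from a gateway against answers from a resolver you trust and compares the router's upstream resolvers with an expected list. The log format, the "trusted" address range, the resolver addresses and the sample log are all constructed for the example.

```python
"""Router DNS hijack check for Microsoft 365 sign-in domains.
Added example, not code from the article or any vendor. Replays DNS query log
lines exported from a gateway router against answers from a trusted resolver
and checks the router's upstream resolvers. All data below is constructed."""
import ipaddress
import re

# Sign-in domains the article names (login.microsoft.com) plus a related one.
AUTH_DOMAINS = ("login.microsoft.com", "login.microsoftonline.com")
# Placeholder "known good" answers (TEST-NET range, not Microsoft's real ranges);
# in practice fill this from a resolver you control, e.g. over DoH/DoT.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Upstream resolvers the router is supposed to forward to (constructed).
EXPECTED_UPSTREAMS = {"192.0.2.53", "192.0.2.54"}
# Constructed, simplified log format: "<time> <client> <qname> <qtype> <answer>".
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (A|AAAA) (\S+)$")


def parse_log(lines):
    """Yield (client, qname, answer) from lines in the constructed format."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3).lower().rstrip("."), m.group(5)


def flag_hijacks(lines):
    """Return (client, qname, answer) where a sign-in domain resolved outside
    TRUSTED_NETS, the pattern a poisoned gateway resolver produces."""
    findings = []
    for client, qname, answer in parse_log(lines):
        if not any(qname == d or qname.endswith("." + d) for d in AUTH_DOMAINS):
            continue
        try:
            ip = ipaddress.ip_address(answer)
        except ValueError:
            continue  # not an address (e.g. a CNAME target); skip
        if not any(ip in net for net in TRUSTED_NETS):
            findings.append((client, qname, answer))
    return findings


def unexpected_upstreams(configured):
    """Return configured upstream resolvers that are not on the expected list."""
    return sorted(set(configured) - EXPECTED_UPSTREAMS)


SAMPLE_LOG = [  # constructed: one clean answer, one unrelated, one redirected
    "12:00:01 10.0.0.15 login.microsoft.com A 192.0.2.10",
    "12:00:02 10.0.0.15 www.example.com A 198.51.100.20",
    "12:00:03 10.0.0.22 login.microsoftonline.com A 198.51.100.7",
]
```

A non-empty result from either function is a trigger to pull the device offline for firmware verification and to force resets on any accounts that signed in through it during the window.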

Medium-term mitigations:


  • Implement DNSSEC: Deploy DNS Security Extensions to cryptographically verify DNS responses
  • Enforce certificate pinning: Configure clients to verify HTTPS certificates against known-good values
  • Require phishing-resistant MFA: Implement FIDO2/WebAuthn instead of password+SMS or password+TOTP for cloud services
  • Network segmentation: Isolate critical systems from general network traffic to limit lateral movement
  • Monitor authentication anomalies: Alert on impossible travel, unusual login locations, and credential use from unfamiliar networks

Long-term strategy:


  • Zero-trust network architecture: Assume all network devices may be compromised; implement strict access controls throughout
  • Device attestation: Verify network device firmware integrity before allowing traffic
  • Continuous threat intelligence: Subscribe to feeds tracking APT28 activity and related campaigns
  • Incident response planning: Develop procedures for responding to suspected router compromise

## Conclusion


The successful disruption of FrostArmada demonstrates that law enforcement and private sector cooperation can effectively counter sophisticated state-sponsored campaigns. However, the operation also confirms that router-based attacks will remain a critical vulnerability for organizations worldwide. Security teams must elevate network device security from an afterthought to a core component of enterprise security architecture, recognizing that attackers will continue to exploit trust relationships and the positioning of foundational infrastructure to achieve their objectives.