Authorities Disrupt FrostArmada DNS Hijacks Targeting Microsoft

High severity — significant development or major threat actor activity
In short: attackers changed router DNS settings to steal Microsoft logins from users worldwide.
A major international operation has disrupted the FrostArmada campaign, which hijacked routers to steal Microsoft 365 logins. This attack affected thousands of devices worldwide, primarily targeting government and IT sectors. Authorities are now working to secure the compromised infrastructure and protect users from future threats.
What Happened
An international operation led by law enforcement has successfully disrupted FrostArmada, a campaign linked to the Russian threat group APT28 (also known as Fancy Bear). This operation targeted MikroTik and TP-Link routers, hijacking local traffic to steal Microsoft account credentials. The campaign was particularly active in late 2025, affecting approximately 18,000 devices across 120 countries.
Who's Affected
The primary targets of this attack included government agencies, law enforcement, IT providers, and organizations managing their own servers. The compromised routers were used to redirect traffic intended for Microsoft services, enabling attackers to capture sensitive login information.
How It Works
The attackers compromised routers and altered their DNS settings to point at resolvers under attacker control. With the router handing out those resolvers, authentication traffic bound for Microsoft services could be redirected through attacker-operated servers and intercepted. Victims typically saw no sign of the attack beyond an occasional browser warning about an invalid TLS certificate, which is easy to click through.
Tactics & Techniques
APT28 combined several techniques to carry out these attacks:
- DNS Hijacking: By changing DNS settings, they redirected users to their own servers.
- Adversary-in-the-Middle (AiTM): They acted as intermediaries, collecting data from users as they accessed legitimate services.
- Dynamic Host Configuration Protocol (DHCP): Because the compromised routers also acted as DHCP servers, they automatically handed the attacker-controlled DNS servers to every device on the local network, so no per-device change was needed and the hijack was harder to spot.
Defensive Measures
In response to this threat, Microsoft collaborated with Black Lotus Labs and other organizations to identify affected users and take down the malicious infrastructure. Recommendations for users include:
- Implementing certificate pinning on corporate devices to prevent interception.
- Patching routers and reducing exposure on the public web.
- Removing outdated equipment that may be vulnerable to such attacks.
Conclusion
The disruption of the FrostArmada campaign illustrates the ongoing threat posed by APT28 and similar groups. As cyber threats evolve, it is crucial for organizations to remain vigilant and adopt robust security measures to protect sensitive information.
🔍 How to Check If You're Affected
1. Check router DNS settings for unauthorized changes.
2. Monitor for unusual traffic patterns or unexpected certificate warnings.
3. Implement logging to track DNS queries and responses.
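The three checks above, and the DHCP-delivered resolver problem described under Tactics & Techniques, can be scripted on a host. The following is an added example, not code from the advisory or from Microsoft; the approved resolver list, the log line format and all addresses (RFC 5737 documentation ranges) are constructed assumptions.

```python
"""Host-side checks for router DNS hijacking (added example; all data constructed)."""
import re

APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}  # assumed sanctioned corporate resolvers
WATCHED_HOSTS = {"login.microsoftonline.com", "login.live.com"}

def parse_resolv_conf(text):
    """Nameserver IPs from resolv.conf-style text (what DHCP handed the host)."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, flags=re.MULTILINE)

def unapproved_resolvers(resolvers):
    """Resolvers configured on the host that are not on the approved list."""
    return sorted(set(resolvers) - APPROVED_RESOLVERS)

def divergent_answers(local, trusted):
    """Watched hosts whose A records from the local resolver differ from an out-of-band one."""
    return {h: (sorted(local.get(h, [])), sorted(trusted.get(h, [])))
            for h in sorted(WATCHED_HOSTS)
            if set(local.get(h, [])) != set(trusted.get(h, []))}

# Constructed log format: "<ts> query[A] <qname> from <client> server=<resolver>"
LOG_RE = re.compile(r"query\[A\] (?P<qname>\S+) .*server=(?P<server>\S+)")

def flag_log_lines(lines):
    """Log lines where a watched hostname was resolved through an unapproved server."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m["qname"] in WATCHED_HOSTS and m["server"] not in APPROVED_RESOLVERS:
            hits.append(line)
    return hits

def audit(resolv_text, local, trusted, log_lines):
    """Run all three checks and return human-readable findings."""
    findings = [f"unapproved resolver from DHCP: {r}"
                for r in unapproved_resolvers(parse_resolv_conf(resolv_text))]
    findings += [f"answer mismatch for {h}: local={l} trusted={t}"
                 for h, (l, t) in divergent_answers(local, trusted).items()]
    findings += [f"watched host resolved via unapproved server: {line}"
                 for line in flag_log_lines(log_lines)]
    return findings

# Constructed sample data: a rogue resolver pushed by DHCP, one poisoned answer, one log hit.
SAMPLE_RESOLV = "# generated by DHCP\nnameserver 10.0.0.53\nnameserver 203.0.113.7\n"
LOCAL_ANSWERS = {"login.microsoftonline.com": ["203.0.113.20"], "login.live.com": ["198.51.100.9"]}
TRUSTED_ANSWERS = {"login.microsoftonline.com": ["198.51.100.5"], "login.live.com": ["198.51.100.9"]}
SAMPLE_LOG = [
    "2025-11-03T09:12:01Z query[A] login.microsoftonline.com from 10.0.0.24 server=203.0.113.7",
    "2025-11-03T09:12:02Z query[A] example.org from 10.0.0.24 server=203.0.113.7",
    "2025-11-03T09:13:05Z query[A] login.live.com from 10.0.0.31 server=10.0.0.53",
]
```

Running `audit(SAMPLE_RESOLV, LOCAL_ANSWERS, TRUSTED_ANSWERS, SAMPLE_LOG)` on the constructed data yields three findings; the "trusted" answers would in practice come from a resolver reached independently of the local router, for example over DNS-over-HTTPS.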
🔒 Pro insight: The FrostArmada campaign highlights the importance of securing network infrastructure against DNS hijacking tactics employed by sophisticated threat actors.