Executive Summary
In April 2026, an international law enforcement operation, in collaboration with private companies, successfully disrupted 'FrostArmada,' a cyber espionage campaign orchestrated by the Russian state-sponsored group APT28 (also known as Fancy Bear or Forest Blizzard). The campaign involved compromising small office/home office (SOHO) routers, primarily from MikroTik and TP-Link, to alter DNS settings and redirect traffic through attacker-controlled servers. This allowed APT28 to intercept authentication traffic and steal Microsoft 365 credentials and OAuth tokens. At its peak in December 2025, FrostArmada infected 18,000 devices across 120 countries, targeting government agencies, law enforcement, IT and hosting providers, and organizations operating their own servers. The operation to neutralize the malicious infrastructure was supported by Microsoft, Lumen's Black Lotus Labs, the FBI, the U.S. Department of Justice, and the Polish government. (bleepingcomputer.com)
This incident underscores the evolving tactics of state-sponsored threat actors in exploiting network infrastructure vulnerabilities to conduct large-scale credential theft. The use of DNS hijacking via compromised routers highlights the need for organizations to secure network devices, implement robust monitoring, and adopt zero-trust principles to mitigate such sophisticated attacks.
Why This Matters Now
The FrostArmada campaign demonstrates the increasing sophistication of state-sponsored cyber threats targeting critical infrastructure. Organizations must prioritize securing network devices and implementing zero-trust architectures to defend against such advanced attacks.
Attack Path Analysis
APT28 compromised SOHO routers to hijack DNS settings, redirecting users to malicious servers that intercepted Microsoft 365 credentials. This allowed the attackers to escalate privileges by capturing OAuth tokens, facilitating unauthorized access to sensitive data. They then moved laterally within networks by exploiting compromised credentials and misconfigured access controls. Command and control were maintained through the hijacked routers, enabling persistent communication with infected systems. Exfiltration of sensitive information was achieved via the adversary-in-the-middle setup, with data sent to attacker-controlled servers. The impact included unauthorized access to confidential information, potential data manipulation, and broader network compromise.
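The attack path above hinges on one observable: a client's DNS answers for the Microsoft sign-in hostname stop agreeing with what a trusted path returns, because the router now hands out (or forwards to) an attacker-controlled resolver. The following script is an added example written for this page, not code from any of the organisations cited, and it models the two defender-side checks that follow from that: whether each client's resolvers are on the organisation's allowlist, and whether the locally obtained A record for the sign-in hostname falls inside a reference range obtained independently. Every address, hostname answer and client record in it is constructed sample data (documentation and RFC 1918 ranges), not an indicator from the campaign; the reference range stands in for whatever an organisation would derive from the published service ranges or from validating the TLS certificate.

```python
"""Detecting router-level DNS hijacking from inside the network (added example).

Signal 1: a client uses a resolver that is not on the allowlist.
Signal 2: the client's resolver returns an answer for the sign-in hostname that
          diverges from a reference answer obtained over a trusted, independent path.
Signal 2 is the important one for the FrostArmada pattern, because clients usually
still point at the router itself (which IS on the allowlist); only the router's
upstream forwarder has been changed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption (constructed): the org resolver plus the SOHO router's LAN address.
TRUSTED_RESOLVERS = {"10.0.0.53", "192.168.1.1"}

# Assumption (constructed placeholder, NOT Microsoft's real ranges): reference
# answers obtained out-of-band, e.g. over DoH to a known resolver from another network.
REFERENCE_ANSWERS = {
    "login.microsoftonline.com": [ip_network("203.0.113.0/24")],
}


@dataclass(frozen=True)
class Finding:
    host: str
    reason: str
    detail: str


@dataclass
class ClientObservation:
    host: str
    resolvers: list   # resolvers the client is actually using (DHCP-assigned or static)
    answers: dict     # hostname -> A record the client's resolver returned


def check_resolvers(obs):
    """Signal 1: flag any resolver address that is not on the allowlist."""
    return [Finding(obs.host, "untrusted-resolver", r)
            for r in obs.resolvers if r not in TRUSTED_RESOLVERS]


def check_answers(obs):
    """Signal 2: flag answers for monitored hostnames outside the reference range."""
    findings = []
    for name, answer in obs.answers.items():
        ranges = REFERENCE_ANSWERS.get(name)
        if ranges is None:
            continue  # hostname not monitored
        if not any(ip_address(answer) in net for net in ranges):
            findings.append(Finding(obs.host, "divergent-answer", f"{name} -> {answer}"))
    return findings


def audit(observations):
    """Run both checks over a batch of client observations and collect findings."""
    findings = []
    for obs in observations:
        findings.extend(check_resolvers(obs))
        findings.extend(check_answers(obs))
    return findings


# Constructed sample: ws-01 is clean; ws-02 still uses the router but gets a hijacked
# answer (the FrostArmada case); ws-03 was pointed straight at a rogue resolver.
SAMPLE_OBSERVATIONS = [
    ClientObservation("ws-01", ["192.168.1.1"], {"login.microsoftonline.com": "203.0.113.20"}),
    ClientObservation("ws-02", ["192.168.1.1"], {"login.microsoftonline.com": "198.51.100.7"}),
    ClientObservation("ws-03", ["198.51.100.53"], {"login.microsoftonline.com": "198.51.100.7"}),
]


def run_sample():
    return audit(SAMPLE_OBSERVATIONS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.host}: {f.reason} ({f.detail})")
```

In practice the reference answer should be a range or, better, a check that the served TLS certificate chains to a trusted CA and matches the hostname, since CDN-backed services legitimately return different single addresses over time; a bare IP comparison as written will raise false positives unless the range is maintained.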
Kill Chain Progression
Initial Compromise
Description
APT28 exploited vulnerabilities in MikroTik and TP-Link SOHO routers to gain unauthorized access and modify DNS settings.
Related CVEs
CVE-2023-30799
CVSS 7.2
MikroTik RouterOS before 6.49.7 and 7.x before 7.2.3 allows remote attackers to execute arbitrary code via a crafted request to the web interface.
Affected Products:
MikroTik RouterOS – < 6.49.7, < 7.2.3
Exploit Status:
exploited in the wild
CVE-2023-1389
CVSS 8.8
TP-Link Archer AX21 firmware before 1.1.4 Build 20230219 allows remote attackers to execute arbitrary code via a crafted request to the web interface.
Affected Products:
TP-Link Archer AX21 – < 1.1.4 Build 20230219
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Adversary-in-the-Middle
Data Manipulation: Stored Data Manipulation
Acquire Infrastructure: DNS Server
Compromise Infrastructure: DNS Server
Application Layer Protocol: DNS
Valid Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Change Control Processes
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Security Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
DNS hijacking campaign specifically targeted government agencies, compromising Microsoft 365 authentication and OAuth tokens through router-level traffic interception and certificate spoofing attacks.
Law Enforcement
APT28's DNS hijacking operation directly targeted law enforcement organizations, stealing Microsoft credentials through compromised SOHO routers and adversary-in-the-middle proxy attacks.
Information Technology/IT
IT providers face critical exposure as FrostArmada campaign compromised MikroTik/TP-Link routers, hijacking DNS settings to intercept authentication traffic and steal Microsoft 365 credentials.
Telecommunications
Hosting providers were primary targets of DNS hijacking attacks, with compromised routers redirecting authentication traffic to malicious VPS infrastructure for credential theft operations.
Sources
- Authorities disrupt router DNS hijacks used to steal Microsoft 365 logins: https://www.bleepingcomputer.com/news/security/authorities-disrupt-dns-hijacks-used-to-steal-microsoft-365-logins/
- FrostArmada: All thriller, no (malware) filler: https://www.lumen.com/blog-and-news/en-us/frostarmada-forest-blizzard-dns-hijacking
- SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks: https://www.microsoft.com/en-us/security/blog/2026/04/07/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks/
- Justice Department Conducts Court-Authorized Disruption of DNS Hijacking Network Controlled by a Russian Military Intelligence Unit: https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-dns-hijacking-network-controlled
- APT28 exploit routers to enable DNS hijacking operations: https://www.ncsc.gov.uk/news/apt28-exploit-routers-to-enable-dns-hijacking-operations
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it embeds security directly into the cloud fabric, potentially limiting the attacker's ability to exploit inter-workload communications and reducing the blast radius of such breaches.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit inter-workload communications would likely be constrained, reducing the scope of unauthorized access.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges would likely be constrained, reducing the scope of unauthorized access.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally would likely be constrained, reducing the scope of unauthorized access.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to maintain command and control would likely be constrained, reducing the scope of persistent communication.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate data would likely be constrained, reducing the scope of data loss.
The attacker's ability to cause widespread impact would likely be constrained, reducing the scope of network compromise.
Impact at a Glance
Affected Business Functions
- Email Services
- User Authentication
- Network Security
Estimated downtime: 7 days
Estimated loss: $500,000
Microsoft account credentials and OAuth tokens of affected users.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and limit access based on identity and context.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Deploy Threat Detection & Anomaly Response systems to identify and respond to unusual network activities promptly.
- Utilize Encrypted Traffic (HPE) to secure data in transit, mitigating risks associated with unencrypted communications.
- Ensure Multicloud Visibility & Control to maintain comprehensive oversight and governance across all cloud environments.