Authorities disrupt router DNS hijacks used to steal Microsoft 365 logins

An international law enforcement operation with private partners disrupted FrostArmada, an APT28 campaign that hijacked MikroTik and TP‑Link SOHO routers to redirect DNS traffic and steal Microsoft account credentials and OAuth tokens. Microsoft and Lumen’s Black Lotus Labs mapped the activity and, with the FBI, the U.S. Department of Justice, and Polish authorities, took the malicious infrastructure offline. #FrostArmada #APT28

Key points

  • Law enforcement, Microsoft, and Lumen disrupted FrostArmada’s DNS hijacking infrastructure.
  • APT28 (aka Fancy Bear, Strontium, Forest Blizzard) is linked to Russia’s GRU unit 26165.
  • Attackers compromised MikroTik and TP‑Link SOHO routers (and some Nethesis and older Fortinet devices) to push malicious DNS via DHCP.
  • The hijacked DNS redirected authentication requests to adversary‑in‑the‑middle proxies that captured Microsoft logins and OAuth tokens; the only visible sign for users was an invalid TLS certificate warning.
  • Defensive steps include certificate pinning via MDM, patching routers and removing EOL devices, and using the published IoCs to detect connections to the malicious VPS infrastructure.
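As an added illustration of the client-side checks the last three points imply (not code from the article or from Microsoft/Lumen), the script below flags DHCP-assigned DNS servers outside an assumed site allowlist and compares how Microsoft sign-in hostnames resolve through the local resolver versus a trusted one. The leases excerpt and all IP addresses are constructed sample data, and `login.microsoftonline.com` is assumed as the sign-in hostname of interest.

```python
"""Host-side detection of router-pushed rogue DNS (added example, constructed data)."""
import ipaddress
import re

# Assumed allowlist: the resolver networks a router on this site is expected to hand out.
EXPECTED_DNS_NETWORKS = ["192.168.0.0/16", "10.0.0.0/8"]

# Constructed dhclient.leases excerpt; 203.0.113.45 plays the rogue resolver.
SAMPLE_LEASES = """\
lease {
  interface "eth0";
  fixed-address 192.168.88.10;
  option routers 192.168.88.1;
  option domain-name-servers 192.168.88.1,203.0.113.45;
}
"""

DNS_OPTION = re.compile(r"option domain-name-servers ([0-9.,\s]+);")


def dhcp_dns_servers(leases_text):
    """Extract every DNS server address listed in a dhclient leases file."""
    servers = []
    for match in DNS_OPTION.finditer(leases_text):
        servers.extend(s.strip() for s in match.group(1).split(",") if s.strip())
    return servers


def unexpected_dns_servers(servers, expected_networks=EXPECTED_DNS_NETWORKS):
    """Return resolvers that fall outside all allowlisted networks (candidate hijack)."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    return [s for s in servers if not any(ipaddress.ip_address(s) in n for n in nets)]


def hijacked_hosts(local_answers, trusted_answers):
    """Compare A records from the local resolver with those from a trusted resolver.

    Both arguments map hostname -> set of IPs. A host is reported when the local
    resolver returned an address the trusted resolver never did.
    """
    findings = {}
    for host, trusted in trusted_answers.items():
        rogue = local_answers.get(host, set()) - trusted
        if rogue:
            findings[host] = sorted(rogue)
    return findings


# Constructed observations: the local resolver points the sign-in host at the rogue IP.
LOCAL_ANSWERS = {"login.microsoftonline.com": {"203.0.113.45"},
                 "outlook.office365.com": {"198.51.100.20"}}
TRUSTED_ANSWERS = {"login.microsoftonline.com": {"198.51.100.10"},
                   "outlook.office365.com": {"198.51.100.20"}}
```

In a real deployment the answer sets would be filled from the system resolver and from a pinned resolver (DoT/DoH to a known provider) rather than embedded.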

Read More: https://www.bleepingcomputer.com/news/security/authorities-disrupt-dns-hijacks-used-to-steal-microsoft-365-logins/