Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign

Russia-linked APT28 (aka Forest Blizzard) conducted a campaign codenamed FrostArmada that compromised insecure MikroTik and TP‑Link SOHO routers to change their DNS settings and hijack local network traffic for passive collection and adversary-in-the-middle (AitM) credential theft. Active since May 2025 and peaking in December with communications from over 18,000 IPs across 120 countries, the operation targeted government agencies and service providers. Microsoft attributed it to APT28/Storm-2754 before its infrastructure was disrupted by a joint DOJ/FBI international action. #APT28 #FrostArmada

Key points

  • APT28 exploited insecure MikroTik and TP‑Link routers to modify DNS settings and hijack DNS traffic.
  • The FrostArmada campaign has been active since May 2025 and escalated in August, peaking in December with over 18,000 IPs from 120 countries.
  • Compromised routers redirected requests to actor‑controlled AitM nodes where passwords, OAuth tokens, and other credentials were harvested.
  • Microsoft attributed the activity to APT28/Storm‑2754, and the U.K. NCSC described the operations as opportunistic triage for intelligence targets.
  • The malicious infrastructure was disrupted in a multinational operation involving the DOJ, FBI, and international partners, though AitM positions could enable further attacks.
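The campaign above works by changing the resolvers a router hands out and steering name lookups to AitM nodes. The following is an added defender-side check (not code from the article or from any vendor) that flags two symptoms of that hijack: DHCP-offered DNS servers outside a site allowlist or RFC 1918 space, and A-record answers from the router's resolver that diverge from an out-of-band trusted resolver. All addresses and names are constructed sample data in documentation ranges.

```python
import ipaddress

# Constructed sample data (not from the article): resolvers a SOHO router
# offered via DHCP, and A records for the same names as returned by the
# router's resolver versus a trusted resolver queried out of band.
TRUSTED_RESOLVERS = {"192.168.88.1", "1.1.1.1", "8.8.8.8"}   # hypothetical site allowlist
DHCP_OFFERED_DNS = ["192.168.88.1", "203.0.113.45"]           # second entry is the anomaly
ROUTER_ANSWERS = {"login.example.com": "203.0.113.9", "mail.example.com": "198.51.100.7"}
TRUSTED_ANSWERS = {"login.example.com": "198.51.100.20", "mail.example.com": "198.51.100.7"}

# RFC 1918 networks; resolvers here are the router itself or another LAN host.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def unexpected_resolvers(offered, allowlist):
    """Return offered DNS servers that are neither allowlisted nor on a
    private network. A hijacked router typically points clients at an
    actor-controlled resolver on the public Internet."""
    findings = []
    for addr in offered:
        ip = ipaddress.ip_address(addr)
        if addr in allowlist or any(ip in net for net in RFC1918):
            continue
        findings.append(addr)
    return findings


def divergent_answers(local, trusted):
    """Return names whose A record from the router's resolver differs from
    the trusted resolver's answer. Divergence is the signature of an AitM
    redirection, but CDNs legitimately return different addresses per
    vantage point, so treat each hit as a lead to triage, not as proof."""
    return sorted(n for n in local if n in trusted and local[n] != trusted[n])


def assess(offered, allowlist, local, trusted):
    """Combine both checks into one verdict with the supporting evidence."""
    bad_resolvers = unexpected_resolvers(offered, allowlist)
    diverging = divergent_answers(local, trusted)
    return {
        "suspicious": bool(bad_resolvers or diverging),
        "unexpected_resolvers": bad_resolvers,
        "divergent_names": diverging,
    }


if __name__ == "__main__":
    print(assess(DHCP_OFFERED_DNS, TRUSTED_RESOLVERS, ROUTER_ANSWERS, TRUSTED_ANSWERS))
```

In practice the offered resolvers come from a DHCP lease or the router's own configuration export, and the trusted answers from a resolver reached over a path the router cannot tamper with (e.g. DoH to a known endpoint); a verdict of suspicious should trigger a review of the router's DNS settings and firmware.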

Read More: https://thehackernews.com/2026/04/russian-state-linked-apt28-exploits.html