APT28 FrostArmada Attack Campaign
A sophisticated cyber espionage operation attributed to the Russia-linked threat group APT28, also known as Forest Blizzard, has leveraged vulnerable network infrastructure to conduct large-scale surveillance. Active since at least May 2025, the campaign, codenamed FrostArmada, focused on compromising insecure MikroTik and TP-Link routers, transforming them into malicious assets under attacker control.
This operation primarily targeted home and small office (SOHO) devices, exploiting weak configurations to manipulate DNS settings. By doing so, attackers were able to intercept and redirect network traffic, enabling passive and largely undetectable data collection.
DNS Hijacking: Turning Routers into Silent Surveillance Tools
At the core of the campaign lies DNS hijacking, a technique that allowed attackers to reroute legitimate traffic through malicious infrastructure. Once a router was compromised, its DNS settings were altered to point to attacker-controlled servers. This manipulation enabled interception of sensitive data without requiring any user interaction.
When users attempted to access targeted domains, their requests were silently redirected to Attacker-in-the-Middle (AitM) nodes. These nodes captured authentication data, including login credentials, and transmitted it back to the attackers. The process was highly covert, making detection extremely difficult.
Attack Chain Breakdown: From Exploitation to Credential Theft
The attack lifecycle followed a structured sequence designed to maximize data collection while minimizing detection:
- Initial compromise of SOHO routers through vulnerabilities or weak configurations
- Unauthorized administrative access and modification of DNS settings
- Redirection of DNS queries to malicious, actor-controlled resolvers
- Interception of user traffic via AitM infrastructure
- Harvesting and exfiltration of credentials, including passwords and OAuth tokens
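The two DNS manipulation steps in this chain (altered upstream resolvers on the router, and answers that point at AitM nodes) are also the two places a defender can check for it. The following is an added example, not code from the article or from any router vendor: it parses upstream resolvers from text assumed to resemble MikroTik RouterOS `/ip dns print` output, compares them with an allowlist, and then compares A-record answers seen through the router's resolver with answers from trusted resolvers. The allowlist, the output format and all sample addresses (RFC 5737 and RFC 1918 ranges) are constructed for this example.

```python
"""Defender-side checks for router DNS hijacking (added example, not from the article).
Assumptions: the '/ip dns print' text layout, TRUSTED_RESOLVERS and all sample
data below are constructed here; adapt them to the real environment."""
import ipaddress
import re

# Constructed allowlist: the upstream resolvers routers in this network should use.
TRUSTED_RESOLVERS = {"10.0.0.53", "1.1.1.1"}


def parse_routeros_dns_servers(text):
    """Extract static and dynamic upstream resolvers from text assumed to look
    like RouterOS '/ip dns print' output ('key: comma-separated values')."""
    servers = []
    for line in text.splitlines():
        m = re.match(r"\s*(servers|dynamic-servers):\s*(.*)$", line)
        if m and m.group(2).strip():
            servers.extend(s.strip() for s in m.group(2).split(",") if s.strip())
    return servers


def unexpected_resolvers(configured, trusted=TRUSTED_RESOLVERS):
    """Return configured resolvers that are not valid IPs or not on the allowlist."""
    flagged = []
    for r in configured:
        try:
            ipaddress.ip_address(r)
        except ValueError:
            flagged.append(r)  # hostname or garbage where an IP is expected
            continue
        if r not in trusted:
            flagged.append(r)
    return flagged


def divergent_answers(observed, trusted=TRUSTED_RESOLVERS):
    """observed: {domain: {resolver: set of A records}}.
    Flag (domain, resolver, answers) when a non-trusted resolver's answers share
    no address with the union of answers from trusted resolvers. Requiring full
    disjointness rather than inequality avoids false positives from CDN rotation."""
    findings = []
    for domain, by_resolver in observed.items():
        baseline = set()
        for r, addrs in by_resolver.items():
            if r in trusted:
                baseline |= addrs
        if not baseline:
            continue  # no trusted reference answer, so nothing to compare against
        for r, addrs in by_resolver.items():
            if r not in trusted and addrs and addrs.isdisjoint(baseline):
                findings.append((domain, r, sorted(addrs)))
    return findings


# Constructed sample router output: one allowed resolver and one foreign one.
SAMPLE_DNS_PRINT = """\
                servers: 10.0.0.53,203.0.113.7
        dynamic-servers:
  allow-remote-requests: no
"""

# Constructed sample answers as seen through each resolver.
SAMPLE_OBSERVED = {
    "mail.example.org": {
        "10.0.0.53": {"198.51.100.10", "198.51.100.11"},
        "1.1.1.1": {"198.51.100.11"},
        "203.0.113.7": {"192.0.2.66"},      # unrelated host: hijack indicator
    },
    "cdn.example.org": {
        "10.0.0.53": {"198.51.100.20"},
        "1.1.1.1": {"198.51.100.21"},
        "203.0.113.7": {"198.51.100.21"},   # overlaps a trusted answer: benign
    },
}


def run_checks(dns_print=SAMPLE_DNS_PRINT, observed=SAMPLE_OBSERVED):
    """Run both checks and return their findings keyed by check name."""
    configured = parse_routeros_dns_servers(dns_print)
    return {
        "unexpected_resolvers": unexpected_resolvers(configured),
        "divergent_answers": divergent_answers(observed),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

On real devices the resolver list would come from the router's management interface and the per-resolver answers from queries issued against each resolver directly; the second check is the more robust of the two, since a modified router may report a clean configuration while still forwarding queries elsewhere.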
This method enabled attackers to monitor login attempts to email platforms and web services, including Microsoft Outlook on the web as well as systems not hosted by Microsoft.
Global Reach and Strategic Targeting
The campaign expanded significantly over time. While it began in a limited capacity in May 2025, widespread exploitation efforts escalated by early August. At its peak in December 2025, more than 18,000 unique IP addresses across at least 120 countries were observed communicating with attacker-controlled infrastructure.
Primary targets included:
- Government institutions such as foreign affairs ministries and law enforcement agencies
- Third-party email and cloud service providers
- Organizations across North Africa, Central America, Southeast Asia, and Europe
More than 200 organizations and approximately 5,000 consumer devices were impacted, demonstrating the scale and reach of the operation.
Exploited Vulnerabilities and Infrastructure Tactics
The attackers leveraged known vulnerabilities to gain access to network devices. Notably, TP-Link WR841N routers were exploited using CVE-2023-50224, an authentication bypass flaw that allowed credential extraction via specially crafted HTTP GET requests.
Additionally, a secondary infrastructure cluster was identified, responsible for relaying DNS traffic from compromised routers to remote attacker-controlled servers. This cluster also conducted targeted, interactive operations against select MikroTik routers, particularly in Ukraine.
Advanced Espionage Through Edge Device Compromise
This campaign marks a significant evolution in APT28's operational tactics. For the first time, the group has demonstrated the ability to conduct DNS hijacking at scale to facilitate AitM attacks against Transport Layer Security (TLS) connections.
By compromising edge devices, often less monitored than enterprise systems, attackers gained upstream visibility into network traffic. This strategic positioning allowed them to identify high-value targets and selectively focus on individuals or organizations of intelligence interest.
The operation is assessed to be opportunistic in nature, initially casting a wide net and progressively narrowing targets based on the value of intercepted data.
Operational Disruption and Ongoing Risks
The malicious infrastructure supporting FrostArmada has been dismantled through a coordinated effort involving the U.S. Department of Justice, the Federal Bureau of Investigation, and international partners. Despite this disruption, the techniques employed highlight persistent risks associated with unsecured network devices.
While the campaign has primarily focused on intelligence gathering, the use of AitM positioning presents broader threats. Such access could enable additional malicious activities, including malware deployment or denial-of-service attacks, significantly increasing the potential impact on targeted organizations.
Conclusion: A Wake-Up Call for Network Security
The FrostArmada campaign underscores the critical importance of securing edge devices within network environments. Exploitation of routers and DNS infrastructure provides attackers with a powerful and stealthy means of surveillance, often bypassing traditional security controls.
Organizations and individuals alike must prioritize proper configuration, timely patching, and continuous monitoring of network devices to mitigate the risks posed by such advanced threat actors.