Full Report
The Russia-linked threat actor known as APT28 (aka Forest Blizzard) has been linked to a new campaign that has compromised insecure MikroTik and TP-Link routers and modified their settings to turn them into malicious infrastructure under their control as part of a cyber espionage campaign since at least May 2025. The large-scale exploitation campaign has been codenamed
Analysis Summary
# Threat Actor: APT28
## Attribution & Identity
* **Name:** APT28
* **Aliases:** Forest Blizzard (Microsoft), Fancy Bear, Pawn Storm, Sednit, Strontium.
* **Sub-groups:** Storm-2754.
* **Known Associations:** Attributed to the Russian General Staff Main Intelligence Directorate (GRU).
## Activity Summary
The article describes a large-scale cyber espionage campaign codenamed **FrostArmada**, active since at least May 2025. The operation focuses on exploiting insecure Small Office/Home Office (SOHO) routers to conduct global DNS hijacking and Adversary-in-the-Middle (AitM) attacks. By December 2025, the campaign had compromised over 18,000 unique IP addresses across 120 countries.
## Tactics, Techniques & Procedures
* **Exploitation of Edge Devices:** Gaining remote administrative access to insecure SOHO routers (specifically MikroTik and TP-Link).
* **DNS Hijacking:** Modifying router configurations to point to actor-controlled DNS resolvers.
* **Adversary-in-the-Middle (AitM):** Redirecting traffic for legitimate domains (e.g., Outlook on the web) to malicious nodes to intercept TLS connections.
* **Credential Harvesting:** Stealing authentication credentials, passwords, and OAuth tokens via fake login pages.
* **Reconnaissance & Triage:** Using DNS hijacking for persistent, passive visibility to identify high-value targets within a large pool of compromised users.
* **MITRE ATT&CK IDs (Inferred from context):**
  * T1584.005 (Exploit Public-Facing Application)
  * T1557 (Adversary-in-the-Middle)
  * T1562.001 (Impair Defenses: Disable or Modify Tools)
  * T1555 (Credentials from Web Browsers)
## Targeting
* **Sectors:** Government agencies, Ministries of Foreign Affairs, Law Enforcement, and third-party email/cloud service providers.
* **Geography:** Global coverage (120+ countries) with heavy concentrations in North Africa, Central America, Southeast Asia, and Europe.
* **Victims:** Over 200 organizations and 5,000 consumer devices; specifically noted at least three government organizations in Africa.
## Tools & Infrastructure
* **Hardware Targets:** MikroTik and TP-Link SOHO routers.
* **Infrastructure:**
  * Malicious DNS resolvers (actor-controlled).
  * AitM nodes (used for credential exfiltration).
  * Spoofed domains for Microsoft Outlook on the web.
  * Discovery and disruption: the infrastructure was identified through Lumen's Black Lotus Labs and Microsoft investigations and disrupted by the DOJ/FBI.
## Implications
This campaign represents the first time APT28 has been observed utilizing DNS hijacking at this scale to facilitate AitM attacks against TLS connections. By compromising upstream SOHO devices, the actor creates a "nearly invisible" attack vector that bypasses traditional enterprise perimeter security, allowing for persistent reconnaissance and credential theft with zero user interaction.
## Mitigations
* **Router Security:** Immediately update firmware for MikroTik and TP-Link routers and change default administrative credentials.
* **Remote Management:** Disable remote administrative access to router management interfaces from the internet.
* **DNS Protection:** Configure devices to use trusted, encrypted DNS (DNS-over-HTTPS or DNS-over-TLS) and monitor for unauthorized changes to DHCP/DNS settings.
* **Multi-Factor Authentication (MFA):** Implement phishing-resistant MFA (e.g., FIDO2) to mitigate the impact of stolen credentials/tokens.
* **Monitoring:** Use endpoint detection and network monitoring to identify unusual login patterns or connections to known malicious infrastructure.
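One concrete form of the "monitor for unauthorized changes to DHCP/DNS settings" mitigation is to diff a router's exported configuration against an approved resolver baseline. The script below is an added example, not code from the article or from any vendor; it parses a constructed MikroTik RouterOS `/export`-style text (the `198.51.100.53` address is a documentation-range placeholder standing in for an unknown resolver) and flags resolvers or DHCP-advertised DNS servers outside the approved set, plus `allow-remote-requests=yes`, which is worth reviewing on an internet-exposed device.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of a RouterOS "/export" (not from the article).
SAMPLE_EXPORT = """\
/ip dns
set allow-remote-requests=yes servers=9.9.9.9,198.51.100.53
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=198.51.100.53 gateway=192.168.88.1
/ip service
set www-ssl disabled=no
"""

# Resolvers the organisation has approved (assumed baseline for the example).
APPROVED_DNS = {"9.9.9.9", "149.112.112.112"}

@dataclass
class DnsAuditResult:
    unknown_resolvers: set = field(default_factory=set)   # /ip dns servers=
    unknown_dhcp_dns: set = field(default_factory=set)    # dhcp dns-server=
    open_resolver: bool = False                            # allow-remote-requests=yes

    @property
    def suspicious(self) -> bool:
        return bool(self.unknown_resolvers or self.unknown_dhcp_dns or self.open_resolver)

def audit_dns_config(export_text: str, approved: set) -> DnsAuditResult:
    """Walk the export section by section and record DNS settings that
    differ from the approved baseline (a hijacked router changes these)."""
    result = DnsAuditResult()
    section = None
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            section = line          # section header, e.g. "/ip dns"
            continue
        if section == "/ip dns":
            m = re.search(r"\bservers=([\d.,]+)", line)
            if m:
                result.unknown_resolvers |= set(m.group(1).split(",")) - approved
            if re.search(r"\ballow-remote-requests=yes\b", line):
                result.open_resolver = True
        elif section == "/ip dhcp-server network":
            m = re.search(r"\bdns-server=([\d.,]+)", line)
            if m:
                result.unknown_dhcp_dns |= set(m.group(1).split(",")) - approved
    return result

if __name__ == "__main__":
    r = audit_dns_config(SAMPLE_EXPORT, APPROVED_DNS)
    print("suspicious" if r.suspicious else "clean", r)
```

Run it periodically against a fresh export (or a saved backup) and alert on any `suspicious` result; an unexpected resolver in either location is the configuration change this campaign relies on.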