Skip to main content
Emerging ThreatsMalware & Ransomware

Law Enforcement Disrupts APT28's Router DNS Hijack Operation

Law Enforcement Disrupts APT28's Router DNS Hijack Operation

How do you stop an invisible thief that reroutes the traffic inside your own home network and waits to harvest the keys to your cloud accounts? An international coalition of law enforcement authorities and private companies says it has answered that question — at least for one campaign.

What happened: a coordinated disruption

Authorities, working with private-sector partners, conducted an international operation that disrupted a campaign known as FrostArmada. The campaign has been described in the source material as an APT28 operation that hijacked local traffic from MikroTik and TP-Link routers to steal Microsoft account credentials, including logins for Microsoft 365.

How the campaign operated

According to the reported account, FrostArmada intercepted or redirected local router traffic on devices made by MikroTik and TP-Link. The objective of that interception was to capture Microsoft account credentials — credentials used to access Microsoft 365 and related services. The operation targeted the flow of traffic at the router level to obtain those logins.

Why the disruption matters

  • Immediate mitigation: The reported disruption addresses an active campaign that targeted local router traffic to harvest Microsoft account credentials. By disrupting FrostArmada, the operation sought to stop this specific vector of credential theft.
  • Cross-sector collaboration: The action combined law enforcement authorities and private companies, demonstrating cooperation across public and private sectors to tackle network-level attacks.
  • Attack surface highlighted: The campaign focused on hijacking traffic on widely used consumer and small-business routers. That focus underscores the potential impact when network infrastructure is manipulated to intercept account credentials for cloud services such as Microsoft 365.

Perspectives and open questions

Technologists will view the episode as a reminder that devices on the edge of networks can be leveraged to reach cloud accounts — an operational link from compromised routers to compromised credentials. Policymakers may see an illustration of how international cooperation and private-sector partnerships can be applied against transnational cyber campaigns. Users and organizations will likely take away the need to consider how local network devices factor into account-security postures.

Several practical questions remain in the public account: the report describes a disruption of FrostArmada but does not say whether the underlying vulnerabilities exploited by the campaign have been fully patched or if additional related infrastructure remains active. The scale of infections, the identities of those affected, and next steps for affected device owners are not detailed in the available summary.

The disruption is a clear tactical win against a specific campaign that hijacked router traffic to steal Microsoft account credentials. Yet it also serves as a reminder that attackers who combine network-level control with credential-capture tactics can turn ordinary routing devices into vectors for cloud account theft. As defenders tally the results of the operation, one question persists: how many more campaigns are waiting for similar opportunities on the devices that sit between users and the internet?

https://www.bleepingcomputer.com/news/security/authorities-disrupt-dns-hijacks-used-to-steal-microsoft-365-logins/