Global operation disrupts massive Russian-Linked FrostArmada espionage campaign

An international law enforcement effort, supported by major private cybersecurity firms, has disrupted a large-scale cyber-espionage campaign dubbed “FrostArmada” attributed to the Russian state-linked hacking group APT28.

Also known as Fancy Bear and Forest Blizzard, APT28 is believed to be affiliated with Russia’s military intelligence. The group ran a sophisticated operation that hijacked internet traffic by compromising small office/home office (SOHO) routers, particularly devices from MikroTik and TP-Link.

Attackers modified the routers’ DNS settings, redirecting traffic through malicious servers under their control. This allowed them to intercept authentication requests and harvest login credentials and OAuth tokens linked to Microsoft accounts, including services like Microsoft 365 and Outlook.

At its peak in December 2025, the campaign had infected approximately 18,000 devices across 120 countries. Targets included government agencies, law enforcement bodies, IT providers, and organizations managing their own infrastructure.

The disruption effort involved support from Ukrainian authorities, the Federal Bureau of Investigation, the US Department of Justice, and the Polish government.

According to Microsoft and Lumen’s Black Lotus Labs, compromised routers were configured to push rogue DNS server settings to connected devices via DHCP, steering their name lookups to attacker-controlled proxy servers. Victims typically saw nothing more than a warning about an invalid security certificate, and the attackers captured sensitive data from any session that passed through the proxy unencrypted.
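The two offline checks below are an added example, not code from the article, Microsoft or Black Lotus Labs. They automate the detection a network owner would want for the pattern just described: first, does the DNS server list a DHCP client received match the resolvers the organization actually sanctions; second, do the addresses the local resolver returns for the identity endpoints overlap with what an independent, trusted resolver returns. The resolver allowlist, the watched domain list, the lease file excerpt and the DNS answers are all constructed here for the example (documentation address ranges are used for the answers).

```python
"""Added example: offline checks for the DHCP-pushed rogue DNS pattern.
All inputs below are constructed for illustration, not from the article."""
import re

# Assumption: resolvers the organization sanctions (example addresses).
TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.1.53", "1.1.1.1"}

# Assumption: identity endpoints whose answers are worth cross-checking.
WATCHED_DOMAINS = ("login.microsoftonline.com", "login.live.com",
                   "outlook.office.com")

# Constructed sample: excerpt of a dhclient lease file as a client behind a
# hijacked router might record it. 203.0.113.7 stands in for a rogue resolver.
SAMPLE_LEASE = """\
lease {
  interface "eth0";
  fixed-address 192.168.88.23;
  option subnet-mask 255.255.255.0;
  option routers 192.168.88.1;
  option domain-name-servers 203.0.113.7,10.0.0.53;
  option dhcp-lease-time 600;
}
"""

# Constructed sample answers: what the DHCP-assigned resolver returned versus
# what a trusted out-of-band resolver (e.g. DNS over HTTPS) returned.
SAMPLE_LOCAL_ANSWERS = {
    "login.microsoftonline.com": {"203.0.113.20"},
    "login.live.com": {"192.0.2.14"},
    "outlook.office.com": {"192.0.2.30", "192.0.2.31"},
}
SAMPLE_TRUSTED_ANSWERS = {
    "login.microsoftonline.com": {"192.0.2.17", "192.0.2.18"},
    "login.live.com": {"192.0.2.14", "192.0.2.15"},
    "outlook.office.com": {"192.0.2.31"},
}

_DNS_OPTION = re.compile(r"option domain-name-servers\s+([^;]+);")


def dhcp_resolvers(lease_text):
    """Return the DNS servers listed in every domain-name-servers option,
    in the order the lease file hands them out (first entry is preferred)."""
    servers = []
    for match in _DNS_OPTION.finditer(lease_text):
        servers.extend(s.strip() for s in match.group(1).split(","))
    return servers


def rogue_resolvers(lease_text, trusted=TRUSTED_RESOLVERS):
    """DNS servers pushed by DHCP that are not on the sanctioned list."""
    return [s for s in dhcp_resolvers(lease_text) if s not in trusted]


def diverging_answers(local, trusted, domains=WATCHED_DOMAINS):
    """Domains where the local resolver's answer set shares no address with
    the trusted resolver's answer set. Overlap rather than equality is used
    because CDN-fronted names legitimately return rotating address sets."""
    flagged = []
    for name in domains:
        local_ips = local.get(name, set())
        trusted_ips = trusted.get(name, set())
        if local_ips and trusted_ips and local_ips.isdisjoint(trusted_ips):
            flagged.append(name)
    return flagged


def report(lease_text, local, trusted):
    """Combine both checks into one result a monitoring job can act on."""
    return {
        "rogue_resolvers": rogue_resolvers(lease_text),
        "diverging_domains": diverging_answers(local, trusted),
    }


if __name__ == "__main__":
    print(report(SAMPLE_LEASE, SAMPLE_LOCAL_ANSWERS, SAMPLE_TRUSTED_ANSWERS))
```

The first check is the cheap one and catches the hijack regardless of which domains the proxy targets; run it on every lease renewal, since the article notes the DNS change is pushed automatically. The second check needs a resolver reached independently of the router's DHCP settings, queried from the same region and at roughly the same time so that ordinary CDN variance does not trip it. Neither check replaces the certificate warning the user sees; they are the automated counterpart to it.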

Researchers say FrostArmada operated in two coordinated units: one focused on expanding the botnet by infecting new devices, and another dedicated to intercepting traffic and collecting credentials.

The campaign intensified after a 2025 warning from the UK’s National Cyber Security Centre highlighted similar tactics used by APT28 to target Microsoft-related services. In some cases, the attackers also infiltrated servers belonging to government organizations in Africa and even interacted with a national identity platform in Europe.