xiand.ai
Apr 8, 2026 · Updated 08:38 PM UTC
Cybersecurity

Law Enforcement Dismantles APT28 Network Hijacking Infrastructure

International law enforcement agencies, in collaboration with the private sector, have successfully disrupted 'FrostArmada,' a hacking operation that hijacked the DNS settings of routers worldwide to steal Microsoft account credentials.

Ryan Torres

2 min read


The FBI recently announced that, with the support of international partners, it has successfully dismantled 'FrostArmada,' a malicious network infrastructure operated by the Russian hacking group APT28, also known as Fancy Bear. The group hijacked Small Office/Home Office (SOHO) routers to intercept user login traffic, enabling them to steal Microsoft 365 account credentials and OAuth tokens.

The operation was conducted by the FBI and the U.S. Department of Justice in coordination with the Polish government, with technical support from Microsoft and Lumen Technologies’ Black Lotus Labs (BLL). Investigations revealed that the hacking group primarily targeted routers from brands such as MikroTik and TP-Link, while also compromising some Nethesis devices and older Fortinet firewalls.

The Mechanics of Router DNS Hijacking

APT28’s attack method involved modifying the Domain Name System (DNS) settings of victim routers to point toward virtual private servers (VPS) controlled by the hackers. When a device connected to an infected router attempted to access a legitimate website, the DNS resolution was redirected to the attackers’ proxy server, facilitating an 'Adversary-in-the-Middle' (AitM) attack.

Researchers at Black Lotus Labs noted that the attack process was highly covert for the average user. The only potential sign of compromise was a browser warning about an untrusted TLS certificate. If a user ignored that warning and proceeded, their traffic passed through the attackers' proxy, where it could be read in the clear.
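The two checks below are an added defender-side example, not code from the article or from any of the organizations it names: they flag a router whose configured resolvers fall outside the networks an administrator expects, and hostnames whose answers through that router disagree entirely with an independent trusted resolver. All addresses and hostnames are constructed placeholders, and the expected resolver networks are an assumption standing in for the ISP's ranges.

```python
# Added defender-side checks for router DNS hijacking as described above.
# All addresses/hostnames are constructed placeholders, not indicators
# from the FrostArmada investigation.
import ipaddress
from typing import Dict, Iterable, List, Set

# Assumption: resolver networks the administrator considers legitimate
# (a placeholder ISP resolver range plus one public resolver).
EXPECTED_RESOLVER_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                              ipaddress.ip_network("1.1.1.1/32")]


def unexpected_resolvers(configured: Iterable[str],
                         expected: List[ipaddress.IPv4Network]) -> List[str]:
    """Configured resolvers outside every expected network; a router whose
    WAN DNS was pointed at an arbitrary VPS shows up here."""
    return [a for a in configured
            if not any(ipaddress.ip_address(a) in net for net in expected)]


def divergent_answers(via_router: Dict[str, Set[str]],
                      via_trusted: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Hostnames whose answers via the router share nothing with an independent
    trusted resolver (value: the router's answer set). CDN names rotate, so
    partial overlap counts as consistent; only full disjointness is flagged."""
    flagged = {}
    for host, router_ips in via_router.items():
        trusted_ips = via_trusted.get(host, set())
        if trusted_ips and router_ips.isdisjoint(trusted_ips):
            flagged[host] = router_ips
    return flagged


# Constructed sample: the router's second resolver was changed to an
# attacker-style VPS, and the login hostname now resolves to that proxy.
ROUTER_DNS = ["203.0.113.7", "198.51.100.42"]
ANSWERS_VIA_ROUTER = {"login.example-idp.test": {"198.51.100.42"},
                      "cdn.example.test": {"192.0.2.10", "192.0.2.11"}}
ANSWERS_VIA_TRUSTED = {"login.example-idp.test": {"192.0.2.80", "192.0.2.81"},
                       "cdn.example.test": {"192.0.2.11", "192.0.2.12"}}


def run_checks() -> dict:
    """Both findings should point at the same VPS address."""
    return {"unexpected_resolvers": unexpected_resolvers(ROUTER_DNS, EXPECTED_RESOLVER_NETWORKS),
            "divergent_answers": divergent_answers(ANSWERS_VIA_ROUTER, ANSWERS_VIA_TRUSTED)}


if __name__ == "__main__":
    print(run_checks())
```

In practice the two answer maps would be filled by querying the router's resolver and a trusted resolver over an independent path (for example DNS over HTTPS) for the organization's own login hostnames.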

At the peak of its activity in December 2025, FrostArmada had infected approximately 18,000 devices across 120 countries. The victims included government agencies, law enforcement departments, IT service providers, and organizations running their own servers. Reports indicate that the hacking group operated with a clear division of labor: one team focused on compromising devices to expand the botnet, while another specialized in conducting AitM attacks and harvesting credentials.

To neutralize the threat, the FBI executed a court-authorized technical operation. By sending reset commands to the infected routers, law enforcement forced the devices to revert to the legitimate DNS resolvers provided by internet service providers, effectively severing the hackers' communication links. The Department of Justice stated that this action not only remediated the compromised devices but also allowed for the collection of critical evidence for ongoing investigations.
