APT28 Disrupts Router DNS to Steal Microsoft Credentials in Global Campaign

Severity: High (Score: 78.0)

Sources: Bloomberg, Bleepingcomputer, Infosecurity-Magazine, Ncsc.Uk, Feeds2.Feedburner

Summary

An international law enforcement operation has disrupted APT28, a Russian hacking group linked to the GRU, which hijacked the DNS settings of vulnerable MikroTik and TP-Link routers to steal Microsoft account credentials. The campaign, known as FrostArmada, peaked in December 2025, infecting approximately 18,000 devices across 120 countries, primarily targeting government agencies and IT providers. APT28 exploited vulnerabilities in routers, including CVE-2023-50224, to redirect DNS queries to attacker-controlled servers, enabling adversary-in-the-middle (AitM) attacks. Victims were often unaware, as the only indication of compromise was a warning for an invalid TLS certificate. The operation was supported by Microsoft and involved cooperation with the FBI and other international agencies to take down the malicious infrastructure. The UK’s National Cyber Security Centre (NCSC) also issued a warning about ongoing threats from APT28, emphasizing the need for organizations to secure their routers against such attacks.

Key Points:

  • APT28 hijacked DNS settings of routers to steal Microsoft credentials.
  • The campaign infected 18,000 devices globally, targeting government and IT sectors.
  • CVE-2023-50224 was exploited in these attacks, allowing unauthorized access.
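Because the compromise described above shows up as an unexpected DNS resolver on the router rather than as malware on a host, a simple defensive check is to audit exported router configurations against an allowlist of approved resolvers. The script below is an added example, not code from the page or from any vendor: the `set dns-server` line format is a generic stand-in for whatever a real device exports, and the device names, resolver addresses and config text are constructed.

```python
"""
Audit router DNS resolver settings against an allowlist.
Added example for this page; all configuration data below is constructed.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Approved corporate resolvers (assumed values for this example).
APPROVED_RESOLVERS = frozenset({"10.0.0.53", "10.0.1.53"})

# Constructed config exports, one text blob per device. The "set dns-server"
# syntax is a generic stand-in, not any vendor's real command format.
SAMPLE_EXPORTS = {
    "edge-rtr-01": "hostname edge-rtr-01\nset dns-server 10.0.0.53 10.0.1.53\n",
    "branch-rtr-07": "hostname branch-rtr-07\nset dns-server 10.0.0.53 203.0.113.45\n",
    "lab-rtr-03": "hostname lab-rtr-03\nset dns-server 10.0.1.53\nset ntp-server 10.0.0.123\n",
}

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_resolvers(config_text: str) -> List[str]:
    """Return every valid IPv4 address found on config lines that mention DNS.

    Lines about other services (NTP, syslog, ...) are ignored so their
    addresses do not produce false findings.
    """
    found: List[str] = []
    for line in config_text.splitlines():
        if "dns" not in line.lower():
            continue
        for token in _IPV4.findall(line):
            try:
                ipaddress.IPv4Address(token)
            except ValueError:
                continue  # skip malformed octets such as 999.1.1.1
            found.append(token)
    return found


def audit_resolvers(exports: Dict[str, str], approved: Iterable[str]) -> Dict[str, List[str]]:
    """Map device name -> sorted resolvers that are not on the allowlist.

    Devices whose resolvers are all approved are omitted from the result,
    so an empty dict means every audited device is clean.
    """
    approved_set = set(approved)
    findings: Dict[str, List[str]] = {}
    for device, text in exports.items():
        unexpected = sorted(set(parse_resolvers(text)) - approved_set)
        if unexpected:
            findings[device] = unexpected
    return findings


if __name__ == "__main__":
    for device, bad in audit_resolvers(SAMPLE_EXPORTS, APPROVED_RESOLVERS).items():
        print(f"{device}: unexpected DNS resolver(s) {', '.join(bad)}")
```

Run against real exports, the same check belongs in a scheduled job that diffs each device's resolver list against the approved set and alerts on any change, since a resolver swap is the first observable step of the redirection described in the summary.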

Key Entities

  • Apt28 (apt_group)
  • Data Breach (attack_type)
  • Man-in-the-Middle (attack_type)
  • Russia (country)
  • CVE-2023-50224 (cve)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)