Back

APT28 Hijacks Routers to Steal Credentials in Global Cyber Espionage Campaign

Severity: High (Score: 78.0)

Sources: Ground.News, Heise.De, Infosecurity-Magazine, Globalbankingandfinance, Ukrinform

Summary

APT28, a Russian state-sponsored hacking group, has been exploiting vulnerabilities in consumer and small office routers, specifically targeting MikroTik and TP-Link models, to hijack DNS settings and redirect internet traffic to their servers. This campaign, known as FrostArmada, has affected over 18,000 devices across 120 countries, including government and law enforcement agencies. The attackers utilize the CVE-2023-50224 vulnerability to gain access to these routers, allowing them to conduct adversary-in-the-middle attacks to steal login credentials and authentication tokens. The UK's National Cyber Security Centre (NCSC) and Microsoft have collaborated to disrupt this operation, which has been ongoing since at least August 2025. The NCSC has issued warnings and guidance for organizations to mitigate these risks by updating their devices and using modern security practices. The campaign exemplifies the exploitation of outdated technology and the need for improved cybersecurity measures. Key Points: • APT28 exploits vulnerabilities in MikroTik and TP-Link routers to hijack DNS settings. • Over 18,000 devices across 120 countries have been compromised in the FrostArmada campaign. • The campaign utilizes CVE-2023-50224, allowing adversary-in-the-middle attacks to steal credentials.

Key Entities

  • Apt28 (apt_group)
  • APT 28 (apt_group)
  • Fancy Bear (apt_group)
  • Forest Blizzard (apt_group)
  • GRU (apt_group)
  • Data Breach (attack_type)
  • DDoS (attack_type)
  • Malware (attack_type)
  • Man-in-the-Middle (attack_type)
  • Phishing (attack_type)
  • FrostArmada (campaign)
  • Operation Masquerade (campaign)
  • Democratic National Committee (company)
  • Democratic Party (company)
  • German Air Traffic Control (company)
  • German Bundestag (company)
  • German Parliament (company)
  • MikroTik (platform)
  • MicroTik (platform)
  • France (country)
  • Germany (country)
  • Romania (country)
  • Russia (country)
  • Ukraine (country)
  • CVE-2023-50224 (cve)
  • Government (industry)
  • Jaguar Tooth (malware)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1566 - Phishing (mitre_attack)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed