
When attackers compromise your router's DNS settings, they gain the ability to intercept every authentication attempt from your organization to Microsoft 365 and other cloud services. This attack bypasses traditional endpoint security entirely because the manipulation occurs at the network infrastructure level, before traffic even leaves your premises. (Source: BleepingComputer)

The FrostArmada campaign demonstrates why this technique is devastatingly effective: at its peak in December 2025, the operation infected 18,000 devices across 120 countries. By targeting routers rather than individual workstations, attackers achieved massive scale with minimal effort.

Microsoft 365 represents an exceptionally valuable target for credential harvesting operations. Your organization's entire email archive, SharePoint documents, Teams conversations, and OneDrive files become accessible with a single set of compromised credentials. Unlike traditional phishing that requires users to click malicious links, DNS hijacking transparently redirects legitimate login attempts to attacker-controlled servers.


The business consequences manifest immediately. Once attackers capture session cookies or OAuth tokens through the adversary-in-the-middle proxy, they keep access to your cloud environment until those tokens are revoked or expire; a password reset on its own does not end sessions whose tokens are still valid, so revocation has to be explicit. They can download your intellectual property, monitor executive communications, and establish backdoors for future access. The compromised credentials also enable lateral movement into connected systems - your CRM, ERP, and other SaaS applications that trust Microsoft authentication.

What makes router-level DNS hijacking particularly dangerous is its invisibility to standard security tools. Your endpoint detection systems see nothing unusual because the compromise occurs upstream. Users connect to what appears to be the legitimate Microsoft login page, their browsers show the correct URL, and the only warning, an invalid TLS certificate interstitial, is easily dismissed as a minor technical glitch unless browser policy or an HSTS record the browser already holds for that host stops the user from clicking through.

The automatic propagation through DHCP multiplies the damage. When your router pushes malicious DNS settings to every device that renews a lease, laptops, smartphones, tablets, and IoT devices all begin routing authentication traffic through attacker infrastructure. A single compromised router effectively compromises your entire office.

Government agencies and organizations running on-premise email servers faced additional targeting beyond Microsoft 365. The attackers specifically pursued entities with self-hosted infrastructure, recognizing that these organizations often have weaker monitoring capabilities than cloud-native deployments. Three government organizations in Africa experienced direct server compromise through this technique.

The financial impact extends beyond immediate data theft. Organizations must assume total compromise of any accounts that authenticated during the infection window. This triggers mandatory breach notifications, forensic investigations, and potential regulatory penalties. The cleanup process requires resetting every affected credential, revoking all OAuth tokens and sessions, and rotating any other secret that passed through the proxy, disrupting business operations for days or weeks.

Perhaps most concerning, the attack's opportunistic nature meant organizations became collateral damage regardless of their industry or size. The threat actors cast a wide net first, then filtered for high-value targets after establishing access. Your organization might not realize it's compromised until months later when stolen credentials appear on underground markets or enable targeted ransomware deployment.

Attack Chain: From Router Compromise to Credential Harvesting

The attack chain begins when threat actors exploit known vulnerabilities in internet-exposed routers, particularly targeting MikroTik and TP-Link devices, along with Nethesis firewall products and older Fortinet models. These initial compromises leverage unpatched security flaws that administrators often overlook in network edge devices, providing attackers with administrative access to critical routing infrastructure.


Once inside the router, APT28 operators run a two-stage operation through distinct operational clusters. Microsoft describes an "Expansion team" that focuses exclusively on device compromise and botnet growth, systematically scanning for vulnerable routers and establishing persistent backdoor access, with target selection and collection handled separately. This separation of duties reflects the scale and specialization typical of state-sponsored operations.

The DNS manipulation phase represents the core technical innovation of FrostArmada. Rather than simply redirecting all traffic, the compromised routers receive carefully crafted DNS configuration changes that point to attacker-controlled virtual private servers functioning as malicious DNS resolvers. These modifications propagate automatically to internal devices through Dynamic Host Configuration Protocol (DHCP), ensuring every device on the network inherits the poisoned DNS settings without requiring individual compromise.

When victims attempt to authenticate with Microsoft 365 services, their DNS queries for authentication-related domains receive falsified responses. The malicious DNS resolver returns the IP address of an adversary-in-the-middle (AitM) proxy instead of Microsoft's legitimate servers. This redirection occurs transparently at the network level, before traffic encryption, making detection exceptionally difficult for endpoint security tools.

The credential harvesting mechanism operates through a sophisticated proxy service that maintains the appearance of normal authentication flows. Victims connect to what appears to be a legitimate Microsoft login page, with the AitM proxy relaying requests between the user and genuine Microsoft servers. The only visible indicator - an invalid TLS certificate warning - often gets dismissed as a minor technical glitch. Users who click through these warnings unknowingly expose their credentials and OAuth tokens to the attackers' collection infrastructure.

Microsoft's analysis reveals that Forest Blizzard implemented automated filtering processes to determine which DNS requests warranted interception. This selective targeting allowed the operation to scale massively while focusing collection efforts on high-value authentication attempts. The threat actor specifically targeted subdomains associated with Microsoft Outlook on the web, capturing both browser sessions and desktop application authentication.

The persistence mechanisms employed by FrostArmada ensure long-term access even after router reboots or configuration changes. The malware establishes communication channels with attacker infrastructure, receiving updates and new targeting directives remotely. This command-and-control architecture enables dynamic adjustment of DNS manipulation rules based on evolving intelligence requirements.

State-sponsored actors favor router compromise for several strategic advantages. Network infrastructure devices operate continuously with minimal monitoring, providing stable platforms for long-term operations. Their position at the network perimeter grants visibility into all outbound traffic, creating opportunities for bulk credential harvesting across entire organizations. Most critically, router-level attacks largely escape endpoint detection, because the manipulation occurs before traffic reaches monitored devices.

The campaign's focus on government organizations in Africa, Central America, and Southeast Asia, along with connections to a European national identity platform, illustrates how router compromise enables targeted espionage against specific geopolitical interests while maintaining plausible deniability through the use of compromised third-party infrastructure.

APT28 FrostArmada Attack Chain

1. Router Exploitation: threat actors exploit vulnerabilities in MikroTik, TP-Link, and Fortinet edge devices.
2. Botnet Expansion: the Expansion team establishes persistent backdoors and grows the compromised network.
3. DNS Manipulation: routers receive malicious DNS configurations pointing to attacker-controlled resolvers.
4. AitM Proxy Redirect: Microsoft 365 authentication requests are redirected to adversary-in-the-middle proxy servers.
5. Credential Harvesting: users unknowingly expose credentials and OAuth tokens through the proxied login page.

Immediate Detection and Response Actions

Your security team needs to execute specific detection and response measures within distinct timeframes to counter the DNS hijacking threat. The following actions prioritize immediate containment while building toward comprehensive protection.

Immediate Actions (Within Hours)

Begin by auditing your DNS query logs for connections to the malicious VPS infrastructure identified in the campaign. Search specifically for 64.120.31.96, 79.141.160.78, 23.106.120.119, 79.141.173.211, 185.117.89.32, and 185.237.166.55 in your SIEM or DNS monitoring tools. The reporting describes these addresses both as the resolvers pushed to victims and as the adversary-in-the-middle proxies where credentials were harvested, so treat a match in either the resolver field or the answer field of a DNS record as a hit.
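The scan described above, as an added example that is not from the original article or from Microsoft's reporting. It assumes a five-field log layout (timestamp, client, resolver, query name, answer) that you would map onto your own sensor's fields; the sample records and the watched-hostname list are constructed for the example.

```python
import re
from collections import defaultdict

# Resolver/AitM proxy addresses named in the campaign reporting quoted above.
CAMPAIGN_IOCS = frozenset({
    "64.120.31.96", "79.141.160.78", "23.106.120.119",
    "79.141.173.211", "185.117.89.32", "185.237.166.55",
})

# Sign-in hostnames to watch. The list is an assumption for this example;
# extend it with the authentication domains your tenant actually uses.
WATCHED_SUFFIXES = (
    "login.microsoftonline.com",
    "login.microsoft.com",
    "outlook.office.com",
    "outlook.office365.com",
)

# Assumed log layout: "<timestamp> <client-ip> <resolver-ip> <qname> <answer-ip>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<resolver>\S+)\s+"
    r"(?P<qname>\S+)\s+(?P<answer>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed record, or None for junk lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def is_watched(qname):
    """True when qname is one of the sign-in hosts or a subdomain of one."""
    return any(qname == s or qname.endswith("." + s) for s in WATCHED_SUFFIXES)


def scan(lines):
    """Scan DNS records and return three kinds of finding.

    rogue_resolver:  clients whose queries went to a campaign address
                     (the poisoned setting DHCP handed out).
    poisoned_answer: watched sign-in names that resolved to a campaign address
                     (the AitM proxy redirect).
    answers:         every answer seen per watched name, so an analyst can
                     spot anything else that looks out of place.
    """
    findings = {"rogue_resolver": [], "poisoned_answer": [], "answers": defaultdict(set)}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["resolver"] in CAMPAIGN_IOCS:
            findings["rogue_resolver"].append((rec["ts"], rec["client"], rec["resolver"]))
        if is_watched(rec["qname"]):
            findings["answers"][rec["qname"]].add(rec["answer"])
            if rec["answer"] in CAMPAIGN_IOCS:
                findings["poisoned_answer"].append(
                    (rec["ts"], rec["client"], rec["qname"], rec["answer"]))
    return findings


# Constructed sample records, not real telemetry. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for benign addresses.
SAMPLE_LOG = """\
2025-12-03T08:14:02Z 10.0.5.21 10.0.5.1 login.microsoftonline.com. 203.0.113.10
2025-12-03T08:14:03Z 10.0.5.21 10.0.5.1 outlook.office.com. 203.0.113.11
2025-12-03T08:15:40Z 10.0.5.34 185.117.89.32 login.microsoftonline.com. 64.120.31.96
2025-12-03T08:15:41Z 10.0.5.34 185.117.89.32 cdn.example.net. 198.51.100.7
this line is malformed and should be ignored
2025-12-03T08:16:10Z 10.0.5.40 10.0.5.1 www.example.org. 198.51.100.9
"""


if __name__ == "__main__":
    result = scan(SAMPLE_LOG.splitlines())
    for ts, client, resolver in result["rogue_resolver"]:
        print(f"[resolver] {ts} {client} queried campaign resolver {resolver}")
    for ts, client, qname, answer in result["poisoned_answer"]:
        print(f"[answer]   {ts} {client} resolved {qname} to campaign proxy {answer}")
```

Client 10.0.5.34 in the sample shows the full pattern: its queries leave for a campaign resolver, and the sign-in hostname comes back pointing at a campaign address. The per-name answer sets are worth exporting even when nothing matches the list, because the next campaign will use different addresses.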

Lock down TLS error handling on corporate-managed devices through your MDM or browser policy. Certificate pinning for arbitrary web sites is not something you can push to a browser fleet, but you can stop users from clicking past certificate warnings: Chrome and Edge expose the SSLErrorOverrideAllowed policy, and setting it to false turns the interstitial this campaign relied on into a hard stop. Hosts for which the browser already holds an HSTS record cannot be clicked through at all. Apply this first to devices that access Microsoft 365 and other authentication portals, and treat any TLS error on a sign-in domain as a potential interception event rather than a support ticket.

Review OAuth token usage patterns in your Microsoft 365 audit logs for anomalies. Look for tokens being used from unexpected geographic locations or multiple simultaneous sessions from different regions. The attackers collected valid OAuth tokens through their proxy service, allowing them to maintain persistent access even after password changes.
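A check for the pattern in the previous paragraph, written here as an added example rather than a query from the article or from Microsoft: given exported sign-in events, it flags users whose sign-ins come from two different countries inside a short window. The event records, the field names and the one-hour window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events, not real audit data. The field names loosely
# follow an Entra ID sign-in export; point the loader at your own columns.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "time": "2025-12-03T08:20:00Z", "country": "DE", "ip": "198.51.100.20"},
    {"user": "alice@example.com", "time": "2025-12-03T08:32:00Z", "country": "NL", "ip": "203.0.113.44"},
    {"user": "bob@example.com",   "time": "2025-12-03T09:00:00Z", "country": "US", "ip": "198.51.100.31"},
    {"user": "bob@example.com",   "time": "2025-12-03T09:05:00Z", "country": "US", "ip": "198.51.100.31"},
    {"user": "bob@example.com",   "time": "2025-12-03T14:00:00Z", "country": "FR", "ip": "203.0.113.9"},
    {"user": "carol@example.com", "time": "2025-12-03T10:10:00Z", "country": "GB", "ip": "198.51.100.50"},
]


def parse_time(value):
    """Timestamps are assumed to be UTC in ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def concurrent_regions(events, window=timedelta(hours=1)):
    """Return {user: [(earlier_country, earlier_ip, later_country, later_ip), ...]}
    for every user with sign-ins from two different countries inside `window`.

    A stolen token replayed from attacker infrastructure shows up as a session
    that overlaps in time with the victim's own session but comes from somewhere
    the victim is not.
    """
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append((parse_time(event["time"]), event))

    flagged = {}
    for user, items in by_user.items():
        items.sort(key=lambda pair: pair[0])
        hits = []
        for i, (t_earlier, earlier) in enumerate(items):
            for t_later, later in items[i + 1:]:
                if t_later - t_earlier > window:
                    break  # sorted, so nothing after this is inside the window
                if later["country"] != earlier["country"]:
                    hits.append((earlier["country"], earlier["ip"],
                                 later["country"], later["ip"]))
        if hits:
            flagged[user] = hits
    return flagged


if __name__ == "__main__":
    for user, hits in concurrent_regions(SAMPLE_SIGNINS).items():
        for c1, ip1, c2, ip2 in hits:
            print(f"{user}: {c1} ({ip1}) and {c2} ({ip2}) inside the window")
```

Geolocation is noisy (mobile carriers, VPN egress, travel), so the output is a triage list, not a verdict; the useful follow-up is whether the second sign-in reused a token issued to the first session rather than completing a fresh authentication.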

Short-Term Actions (Within Days)

Move enterprise endpoints to DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) with an explicitly configured provider such as Cloudflare (1.1.1.1) or Quad9 (9.9.9.9) as the primary resolver, not a fallback. Encrypted DNS only defeats router-level manipulation when the resolver is pinned in the client configuration: an "automatic" DoH mode that upgrades whatever resolver DHCP hands out will happily upgrade the attacker's resolver, and a client that silently falls back to plaintext port 53 when DoH is blocked is back where it started. Configure browsers and operating systems to use the named provider and to fail closed rather than fall back.

Execute a comprehensive audit of all SOHO routers and firewall devices within your network perimeter. Check each device's DNS resolver configuration through its management interface, verifying that primary and secondary DNS servers match your ISP's legitimate addresses or your chosen enterprise DNS providers. Document any devices showing DNS servers you cannot identify.

Reset credentials for accounts that accessed authentication services during the campaign's active period (May 2025 through March 2026). Prioritize administrative accounts, service accounts with elevated privileges, and accounts belonging to users who dismissed TLS certificate warnings. Include both password resets and OAuth token revocations in this process.

Long-Term Actions (Within Weeks)

Establish automated firmware update processes for all network edge devices. Create an inventory tracking firmware versions for every router, firewall, and network appliance, with automated alerts when new security updates become available. Replace any devices that no longer receive vendor security updates, as these represent permanent vulnerabilities in your infrastructure.

Configure DNSSEC validation on the resolvers your clients actually use. Validation only protects you when it happens on a resolver the attacker does not control and the queried zone is signed: a client that trusts an attacker-run resolver to validate on its behalf gains nothing, and an unsigned zone gets no protection either way. Pair it with DNS filtering that blocks queries to newly registered domains and known malicious infrastructure.

Implement network segmentation that isolates SOHO devices and guest networks from critical infrastructure. Configure firewall rules preventing direct internet exposure of management interfaces on all network devices. Require VPN access with multi-factor authentication for any remote administration of network infrastructure.

Why Government and Hosting Providers Are Primary Targets

Government agencies and hosting providers represent fundamentally different strategic objectives for state-sponsored actors like Russia's GRU Unit 26165. While government targets yield direct intelligence value through diplomatic communications, classified documents, and policy discussions, hosting providers offer something arguably more valuable: a single point of compromise that cascades into thousands of downstream victims.

The attribution to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165 reveals the strategic calculus behind these targeting decisions. State intelligence services operate under collection requirements that prioritize both immediate intelligence gains and long-term persistent access capabilities.

Consider the operational efficiency from the attacker's perspective. Compromising a single hosting provider's infrastructure grants potential access to every customer's authentication flow passing through those systems. When organizations host their own servers—as Microsoft observed with three African government entities—they become direct intelligence collection targets. But when those same organizations rely on shared hosting infrastructure, the compromise of that provider becomes a force multiplier for collection operations.

The campaign's focus on organizations operating their own servers reveals another layer of targeting logic. These entities typically maintain higher-value data stores and custom applications that cloud-native organizations have migrated elsewhere. Government agencies in North Africa, Central America, and Southeast Asia still running on-premise email servers represent intelligence goldmines: years of unencrypted communications, internal policy documents, and personnel records all residing on infrastructure that rarely receives the same security investment as cloud platforms.

The connection to a national identity platform in one European country demonstrates the ultimate prize in state-sponsored cyber operations: population-scale identity management systems. These platforms contain citizen identification numbers, biometric data, and authentication credentials that enable both mass surveillance and targeted impersonation operations.

Router-level DNS manipulation provides state actors with capabilities that traditional malware deployment cannot match. Persistence on the router survives reimaging of workstations, deployment of endpoint security tools, and even hardware replacement of endpoint devices. As long as the compromised router remains in place, every device connecting through it becomes a potential intelligence source.

The automated filtering process APT28 implemented to determine "which DNS requests were of interest" reveals the industrial scale of modern intelligence collection. Rather than manually reviewing millions of intercepted credentials, the operation employed selective targeting algorithms to identify high-value accounts based on domain patterns, user behavior, and organizational affiliation.

This infrastructure-first approach explains why traditional endpoint detection and response solutions proved ineffective against FrostArmada. Security tools installed on workstations and servers cannot see manipulation occurring at the network routing layer. The DNS responses appear legitimate to endpoint security because they originate from what the device believes is its authorized DNS resolver. The one indication, an invalid TLS certificate warning, is raised by the browser during the TLS handshake, before any credential is sent; the harvesting depends on the user clicking through it, which is exactly why that click-through should be disabled by policy.

State intelligence services have recognized that router compromise provides deniable, scalable, and persistent access that surpasses traditional intrusion methods. The sharp activity increase following the UK NCSC's August 2025 report suggests these actors actively monitor defensive publications to refine their operations before detection capabilities mature.

Hardening Routers and DNS Infrastructure Against This Attack

Router hardening requires systematic configuration changes that directly counter the DNS manipulation techniques demonstrated in FrostArmada. Your first priority involves accessing the router's administrative interface and reviewing every DNS-related setting, particularly those controlling DHCP distribution of DNS servers to internal clients.

Begin by documenting your current DNS resolver configuration before making changes. Access your router's DNS settings panel and verify which servers appear in both primary and secondary resolver fields. The attackers modified these exact fields to point victims toward their malicious VPS infrastructure, so any unfamiliar IP addresses warrant immediate investigation.

Factory resets represent your most thorough remediation option when compromise is suspected. The FBI's court-authorized operation reset DNS configurations to remove APT28's resolvers, and a complete factory reset achieves the same result locally, though it does not close the vulnerability that let the attackers in. After resetting, change the default credentials and apply current firmware before reconnecting the device to your network; weak and default passwords remain a common entry point for router compromise.

Stop clients from talking to resolvers you did not choose. Few SOHO routers can verify where a DNS answer came from, but almost every router and firewall can enforce egress rules: permit UDP and TCP port 53 (and 853 for DoT) only to your approved resolvers, drop everything else, and alert on the drops. A device that has picked up a poisoned resolver setting then fails loudly instead of quietly resolving through the attacker's VPS. Where the router itself forwards queries, restrict its forwarder list to the same approved set.

The authentication weakness that enabled mass router compromise stems from exposed management interfaces accepting connections from the public internet. Disable WAN-side management access entirely - legitimate administrative tasks should only occur from within your trusted network. If remote management proves absolutely necessary, restrict access to specific source IP addresses and require VPN connectivity first.

Firmware vulnerabilities provided the initial foothold for router compromises in this campaign. Configure automatic firmware updates where supported, or establish monthly manual update checks for devices lacking auto-update capabilities. The campaign specifically targeted "older Fortinet models" and other end-of-life equipment that no longer received security patches, demonstrating why retirement schedules matter for network infrastructure.

DNS query logging creates the audit trail you need. Enable query and response logging on your router or resolver and forward it to your SIEM. Hijacking does not change how many queries a client makes; it changes the answers and the resolver that supplied them. Alert on any change in the set of addresses returned for Microsoft's sign-in hostnames, on clients querying a resolver outside your approved list, and on answers that match the campaign's infrastructure.

Implement DNS filtering at the router level using reputation-based blocklists that prevent resolution of known malicious domains. While the campaign's VPS infrastructure has been neutralized, similar attacks will emerge using different IP addresses. DNS filtering services that update threat intelligence feeds automatically provide ongoing protection against evolving infrastructure.

For organizations managing multiple routers, deploy configuration management tools that enforce standardized DNS settings across your entire fleet. Centralized management prevents configuration drift and ensures security settings remain consistent. Regular configuration audits should verify that DNS resolvers match your approved list and that no unauthorized changes have occurred.

Test your DNS infrastructure's resistance to hijacking by conducting controlled validation exercises. Configure a test workstation to use your router's DHCP-provided DNS settings, then verify that authentication requests to Microsoft services resolve to legitimate Microsoft IP addresses, not the malicious infrastructure identified in this campaign.
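Example code added here, not from the article or from any vendor, that carries out the validation exercise above and the resolver audit in the short-term actions: it sends an A query for the sign-in hostname to the DHCP-assigned resolver and to a trusted resolver over raw UDP, parses the answers without third-party libraries, and compares them against each other and against the campaign addresses listed earlier. The gateway address, the hostname and the choice of Quad9 as reference resolver are assumptions; build_response exists only so the parser can be exercised offline.

```python
import random
import socket
import struct

# Campaign resolver/proxy addresses listed earlier on this page.
CAMPAIGN_IOCS = frozenset({
    "64.120.31.96", "79.141.160.78", "23.106.120.119",
    "79.141.173.211", "185.117.89.32", "185.237.166.55",
})
# Reference resolver for the trusted answer (Quad9, mentioned above).
# Assumption: use whichever resolver your organisation has decided to trust.
TRUSTED_RESOLVER = "9.9.9.9"


def encode_name(name):
    """Wire-format a hostname as length-prefixed labels."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qid):
    """Single A/IN question with the recursion-desired bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def _skip_name(buf, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(buf, expected_qid):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", buf[:12])
    if qid != expected_qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record; CNAMEs are skipped
            ips.append(socket.inet_ntoa(buf[off:off + 4]))
        off += rdlen
    return ips


def query_a(resolver_ip, name, timeout=3.0):
    """Ask one specific resolver over plain UDP/53, the way a DHCP client would."""
    qid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, qid)


def assess(name, dhcp_resolver, dhcp_answers, trusted_answers):
    """Compare the DHCP-assigned resolver's view against the trusted one."""
    if dhcp_resolver in CAMPAIGN_IOCS:
        return f"ALERT: DHCP-assigned resolver {dhcp_resolver} is a known campaign address"
    poisoned = set(dhcp_answers) & CAMPAIGN_IOCS
    if poisoned:
        return f"ALERT: {name} resolved to campaign proxy {sorted(poisoned)}"
    if not set(dhcp_answers) & set(trusted_answers):
        # GeoDNS can legitimately hand different resolvers different addresses,
        # so a disjoint answer set is a warning to verify, not proof of hijack.
        return f"WARN: {name} answers from {dhcp_resolver} share nothing with the trusted answer"
    return "OK"


def build_response(qid, name, ips):
    """Construct a minimal A-record response so the parser can be tested offline."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
                       for ip in ips)
    return header + question + answers


if __name__ == "__main__":
    import sys
    hostname = "login.microsoftonline.com"
    gateway = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # assumed LAN resolver
    dhcp_view = query_a(gateway, hostname)
    trusted_view = query_a(TRUSTED_RESOLVER, hostname)
    print(assess(hostname, gateway, dhcp_view, trusted_view))
```

Run it from a workstation that takes its DNS from DHCP, passing the gateway address the lease handed out. The script deliberately speaks plain UDP/53 to the named resolver rather than calling the OS resolver, so a DoH setting on the workstation does not mask what the router would serve to an unmanaged device. A WARN is expected occasionally from content delivery networks that answer differently per resolver; an ALERT is not.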

Router Hardening Process Against DNS Manipulation

1. Audit DNS configuration: document current DNS resolver settings and check the primary and secondary resolver fields for unfamiliar addresses; any match against the campaign's infrastructure needs immediate investigation.
2. Factory reset if compromised: perform a complete factory reset to remove malicious DNS resolvers, then change default credentials and apply current firmware before reconnecting to the network.
3. Control DNS egress: enable strict DNS forwarding rules and configure the router to drop DNS traffic to any resolver outside your configured list.
4. Disable WAN management: block all WAN-side management access and restrict admin tasks to the internal network; if remote access is needed, require a VPN with source IP restrictions. Exposed management interfaces were the initial attack surface.
5. Maintain firmware updates: enable automatic firmware updates or establish monthly manual checks, and replace end-of-life equipment that no longer receives security patches.

Why This Threat Evades Traditional Security Controls

Traditional security controls operate on a fundamental assumption: threats originate from or pass through monitored endpoints before reaching critical systems. Router-level DNS hijacking violates this assumption entirely, executing its compromise at the network's edge before traffic ever encounters your security stack.

Consider how enterprise detection typically works. Your endpoint detection and response (EDR) solutions monitor processes, file system changes, and network connections from the perspective of individual workstations and servers. When a user attempts to authenticate to Microsoft 365, the EDR sees an outbound HTTPS connection to what appears to be a legitimate Microsoft domain. The connection uses standard ports, follows expected authentication protocols, and terminates at an IP address that DNS resolution confirms as correct.

The deception occurs upstream, at the router level where DNS queries get answered. Your EDR never sees the DNS manipulation because it happens before the endpoint makes its connection. The router quietly substitutes the attacker's VPS address when responding to DNS queries for authentication domains. From the endpoint's perspective, everything appears normal - it asked for Microsoft's IP address and received an answer from its configured DNS server.

Network intrusion detection systems face similar limitations. IDS platforms analyze traffic patterns, looking for known attack signatures or anomalous behavior. But DNS traffic represents one of the most challenging protocols to monitor effectively. Organizations generate millions of DNS queries daily, making baseline establishment nearly impossible. A query for a Microsoft authentication subdomain looks identical whether it returns a legitimate or malicious IP address. The protocol functions correctly; only the returned data differs.

Even sophisticated security operations centers struggle with this blind spot. DNS queries typically flow through recursive resolvers, creating multiple hops between the initial request and authoritative answer. Security teams rarely have visibility into every resolver in this chain, especially when queries traverse internet service provider infrastructure. The malicious DNS responses in this campaign appeared to originate from the organization's own router - a trusted source that security tools explicitly whitelist to prevent false positives.

Router devices themselves compound the detection challenge through their limited security capabilities. Consumer and small business routers lack comprehensive logging functionality. They don't generate security events when DNS settings change, don't alert on configuration modifications, and rarely support integration with centralized logging platforms. The devices operate as black boxes at the network perimeter, performing critical routing functions without security oversight.

The authentication proxy technique further masks malicious activity. Rather than redirecting victims to obviously fraudulent sites, the attackers operated transparent proxies that forwarded legitimate traffic while harvesting credentials. Users connected to real Microsoft services through the attacker's infrastructure. Response times might increase slightly, but the actual authentication succeeded. Security tools monitoring for failed authentication attempts or suspicious login patterns saw nothing unusual - the logins succeeded using valid credentials and OAuth tokens.

This architectural reality explains why organizations with mature security programs fell victim to these attacks. The compromise occurred in the gap between network infrastructure and endpoint protection, exploiting the trust relationship between internal devices and their default gateway. Traditional security investments focus on protecting data and applications, not the fundamental network services that enable their operation.
