APT28 Hijacks SOHO Routers to Steal Microsoft 365 Credentials
An international operation by law enforcement authorities in partnership with private companies has disrupted FrostArmada, an APT28 campaign that hijacked local traffic from MikroTik and TP-Link routers.
What Happened
The Russia-linked advanced persistent threat group APT28 (also tracked as Forest Blizzard or Fancy Bear) has been conducting a global campaign, dubbed “FrostArmada,” to compromise small office/home office (SOHO) routers. The threat actors targeted insecure MikroTik and TP-Link devices and modified their Domain Name System (DNS) settings. The campaign has now been disrupted by an international operation involving law enforcement and private-sector partners. Its primary objective was to hijack local network traffic in order to steal Microsoft 365 login credentials from users.
Why It Matters
This campaign represents a significant evolution in APT28’s tactics, shifting focus from direct endpoint exploitation to compromising foundational network infrastructure. By targeting SOHO routers, which are often overlooked in corporate security postures, the group gained a stealthy foothold to intercept traffic from entire networks. The theft of Microsoft 365 credentials provides a direct path to corporate email, data, and cloud services, enabling further espionage or ransomware deployment. This incident underscores that network edge devices are critical assets requiring enterprise-grade security.
Technical Details
APT28 exploited routers that were either improperly secured or running outdated firmware; no specific CVE was cited for this campaign. After gaining access, the actors reconfigured the router’s DNS settings so that, instead of pointing to legitimate DNS servers, the devices used attacker-controlled DNS servers. This allowed the group to perform DNS hijacking, redirecting users who attempted to reach legitimate Microsoft 365 login pages (such as login.microsoftonline.com) to sophisticated phishing proxies. These proxies harvested usernames, passwords, and session cookies while forwarding the traffic to the real service, making the interception nearly invisible to end users.
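As an added example, not taken from the advisory or from any vendor tooling, the following Python audit helper encodes the two checks this section implies for a defender: whether a router's configured upstream resolvers match an approved list, and whether the router's resolver returns answers for the Microsoft 365 login hostnames that diverge from a trusted reference resolver or land inside the LAN. The resolver addresses and DNS answers are constructed sample values; collecting them from a real router (its DNS configuration and a query sent through it) is left to the caller.

```python
import ipaddress
from dataclasses import dataclass

# Hostnames the advisory says were redirected to phishing proxies.
WATCHED_HOSTS = ("login.microsoftonline.com", "login.microsoft.com")
# Upstream resolvers approved for the organisation's routers (constructed
# placeholders; substitute your ISP or internal resolver addresses).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# RFC 1918 space: a Microsoft login hostname must never resolve here.
LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Finding:
    severity: str  # "critical", "high" or "medium"
    detail: str

def audit_upstream_servers(configured):
    """Flag each upstream DNS server on the router that is not on the approved list."""
    findings = []
    for server in configured:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            findings.append(Finding("high", f"malformed DNS server entry: {server!r}"))
            continue
        if server not in APPROVED_RESOLVERS:
            findings.append(Finding("high", f"unapproved upstream DNS server: {server}"))
    return findings

def audit_answers(router_answers, reference_answers):
    """Compare A records from the router's resolver with a trusted reference resolver.
    Geo-DNS can legitimately give different addresses for Microsoft services, so a
    disjoint answer is 'high' pending verification; a LAN address is a hijack."""
    findings = []
    for host in WATCHED_HOSTS:
        router = set(router_answers.get(host, ()))
        reference = set(reference_answers.get(host, ()))
        if not router:
            findings.append(Finding("medium", f"{host}: no answer from router resolver"))
            continue
        if router.isdisjoint(reference):
            findings.append(Finding("high", f"{host}: router {sorted(router)} vs reference {sorted(reference)}"))
        for ip in router:
            if any(ipaddress.ip_address(ip) in net for net in LAN_RANGES):
                findings.append(Finding("critical", f"{host}: resolves to LAN address {ip}"))
    return findings

def run_audit(configured_servers, router_answers, reference_answers):
    # Combine both checks and order the findings most severe first.
    findings = audit_upstream_servers(configured_servers) + audit_answers(router_answers, reference_answers)
    return sorted(findings, key=lambda f: ("critical", "high", "medium").index(f.severity))
```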
Immediate Risk
The immediate risk remains HIGH for organizations with remote workers or branch offices using consumer-grade SOHO routers. While the infrastructure for this specific campaign has been disrupted, the compromised routers likely still carry the modified DNS configuration. Any credentials stolen prior to the takedown are in APT28’s possession and could be used in follow-on attacks. Organizations must assume that Microsoft 365 credentials from affected networks are compromised. The urgent task is to audit and reset all network infrastructure, not just endpoints, as detailed in our advisory on Azure Kubernetes Privilege Escalation (CVE-2026-33105) - Patch Now.
Security Insight
This campaign highlights a dangerous asymmetry: attackers are treating SOHO routers with the strategic importance of enterprise servers, while defenders often relegate them to an “IT appliance” status. Similar to how threat actors increasingly exploit supply chain and cloud misconfigurations – as seen in recent Microsoft Command Injection flaws – they are now weaponizing the trust users place in their local network. The defensive takeaway is not just to patch routers, but to segment them. Treat the SOHO router network as an untrusted zone, mandating VPN use for all corporate resource access, effectively nullifying the value of local DNS hijacking.