APT28 FrostArmada Campaign Hijacks MikroTik and TP-Link Routers for Global DNS Attacks
Summary
Russia-linked APT28 (Forest Blizzard) is conducting a global DNS hijacking campaign codenamed FrostArmada by exploiting insecure MikroTik and TP-Link routers to steal Microsoft account credentials and exfiltrate network data. The campaign targets organizations globally by redirecting DNS queries through compromised routers. Affected organizations should immediately audit router configurations and apply firmware updates.
Threat Analysis
APT28, also known as Forest Blizzard and attributed to Russian military intelligence (GRU), is conducting a sophisticated DNS hijacking campaign codenamed FrostArmada. The operation exploits insecure MikroTik and TP-Link routers, commonly used in small-to-medium businesses and home offices, to intercept and redirect DNS queries. By controlling DNS resolution, the attackers can redirect users to malicious servers that harvest Microsoft account credentials and exfiltrate sensitive network data.

The campaign is global in scope and targets organizations across multiple sectors. MikroTik and TP-Link routers are particularly vulnerable due to widespread use of default credentials, delayed firmware updates, and direct internet exposure. APT28 has a long history of targeting network infrastructure as part of broader espionage operations.

Mitigations:
- Immediately change default credentials on all MikroTik and TP-Link routers.
- Apply the latest firmware updates.
- Disable remote management interfaces if not required.
- Implement DNS-over-HTTPS or DNS-over-TLS on endpoints so that name resolution no longer depends on the resolver the router hands out; this prevents this form of DNS hijacking.
- Monitor DNS query logs for anomalous redirections (for example, queries reaching resolvers other than the expected ones, or sign-in domains resolving to unfamiliar addresses).
- Consider deploying enterprise-grade routers with centralized management and automatic security updates.
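As an added example (not part of the advisory), the following check implements the "monitor DNS query logs" mitigation over constructed log lines: it flags queries that reached a resolver outside an operator allowlist, and answers for a monitored sign-in domain that fall outside a recorded baseline. The log format, resolver addresses and baseline ranges are all assumptions chosen for the example.

```python
"""Flag DNS log records consistent with router-level DNS hijacking.

Assumed log format (constructed, as a network sensor might emit it):
    <timestamp> <client_ip> <resolver_ip> <query_name> <answer_ip>
"""
from ipaddress import ip_address, ip_network

# Constructed allowlist: resolvers that clients are supposed to use.
TRUSTED_RESOLVERS = [ip_network("10.0.0.53/32"), ip_network("1.1.1.1/32")]

# Constructed baseline: ranges a monitored domain normally resolves to.
# 203.0.113.0/24 is a documentation range used here as a placeholder.
BASELINE = {
    "login.microsoftonline.com": [ip_network("203.0.113.0/24")],
}

# Constructed sample log: line 2 shows a client whose DNS was redirected
# to an unknown resolver that returned an address outside the baseline.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.1.20 10.0.0.53 login.microsoftonline.com 203.0.113.10
2024-05-01T10:00:05Z 10.0.1.21 198.51.100.7 login.microsoftonline.com 198.51.100.9
2024-05-01T10:00:09Z 10.0.1.22 10.0.0.53 example.org 192.0.2.80
"""


def parse_line(line):
    """Split one log line into a record with parsed IP addresses."""
    ts, client, resolver, qname, answer = line.split()
    return {"ts": ts, "client": client, "resolver": ip_address(resolver),
            "qname": qname.lower(), "answer": ip_address(answer)}


def analyse(log_text):
    """Return (reason, record) findings for every suspicious log line."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        # A resolver off the allowlist suggests the router's DNS/DHCP
        # settings were rewritten to point clients at attacker infrastructure.
        if not any(rec["resolver"] in net for net in TRUSTED_RESOLVERS):
            findings.append(("untrusted_resolver", rec))
        # A monitored domain answering outside its baseline suggests the
        # response itself was forged to steer users to a credential-harvesting host.
        expected = BASELINE.get(rec["qname"])
        if expected and not any(rec["answer"] in net for net in expected):
            findings.append(("answer_outside_baseline", rec))
    return findings
```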