Apr 07, 2026 • Bill Toulas
Authorities disrupt router DNS hijacks used to steal Microsoft 365 logins
Executive Summary
An international law enforcement operation has disrupted FrostArmada, an APT28 campaign targeting MikroTik and TP-Link routers. The threat actors hijacked local DNS traffic to redirect users to malicious servers, enabling theft of Microsoft 365 and Microsoft account credentials. This campaign leveraged compromised SOHO (Small Office/Home Office) routers as proxies to intercept authentication data. The operation, conducted in partnership with private companies, represents ongoing efforts to counter state-sponsored cyber threats targeting critical infrastructure. Organizations using affected router models should verify DNS configurations, apply firmware updates, reset administrator credentials, and audit Microsoft 365 login logs for unauthorized access.
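The "verify DNS configurations" step above can be scripted. The following is an added example, not code from the article or from any of the parties it names: it flags router resolvers outside an approved set and hostnames (here the Microsoft 365 sign-in host) that the router's resolver answers differently from a trusted resolver. The router output, approved resolvers, prefixes and all IP addresses are constructed sample data.

```python
"""Added example: spot two symptoms of router-level DNS hijacking from data an
admin can collect offline. All addresses and the router output are constructed."""
from ipaddress import ip_address, ip_network
import re

# Constructed sample, loosely modelled on a `key: value` router DNS listing.
SAMPLE_ROUTER_DNS_OUTPUT = """\
                 servers: 192.0.2.53,1.1.1.1
         dynamic-servers: 198.51.100.1
   allow-remote-requests: yes
"""
# Assumption: resolvers and prefixes your organisation actually approves.
APPROVED_RESOLVERS = {"1.1.1.1", "9.9.9.9"}
TRUSTED_PREFIXES = [ip_network("198.51.100.0/24")]  # e.g. the ISP-assigned range

def parse_dns_servers(output: str) -> dict:
    """Parse `key: value` lines; comma-separated server lists become sets."""
    servers = {}
    for line in output.splitlines():
        m = re.match(r"\s*([\w-]+):\s*(.*)$", line)
        if m and m.group(1) in ("servers", "dynamic-servers"):
            servers[m.group(1)] = {s for s in m.group(2).strip().split(",") if s}
    return servers

def unapproved_resolvers(output: str) -> set:
    """Configured resolvers that are neither approved nor inside a trusted prefix."""
    found = set()
    for addrs in parse_dns_servers(output).values():
        for addr in addrs:
            if addr not in APPROVED_RESOLVERS and not any(
                    ip_address(addr) in net for net in TRUSTED_PREFIXES):
                found.add(addr)
    return found

def hijacked_hosts(router_answers: dict, trusted_answers: dict) -> list:
    """Hosts for which the router resolver returns an IP the trusted one never does."""
    return sorted(h for h, ips in router_answers.items()
                  if not ips <= trusted_answers.get(h, set()))

# Constructed: the same names resolved via the router vs. a trusted resolver.
ROUTER_ANSWERS = {"login.microsoftonline.com": {"192.0.2.10"},
                  "example.org": {"203.0.113.8"}}
TRUSTED_ANSWERS = {"login.microsoftonline.com": {"203.0.113.20", "203.0.113.21"},
                   "example.org": {"203.0.113.8"}}

if __name__ == "__main__":
    print("unapproved resolvers:", unapproved_resolvers(SAMPLE_ROUTER_DNS_OUTPUT))
    print("suspect hosts:", hijacked_hosts(ROUTER_ANSWERS, TRUSTED_ANSWERS))
```

Feed it the real router listing and real resolver answers to turn the check into a recurring audit; any hit is a reason to follow the firmware, credential-reset and login-log steps above.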
Summary
An international operation by law enforcement authorities, in partnership with private companies, has disrupted FrostArmada, an APT28 campaign that hijacked local traffic from MikroTik and TP-Link routers to steal Microsoft account credentials. [...]
Linked Entities
- APT28