Ethical Hacking News
Russian state-linked APT28 (Forest Blizzard) is running a large-scale DNS hijacking campaign, tracked as FrostArmada, that compromises insecure MikroTik and TP-Link routers worldwide and uses them to intercept DNS traffic. The operation has affected organizations in North Africa, Central America, Southeast Asia, and Europe, touching more than 18,000 unique IP addresses in over 120 countries, and is the latest example of APT28 turning edge devices into espionage infrastructure.
Key points:
- FrostArmada is a DNS hijacking campaign run by Russian state-linked APT28 (Forest Blizzard) against edge devices worldwide.
- The campaign compromises insecure MikroTik and TP-Link routers, giving Forest Blizzard an adversary-in-the-middle position from which to hijack DNS traffic and collect network data from targeted organizations.
- More than 18,000 unique IP addresses in over 120 countries have been affected, including North African, Central American, Southeast Asian, and European nations.
- The TP-Link side of the campaign centers on CVE-2023-50224, an authentication bypass in TP-Link routers that leaks stored credentials; the page does not name the weakness used against MikroTik devices.
- Forest Blizzard's goal is a network of controlled infrastructure for espionage, with the same position usable in future for malware deployment or denial of service.
The threat landscape has recently been altered by a cyber espionage campaign run by the Russian state-linked Advanced Persistent Threat (APT) group APT28, also known as Forest Blizzard. The group's latest operation, codenamed FrostArmada, exploits insecure MikroTik and TP-Link routers to hijack DNS traffic passing through them, allowing the group to intercept and collect network data from organizations worldwide.
The large-scale exploitation campaign has garnered significant attention from cybersecurity experts and researchers alike, who have been studying its dynamics and impact on global networks. According to Lumen's Black Lotus Labs, this FrostArmada operation is a prime example of APT28's ongoing efforts to compromise edge devices and establish an extensive network of controlled infrastructure that can be used for espionage purposes.
In the course of this campaign, APT28 has compromised over 18,000 unique IP addresses in more than 120 countries. The affected nations include North African, Central American, Southeast Asian, and European countries, where government agencies, law enforcement bodies, and third-party email and cloud service providers have been specifically targeted.
According to Microsoft's Threat Intelligence team, the FrostArmada operation is believed to have begun in May 2025 in a limited capacity. Widespread exploitation of SOHO routers followed in early August 2025, marking a significant escalation in APT28's DNS hijacking efforts. The operation centers on exploiting vulnerabilities in MikroTik and TP-Link routers to turn them into malicious infrastructure under Forest Blizzard's control.
"It is believed that the DNS hijacking operations are opportunistic in nature," Microsoft said, "with the actor gaining visibility of a large pool of candidate target users then filtering down users at each stage in the exploitation chain to triage for victims of likely intelligence value."
On the TP-Link side, the FrostArmada operation exploits CVE-2023-50224 (CVSS score: 6.5), an authentication bypass in TP-Link routers that lets an attacker extract stored credentials via specially crafted HTTP GET requests. Those credentials give Forest Blizzard administrative access to the device and with it control over the DNS settings it hands out to clients. The page does not detail which weakness is used against the MikroTik devices in the campaign.
Beyond its scale, Black Lotus Labs notes that FrostArmada is not only an example of APT28's ongoing cyber espionage activity but also part of a broader trend in which threat actors increasingly target edge devices, which are often unmonitored, rarely patched, and sit in a position to see all of a network's traffic.
"It allows Forest Blizzard to conduct DNS collection on sensitive organizations worldwide and is consistent with the actor's longstanding remit to collect espionage against priority intelligence targets," said Microsoft. "Although we have only observed Forest Blizzard utilizing their DNS hijacking campaign for information collection, an attacker could use an AiTM position for additional outcomes, such as malware deployment or denial of service."
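A router that has been turned into an AiTM position for DNS will typically hand clients answers that differ from what an independent resolver returns for the same name. The check below is an added example written for this article, not code from the page's sources or from any of the vendors or researchers named here: it builds a raw A-record query with the standard library, parses the answer section, and classifies the local answers against a reference set. The sample response bytes, the hostname example.com, the documentation-range addresses, and the resolver IPs in the main block are constructed assumptions for illustration.

```python
import random
import socket
import struct

# Constructed sample: a hand-built DNS response to an A query for example.com
# answering 192.0.2.10 (TEST-NET-1). Not captured from any real router.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # id, flags QR|RD|RA, QD=1, AN=1
    b"\x07example\x03com\x00\x00\x01\x00\x01"             # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04"   # ptr to name, A, IN, TTL 300, rdlen 4
    b"\xc0\x00\x02\x0a"                                   # rdata 192.0.2.10
)


def build_query(qname, txid):
    """Return a minimal A/IN query for qname with the RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lbl.encode() for lbl in qname.rstrip(".").split(".")]
    question = b"".join(bytes([len(lbl)]) + lbl for lbl in labels)
    return header + question + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(msg, off):
    """Return the offset just past a label sequence or a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_a_answers(msg, expected_txid):
    """Extract the IPv4 addresses in the answer section of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: possible spoofed response")
    if not flags & 0x8000:
        raise ValueError("message is not a response")
    off = 12
    for _ in range(qd):                # skip question entries (name + type + class)
        off = _skip_name(msg, off) + 4
    addrs = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def classify(local_answers, reference_answers):
    """Compare what the local resolver returned with an independent reference.

    Any overlap is treated as consistent because large sites legitimately
    rotate or geo-balance addresses; a disjoint answer set is the signal
    worth investigating."""
    if not local_answers:
        return "no-answer"
    if local_answers & reference_answers:
        return "consistent"
    return "divergent"


def query(server, qname, timeout=3.0):
    """Send one UDP query to server:53 and return the A records in the reply."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_answers(data, txid)


if __name__ == "__main__":
    # Assumed addresses: the LAN gateway acting as resolver, and an external
    # reference resolver reached directly. Replace both with your own.
    local = query("192.168.1.1", "example.com")
    reference = query("9.9.9.9", "example.com")
    print(local, reference, classify(local, reference))
```

Run it from a client behind the router under test; a "divergent" result for several well-known names, especially where the local answers point at one shared address, is the pattern a DNS-hijacking router produces. A compromised router can also intercept queries addressed to the reference resolver, so for a stronger check send the reference query over DoH or from outside the network.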
The disruption of the infrastructure associated with FrostArmada has been achieved through a joint operation involving the U.S. Department of Justice, Federal Bureau of Investigation, and other international partners.
Related Information:
https://www.ethicalhackingnews.com/articles/Russian-State-Led-APT28-Exploits-Global-SOHO-Routers-to-Launch-Ambitious-DNS-Hijacking-Campaign-ehn.shtml
https://thehackernews.com/2026/04/russian-state-linked-apt28-exploits.html
https://www.ncsc.gov.uk/news/apt28-exploit-routers-to-enable-dns-hijacking-operations
https://techcrunch.com/2026/04/07/russian-government-hackers-broke-into-thousands-of-home-routers-to-steal-passwords/
https://www.infosecurity-magazine.com/news/russia-apt28-hijack-routers-uk-ncsc/
Published: Tue Apr 7 15:23:38 2026 by llama3.2 3B Q4_K_M