An international law enforcement operation has dismantled a large cyber-espionage network that turned thousands of home and small office routers into tools for Russian intelligence. The campaign, codenamed “FrostArmada,” targeted vulnerable internet-exposed devices to hijack network traffic and steal authentication credentials from high-value targets worldwide.
The operation, known as Operation Masquerade, involved a coordinated effort between the U.S. Department of Justice, the FBI, the Polish government, and private cybersecurity firms. By neutralizing the offending infrastructure, authorities have cut off a primary conduit used by the Russian state to harvest Microsoft 365 logins and OAuth tokens from government agencies, military personnel, and critical infrastructure sectors via BleepingComputer.
The group behind the router hijacking is APT28. Also tracked as Fancy Bear, Forest Blizzard, and Strontium, APT28 is almost certainly the 85th Main Special Service Centre (GTsSS) of the Russian Main Intelligence Directorate (GRU), military unit 26165 via Tom’s Hardware.
The Mechanics of FrostArmada: How DNS Hijacking Works
The FrostArmada campaign did not target individual laptops or smartphones directly. Instead, it focused on the “front door” of the network: small office and home office (SOHO) routers. The attackers primarily exploited vulnerabilities in MikroTik and TP-Link routers, though some older Fortinet models and Nethesis firewall products were also compromised via BleepingComputer.
Once the hackers gained access to a router, they changed its DNS settings and the DNS servers its DHCP service hands out to every client on the LAN. In a normal setup, a DNS (Domain Name System) resolver acts like a phonebook for the internet, translating a name such as “outlook.office365.com” into an IP address. APT28 pointed these settings at virtual private servers (VPS) under its own control, which acted as malicious DNS resolvers via Tom’s Hardware.
This gave the attackers an “adversary-in-the-middle” (AitM) position. When a user on the compromised network tried to log in to a targeted service, the malicious resolver answered with the address of a fake login page hosted on attacker-owned infrastructure. Because the redirection happened at the router, not on the user’s device, nothing looked unusual to the victim: there was no phishing e-mail to open and no link to click before credentials were captured via The Hacker News.
Who Was Targeted and Why?
The primary goal of the GRU was not the consumer router owners themselves, but rather the individuals and organizations operating behind them. The DNS hijacking allowed Russian intelligence to target “individuals of interest to the Kremlin,” including those working in military, government, and critical infrastructure sectors via The Hacker News.
By stealing Microsoft 365 logins and OAuth tokens, APT28 could gain persistent access to corporate and government email accounts. A stolen token represents an already-authenticated session, so the attackers could reuse it without having to defeat multi-factor authentication (MFA) again at each login. This enabled long-term passive collection of email and intelligence gathering on foreign ministries and law enforcement agencies via BleepingComputer.
Global Scale and the Takedown
The scale of the operation was significant. At its peak in December 2025, the FrostArmada campaign had infected 18,000 devices across 120 different countries via BleepingComputer. The campaign had been active since at least May 2025, according to research from Lumen’s Black Lotus Labs via The Hacker News.
The disruption of the network was the result of a multi-sector partnership. Microsoft worked alongside Black Lotus Labs to map the malicious activity and identify the victims. This technical intelligence was then handed over to the FBI and the U.S. Department of Justice, who, with support from the Polish government, executed a court-authorized technical operation to neutralize the infrastructure via BleepingComputer.
| Detail | Information |
|---|---|
| Threat Actor | APT28 (GRU Unit 26165) |
| Primary Hardware Targeted | TP-Link and MikroTik SOHO routers |
| Peak Infection Count | 18,000 devices in 120 countries (Dec 2025) |
| Primary Objective | Theft of Microsoft 365 credentials and OAuth tokens |
| Takedown Operation | Operation Masquerade |
What This Means for Home and Small Business Users
While the FrostArmada infrastructure has been neutralized, the campaign highlights a persistent weakness in how many home and small business networks are secured. SOHO routers are often the weakest link because they are left with default passwords, outdated firmware, or management interfaces exposed to the internet, which makes them easy targets even for state-sponsored actors.
For those using MikroTik, TP-Link, or other consumer-grade networking gear, this event is a reminder that “set it and forget it” is a dangerous strategy. When a router is compromised, every device connected to it, from a work laptop to a smartphone, is exposed to traffic redirection and credential harvesting, regardless of how well the device itself is patched.
How to Protect Your Network
- Update Firmware Regularly: Ensure your router is running the latest software from the manufacturer to patch known vulnerabilities.
- Change Default Credentials: Never use the default admin username and password that came with the device.
- Disable Remote Management: Turn off the ability to manage your router from the internet (WAN side) to reduce the attack surface.
- Monitor DNS Settings: Periodically check two things on the router: the upstream DNS servers it forwards to, and the DNS servers its DHCP service hands out to clients. Both should be the router itself, your ISP’s resolvers, or a known public resolver (such as Google or Cloudflare), never an unfamiliar public IP address. Compare what a client actually received from DHCP against what you expect.
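The following script is an added example, not code from the original article or from any of the organizations named in it. It turns the DNS-hijacking mechanics described above and the “Monitor DNS Settings” step into two concrete checks a user can run from a client on the LAN: first, whether the resolvers handed out by DHCP (or listed in /etc/resolv.conf) are the router itself or a trusted public resolver; second, whether the local resolver’s answer for a high-value name agrees with a known-good reference resolver. The trusted-resolver allowlist, the lease text, and the DNS answers are all constructed for the example (the 203.0.113.0/24 and 198.51.100.0/24 addresses are IETF documentation ranges standing in for a rogue VPS and for legitimate answers).

```python
"""Spot DNS settings that point a LAN at resolvers it should not trust.

Check 1: classify each resolver a client was given as 'lan' (the router),
         'trusted' (allowlisted public resolver) or 'unknown' (investigate).
Check 2: diff the local resolver's answers against a reference resolver's.
All sample inputs below are constructed; they are not captures from any
real incident.
"""
import ipaddress
import re

# Allowlist of public resolvers. Add your ISP's resolvers (assumed values).
TRUSTED_RESOLVERS = {
    "8.8.8.8", "8.8.4.4",            # Google
    "1.1.1.1", "1.0.0.1",            # Cloudflare
    "9.9.9.9", "149.112.112.112",    # Quad9
}

# Address space in which the router itself may legitimately act as resolver.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8")]


def parse_resolv_conf(text):
    """Return the nameserver IPs from resolv.conf-style text."""
    return [m.group(1) for m in re.finditer(r"^\s*nameserver\s+(\S+)", text, re.M)]


def parse_dhclient_lease(text):
    """Return DNS servers from ISC dhclient lease 'option domain-name-servers' lines."""
    ips = []
    for m in re.finditer(r"option domain-name-servers\s+([^;]+);", text):
        ips.extend(ip.strip() for ip in m.group(1).split(","))
    return ips


def classify_resolver(ip):
    """'trusted' (allowlisted), 'lan' (router/local), or 'unknown' (investigate)."""
    if ip in TRUSTED_RESOLVERS:
        return "trusted"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # malformed entry: treat as suspicious, not fatal
        return "unknown"
    if addr.is_loopback or any(addr in net for net in LAN_NETWORKS):
        return "lan"
    return "unknown"


def check_resolvers(ips):
    """Return the resolvers that are neither trusted nor on the LAN."""
    return [ip for ip in ips if classify_resolver(ip) == "unknown"]


def compare_answers(name, local_answers, reference_answers):
    """Return addresses the local resolver returned for `name` that the
    reference resolver never did. A non-empty result is a prompt to
    investigate, not proof: CDN-hosted names legitimately vary by resolver."""
    return sorted(set(local_answers) - set(reference_answers))


# Constructed sample: a dhclient lease as a hijacked router might hand out.
# 192.168.88.1 is the router; 203.0.113.45 stands in for an attacker VPS.
SAMPLE_LEASE = """lease {
  interface "eth0";
  fixed-address 192.168.88.10;
  option routers 192.168.88.1;
  option domain-name-servers 192.168.88.1, 203.0.113.45;
}"""

# Constructed answers for outlook.office365.com: the local resolver points at
# a rogue host, the reference resolver returns the (stand-in) real addresses.
SAMPLE_LOCAL = ["203.0.113.80"]
SAMPLE_REFERENCE = ["198.51.100.10", "198.51.100.11"]


if __name__ == "__main__":
    dhcp_dns = parse_dhclient_lease(SAMPLE_LEASE)
    for ip in dhcp_dns:
        print(f"DHCP resolver {ip}: {classify_resolver(ip)}")
    print("resolvers to investigate:", check_resolvers(dhcp_dns))
    print("suspect answers for outlook.office365.com:",
          compare_answers("outlook.office365.com", SAMPLE_LOCAL, SAMPLE_REFERENCE))
```

Two caveats when running this for real. A hijacked router can hand out only its own LAN address as resolver and forward upstream to the rogue VPS, which this client-side check classifies as “lan”; the upstream forwarder is visible only in the router’s own DNS configuration, so check that too. And a mismatch between the local and reference answers for a CDN-hosted name such as outlook.office365.com is common and benign; the useful signal is an answer that lands on an address range that has nothing to do with the service, which is what the constructed sample shows.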
The disruption of the FrostArmada network is a significant win for international cybersecurity, but the tactic APT28 used, targeting the network infrastructure rather than the endpoint, is likely to persist. As the GRU continues to evolve its methods, the responsibility for basic network hygiene falls increasingly on the end user.
Authorities have not announced a date for further public briefings, but the U.S. Department of Justice is expected to continue its investigations into the associated Russian intelligence actors. We will provide updates as new court filings or official advisories are released.
Do you regularly update your router’s firmware, or is it a task that often slips through the cracks? Let us know in the comments below and share this article to help others secure their home networks.