APT28 Hijacks MikroTik & TP-Link Routers to Steal Microsoft 365 Logins via DNS Redirection
What Happened – An international law‑enforcement operation disrupted “FrostArmada,” an APT28 campaign that compromised thousands of SOHO routers (primarily MikroTik and TP‑Link) and altered their DNS settings to route authentication traffic to attacker‑controlled VPS resolvers. The malicious DNS redirection captured Microsoft 365 credentials and OAuth tokens.
Why It Matters for TPRM –
- Credential theft from a trusted identity provider can cascade to every downstream SaaS service.
- Router‑level DNS hijacks bypass traditional endpoint security, exposing any organization that relies on compromised network hardware.
- The campaign’s global reach (≈18,000 devices in 120 countries) shows the supply‑chain risk of unmanaged or legacy networking gear.
Who Is Affected – Government agencies, law‑enforcement bodies, IT/hosting providers, and any organization operating its own servers that relies on MikroTik, TP‑Link, Nethesis, or older Fortinet routers.
Recommended Actions –
- Inventory all on‑premises routers and verify firmware is up‑to‑date.
- Audit DNS and DHCP configurations for unauthorized changes.
- Enforce MFA on Microsoft 365 accounts and monitor for anomalous OAuth token usage.
- Segment network traffic to limit exposure of compromised devices.
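A concrete way to carry out the DNS/DHCP audit above is to diff each router's exported configuration against an approved-resolver allowlist and flag the three things this campaign relied on: an unapproved upstream resolver, a DHCP scope handing clients an unapproved resolver, and a static override for an identity-provider hostname. The script below is an added example written for this summary, not code from the source article or from any vendor; the sample export is constructed and loosely modelled on MikroTik RouterOS `/export` syntax, and the resolver addresses and domain list are assumed values to replace with your own.

```python
import re
from typing import Dict, List

# Resolvers the organization has approved (assumed values for this example).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Identity-provider domains whose resolution must never be overridden on a router.
IDP_DOMAINS = ("microsoftonline.com", "microsoft.com", "office.com", "live.com")

# Constructed sample export, loosely modelled on RouterOS `/export` output.
# 203.0.113.7 (documentation range) stands in for an attacker-controlled resolver.
SAMPLE_EXPORT = """\
/ip dns
set allow-remote-requests=yes servers=10.0.0.53,203.0.113.7
/ip dns static
add address=203.0.113.7 name=login.microsoftonline.com
add address=192.168.88.1 name=router.lan
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=203.0.113.7 gateway=192.168.88.1
add address=192.168.89.0/24 dns-server=10.0.1.53 gateway=192.168.89.1
"""

_KV = re.compile(r'(\w[\w-]*)=("[^"]*"|\S+)')


def parse_export(text: str) -> List[Dict[str, str]]:
    """Turn an export into records: {'_section': '/ip dns', '_verb': 'set', key: value, ...}."""
    section = ""
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # section header such as "/ip dhcp-server network"
            section = line
            continue
        verb, _, rest = line.partition(" ")
        rec = {"_section": section, "_verb": verb}
        for key, value in _KV.findall(rest):
            rec[key] = value.strip('"')
        records.append(rec)
    return records


def _servers(value: str) -> List[str]:
    return [s for s in value.split(",") if s]


def _is_idp_host(name: str) -> bool:
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IDP_DOMAINS)


def audit_dns(text: str, approved=APPROVED_RESOLVERS) -> List[str]:
    """Return human-readable findings; an empty list means the export passed."""
    findings: List[str] = []
    for rec in parse_export(text):
        sec = rec["_section"]
        if sec == "/ip dns" and "servers" in rec:
            for srv in _servers(rec["servers"]):
                if srv not in approved:
                    findings.append(f"unapproved upstream resolver in /ip dns: {srv}")
        elif sec == "/ip dns static" and "name" in rec:
            if _is_idp_host(rec["name"]):
                findings.append(
                    f"static DNS override for identity-provider host "
                    f"{rec['name']} -> {rec.get('address', '?')}"
                )
        elif sec == "/ip dhcp-server network" and "dns-server" in rec:
            # Handing out the scope's own gateway is normal (the router forwards
            # to its upstream resolvers, which the /ip dns check already covers).
            for srv in _servers(rec["dns-server"]):
                if srv not in approved and srv != rec.get("gateway"):
                    findings.append(
                        f"DHCP scope {rec.get('address', '?')} hands out "
                        f"unapproved resolver {srv}"
                    )
    return findings


if __name__ == "__main__":
    for finding in audit_dns(SAMPLE_EXPORT):
        print("FINDING:", finding)
```

Run it against each router's exported configuration on a schedule and alert on any non-empty result; a change in the upstream resolver or a new static entry for a login hostname is exactly the footprint described in this campaign.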
Technical Notes – The attack vector leveraged router misconfiguration: unauthorized DNS settings, pushed to clients via DHCP, created an adversary‑in‑the‑middle proxy that intercepted authentication requests. Victims saw only TLS‑certificate warnings, which were often ignored. No specific CVE was cited; the compromise stemmed from weak default credentials and unpatched router firmware. Source: BleepingComputer