The Circuitry
By Xavier Rivera · 1.5 min read

Cops Dismantle Router Hijacks Stealing M365 Logins

International authorities disrupt FrostArmada, an APT28 operation hijacking MikroTik and TP-Link routers to steal Microsoft 365 credentials. The takedown protects enterprises from credential theft that could lead to widespread cloud breaches.

Russia's notorious APT28 hacking group loses a key weapon: law enforcement agencies, alongside Microsoft and router makers, just crippled FrostArmada, a campaign hijacking MikroTik and TP-Link routers to siphon Microsoft 365 credentials from victims worldwide.

The operation, dubbed Operation Endgame, targeted DNS hijacking techniques where malware like Winos 4.0 redirected local traffic through attacker-controlled servers. Infected routers forwarded login attempts to phishing sites mimicking Microsoft domains, capturing usernames, passwords, and session tokens for 365 services like Outlook and Teams. BleepingComputer reports the takedown neutralized over 1,300 malicious domains and seized infrastructure across multiple countries.
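As an added defender-side check, not code from the article or from any vendor named in it, the following Python script looks for the redirect pattern described above: it compares the A records that the LAN resolver (on most small networks, the router itself) returns for Microsoft 365 sign-in hostnames against answers from an independent reference resolver, and flags answers that are fully disjoint or that point into non-routable address space. The hostname list and the sample answers (documentation ranges only) are assumptions constructed for this example.

```python
import ipaddress
from typing import Dict, Iterable, List

# Hostnames a Microsoft 365 sign-in touches (assumed list); a router-level DNS
# hijack only has to poison these few names to pull the login flow onto a phishing host.
M365_LOGIN_HOSTS = ("login.microsoftonline.com", "login.microsoft.com", "aadcdn.msftauth.net")

# Ranges where a genuine Microsoft login endpoint never lives: a private,
# loopback or link-local answer for these names is a strong hijack tell.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_non_routable(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE)

def audit_answers(local: Dict[str, Iterable[str]],
                  reference: Dict[str, Iterable[str]]) -> Dict[str, List[str]]:
    """Compare LAN-resolver answers with answers from an independent reference
    resolver (e.g. a DoH query made out of band). Returns leads per host.
    CDN-backed names legitimately rotate IPs, so only a fully disjoint answer
    set is flagged, and every lead still needs an analyst to confirm."""
    findings: Dict[str, List[str]] = {}
    for host in M365_LOGIN_HOSTS:
        local_ips, ref_ips = set(local.get(host, ())), set(reference.get(host, ()))
        issues = [f"non-routable answer {ip}" for ip in sorted(local_ips) if is_non_routable(ip)]
        if not local_ips:
            issues.append("no answer from local resolver")
        elif ref_ips and local_ips.isdisjoint(ref_ips):
            issues.append(f"answers {sorted(local_ips)} disjoint from reference {sorted(ref_ips)}")
        if issues:
            findings[host] = issues
    return findings

# Constructed sample data (documentation ranges, not real Microsoft or attacker
# addresses): the LAN resolver hands back the router's own LAN address for the
# primary login host and an unrelated server for the CDN name.
SAMPLE_LOCAL = {"login.microsoftonline.com": ["192.168.88.1"],
                "login.microsoft.com": ["198.51.100.10"],
                "aadcdn.msftauth.net": ["203.0.113.45"]}
SAMPLE_REFERENCE = {"login.microsoftonline.com": ["198.51.100.10", "198.51.100.11"],
                    "login.microsoft.com": ["198.51.100.10"],
                    "aadcdn.msftauth.net": ["198.51.100.20"]}

if __name__ == "__main__":
    for host, issues in audit_answers(SAMPLE_LOCAL, SAMPLE_REFERENCE).items():
        print(host, "->", "; ".join(issues))
```

Live local answers can be gathered on a LAN host with socket.getaddrinfo, and reference answers with a query to a resolver the router never sits in front of (a DoH endpoint, or a resolver reached over a VPN).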

APT28, also known as Fancy Bear, has long favored router compromises for their persistence and stealth. This campaign exploited unpatched vulnerabilities in MikroTik's RouterOS and TP-Link's firmware, affecting small businesses and enterprises reliant on these budget routers for edge networking. Microsoft shared threat intelligence, while MikroTik and TP-Link aided in sinkholing C2 servers.

The disruption underscores escalating state-sponsored threats to cloud credentials. M365 holds sensitive corporate data for millions; stolen logins enable account takeovers, data exfiltration, and lateral movement into Azure environments. It also exposes a blind spot in router security: many admins overlook firmware updates amid daily operations.

Competitors like Cisco and Ubiquiti face similar scrutiny, but MikroTik's popularity in emerging markets amplifies the risk. With FrostArmada down, remnants may pivot to VPNFilter-style malware or zero-days.

Expect firmware patches imminently and broader calls for router SBOMs. Organizations now audit peripherals, as nation-states evolve faster than patches.

EXPERT TAKE

M365 admins: inventory MikroTik/TP-Link routers now, patch them to the latest firmware, and deploy Conditional Access policies that block legacy authentication to contain the fallout of DNS hijacking.
