The United States has successfully disrupted a sophisticated network of compromised small office/home office (SOHO) routers, which was reportedly used by Russian operatives for espionage activities. The operation, revealed on Tuesday by the US Justice Department and the FBI, involved cyberattacks linked to the threat group known as APT28, also referred to as Forest Blizzard and Fancy Bear. This group is believed to operate under the direction of Russia’s military intelligence agency, the GRU.
Methods of the Espionage Operation
The attackers exploited vulnerabilities in TP-Link and MikroTik routers, altering their DHCP and DNS configurations. This manipulation allowed them to reroute internet traffic from affected devices through infrastructure they controlled. By executing an adversary-in-the-middle (AitM) attack, they were able to intercept and collect data such as passwords, authentication tokens, emails, and browsing information from unsuspecting users.
However, the success of these attacks depended on users ignoring TLS certificate warnings, which were triggered by the attackers’ infrastructure. The FBI highlighted that the hackers leveraged a known security flaw, tracked as CVE-2023-50224, to take over TP-Link routers.
Impact and Technical Insights
Microsoft has attributed the cyber activities to Forest Blizzard and a subgroup known as Storm-2754. The company identified over 200 organizations and 5,000 consumer devices that were compromised. According to Microsoft, the attackers modified the default network settings of the routers to use DNS resolvers under their control. This malicious reconfiguration led to a significant number of devices directing their DNS requests to the attackers’ servers.
The dnsmasq utility, a legitimate tool commonly used in smaller networks, was reportedly used by the attackers for DNS resolution. This utility functions as a DNS forwarder and cache, as well as a DHCP server, on small networks. In certain cases, DNS requests were transparently proxied by the attackers’ infrastructure, maintaining connections to legitimate services without interruption. For targeted domains, however, the attackers returned spoofed DNS responses, forcing clients to connect to attacker-controlled servers.
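The two behaviours described above, routers handing out attacker-controlled resolvers over DHCP and those resolvers answering honestly for most names but spoofing a few targeted domains, suggest two defender-side checks. The script below is an added example written for this article, not code from the FBI, Microsoft, Lumen or NCSC reports. It parses a constructed DHCP lease dump in the simple key=value style that udhcpc-type clients write, flags resolver addresses outside a hypothetical allowlist, and then compares constructed answer sets from the router's resolver against a reference resolver, treating a disagreement as strong evidence of selective spoofing only when the same divergent address appears for more than one unrelated domain (a single server standing in for many sites is the AitM pattern; a lone difference can be ordinary CDN steering). All addresses and domain names are documentation-range values made up for the example.

```python
"""Two checks for a DNS-hijacked SOHO router, on constructed data only.

1. rogue_resolvers(): DHCP-provided DNS servers not on the allowlist.
2. find_selective_spoofing(): domains where the router's resolver disagrees
   with a reference resolver, ranked by whether the divergent answer is
   shared across several domains (fan-in), which is the AitM signature.
"""
from collections import Counter

# Hypothetical allowlist: the resolvers this network is expected to hand out.
TRUSTED_RESOLVERS = {"9.9.9.9", "149.112.112.112"}

# Constructed lease dump (udhcpc-style key=value lines). 203.0.113.25 is a
# documentation-range address standing in for an attacker-controlled resolver.
SAMPLE_DHCP_LEASE = """\
ip=192.168.1.20
mask=255.255.255.0
router=192.168.1.1
dns=203.0.113.25 9.9.9.9
domain=lan
"""


def parse_dhcp_dns(lease_text: str) -> list[str]:
    """Return the resolver list from the 'dns=' line of a lease dump."""
    for line in lease_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "dns":
            return value.split()
    return []


def rogue_resolvers(lease_text: str, trusted=TRUSTED_RESOLVERS) -> list[str]:
    """Resolvers the router pushed that are not on the allowlist."""
    return [r for r in parse_dhcp_dns(lease_text) if r not in trusted]


# Constructed observations: (domain, resolver queried, set of A answers).
# The router (192.168.1.1) forwards to the rogue resolver; 9.9.9.9 is the
# reference. Two unrelated domains collapse onto one address, 203.0.113.77.
SAMPLE_OBSERVATIONS = [
    ("mail.example.gov", "192.168.1.1", {"203.0.113.77"}),
    ("mail.example.gov", "9.9.9.9", {"198.51.100.10"}),
    ("login.example.org", "192.168.1.1", {"203.0.113.77"}),
    ("login.example.org", "9.9.9.9", {"198.51.100.44"}),
    ("cdn.example.net", "192.168.1.1", {"192.0.2.5"}),   # benign CDN steering
    ("cdn.example.net", "9.9.9.9", {"192.0.2.9"}),
    ("www.example.com", "192.168.1.1", {"198.51.100.200"}),  # proxied honestly
    ("www.example.com", "9.9.9.9", {"198.51.100.200"}),
]


def find_selective_spoofing(observations, suspect_resolver, reference_resolver):
    """Return (confirmed, candidates).

    candidates: domains whose answer sets from the two resolvers are disjoint.
    confirmed:  the subset whose divergent answer is shared by >1 domain.
    """
    by_domain: dict[str, dict[str, frozenset]] = {}
    for domain, resolver, answers in observations:
        by_domain.setdefault(domain, {})[resolver] = frozenset(answers)

    candidates = {}
    for domain, per_resolver in by_domain.items():
        suspect = per_resolver.get(suspect_resolver)
        reference = per_resolver.get(reference_resolver)
        if suspect is None or reference is None:
            continue  # need both views to compare
        if suspect.isdisjoint(reference):
            candidates[domain] = suspect

    # Fan-in: count how many divergent domains share each answer address.
    fan_in = Counter(ip for answers in candidates.values() for ip in answers)
    confirmed = {
        domain: answers
        for domain, answers in candidates.items()
        if any(fan_in[ip] > 1 for ip in answers)
    }
    return confirmed, candidates


if __name__ == "__main__":
    print("rogue resolvers:", rogue_resolvers(SAMPLE_DHCP_LEASE))
    confirmed, candidates = find_selective_spoofing(
        SAMPLE_OBSERVATIONS, "192.168.1.1", "9.9.9.9")
    print("divergent:", sorted(candidates))
    print("likely spoofed (shared answer):", sorted(confirmed))
```

On a real network the observation list would be built by querying each sentinel domain once through the router and once through a resolver reached over a trusted path; domains that land in `confirmed` are exactly the ones for which users would then see the TLS certificate warnings the article mentions, so the two checks corroborate each other.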
Broader Implications and Responses
Lumen Technologies, through its Black Lotus Labs, has been monitoring this campaign, codenamed FrostArmada, since its inception in August 2025. The campaign ramped up in December 2025, with over 18,000 unique IPs from more than 120 countries interacting with the attackers’ systems. Government agencies, including ministries of foreign affairs and law enforcement, were among the primary targets.
Collaborating with Microsoft and US authorities, Lumen Technologies played a crucial role in dismantling the infrastructure used in these attacks. The UK’s National Cyber Security Centre (NCSC) also issued an advisory, detailing various indicators of compromise and offering defensive strategies. The NCSC’s list included VPS banners, targeted router models, domains, and IP addresses linked to the attackers.
Earlier, in 2024, the FBI had already disrupted a similar botnet used by the same Russian threat group. This highlights the ongoing threat of sophisticated cyber espionage operations and underscores the importance of vigilance and robust cybersecurity measures.
For further details on related cybersecurity disruptions, you may explore cases like the international operations against the Aisuru and Kimwolf DDoS botnets, and the efforts to dismantle the RedVDS cybercrime service by Microsoft and law enforcement agencies.
