Russian Hackers Were Inside Your Router — And You'd Never Know It
An international operation just shut down FrostArmada — a Russian state hacking campaign that silently hijacked thousands of small office routers to steal Microsoft 365 credentials. Here's exactly what happened and what every Ontario business needs to do today.
Yesterday, the FBI, the U.S. Department of Justice, and the Polish government announced that an international law enforcement operation had dismantled FrostArmada — a large-scale hacking campaign run by APT28, the Russian state-linked group also known as Fancy Bear. The campaign had been running since at least May 2025. At its peak, it had infected 18,000 devices across 120 countries.
The target wasn't corporate data centres or enterprise servers. It was the unassuming router sitting in small offices and home offices — the device most businesses set up once and never think about again. And the method was so quiet, so invisible, that most victims had absolutely no idea they'd been compromised.
What FrostArmada did — and how
The attack was elegant in its simplicity. APT28 exploited known, unpatched vulnerabilities in two of the most common small office router brands — MikroTik and TP-Link. They didn't install malware. They didn't need to. Instead, they changed one setting: the DNS.
DNS — the Domain Name System — is what translates web addresses into actual server locations. When your team types "outlook.com" into their browser, DNS tells the computer where to go. By quietly changing the DNS settings on compromised routers, the attackers ensured that every request to Microsoft 365 and Outlook was silently redirected through their own servers first.
"These guys didn't use malware. They did this in an old-school way that isn't really sexy — but it gets the job done." — Ryan English, Black Lotus Labs Security Engineer
From their position in the middle of the connection, the attackers could harvest login credentials and OAuth tokens — the authentication tokens that let your browser stay signed in to Microsoft 365 without typing a password each time. With those tokens in hand, the attackers had full, persistent access to victim accounts — bypassing MFA entirely, because the user had already completed authentication themselves.
The only visible warning sign? An invalid TLS certificate alert that most users would click straight through without thinking twice.
Why small office routers were the target
This is the part that should concern every small business in Ontario. APT28 didn't go after enterprise hardware with dedicated security teams. They specifically targeted SOHO — Small Office / Home Office — routers: MikroTik and TP-Link devices of the kind found in thousands of small businesses across Canada.
Why? Because small office routers are the least likely to be patched, the least likely to be monitored, and the most likely to be running firmware from the year they were installed. They sit quietly in a corner, doing their job, while vulnerabilities pile up unaddressed for months or years at a time.
MikroTik routers (various models) · TP-Link WR841N · TP-Link Archer C5 and C7 · TP-Link WR1043ND · TP-Link MR3420 and MR6400 · TP-Link WR740N, WR840N, WR842N, WR845N, WR941ND variants · Nethesis firewall products · Older Fortinet models
If your office runs any of these devices and they haven't been updated recently — read the action steps below carefully.
How the attack unfolded step by step
What your business needs to do right now
Log into your router's admin panel and check for firmware updates. If you're running a TP-Link or MikroTik device that hasn't been updated in the past six months, treat it as a priority. If you don't know how to do this — or don't know which router you're running — your IT provider should be doing this for you.
Log into your router admin interface and check which DNS servers are configured. They should be pointing to your ISP's servers, Google (8.8.8.8), Cloudflare (1.1.1.1), or a known enterprise DNS provider. Any unfamiliar IP addresses should be investigated immediately. Your IT provider can verify this for you in minutes.
Most routers have a setting that allows the admin interface to be accessed from the internet. This should be disabled unless your IT team specifically needs it for remote management. Leaving it exposed is one of the key ways attackers gain initial access to routers like the ones targeted in FrostArmada.
Many small office routers still run on factory default usernames and passwords — "admin/admin" being the most common. These are the first credentials attackers try. Change your router's admin password to something strong and unique. This takes two minutes and closes a significant attack vector.
The only visible warning sign in FrostArmada was an invalid TLS certificate alert. Train your team: if a browser shows a certificate error for a site they access every day — especially Microsoft 365 or Outlook — stop immediately and call IT. Do not click "continue anyway."
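The DNS redirection described earlier and the DNS check in the steps above can be tested from any workstation on the network. The script below is an added example, not code from the original post or from 247Techify: it sends a raw DNS query (RFC 1035 wire format) for a Microsoft 365 hostname to the resolver your router hands out and to a trusted resolver, then flags the case where the two answers share no address. The hostname "outlook.com" (taken from the post), the router address 192.168.1.1 and the trusted resolver 1.1.1.1 in the usage comment are assumptions to adjust for your own network.

```python
import ipaddress
import secrets
import socket
import struct

def build_a_query(name, txid):
    """Minimal RFC 1035 query for an A record, recursion desired."""
    labels = [bytes([len(label)]) + label.encode() for label in name.rstrip(".").split(".")]
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # 1 question, no answers
    return header + b"".join(labels) + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(buf, pos):
    """Advance past a domain name, handling compression pointers (top two bits set)."""
    while buf[pos] != 0 and buf[pos] & 0xC0 != 0xC0:
        pos += 1 + buf[pos]
    return pos + (2 if buf[pos] & 0xC0 == 0xC0 else 1)

def parse_a_answers(resp, txid):
    """Return IPv4 strings from the answer section; CNAMEs and other types are skipped."""
    rid, flags, qd, an, _, _ = struct.unpack_from(">HHHHHH", resp, 0)
    if rid != txid or not flags & 0x8000:          # wrong transaction id, or QR bit not set
        raise ValueError("not a response to our query")
    pos = 12
    for _ in range(qd):                            # question: name + QTYPE + QCLASS
        pos = _skip_name(resp, pos) + 4
    answers = []
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack_from(">HHIH", resp, pos)  # TYPE, CLASS, TTL, RDLENGTH
        pos += 10
        if rtype == 1 and rdlen == 4:              # A record carrying one IPv4 address
            answers.append(str(ipaddress.IPv4Address(resp[pos:pos + 4])))
        pos += rdlen
    return answers

def resolve_via(server, name, timeout=3.0):
    """Ask one specific resolver over UDP/53 (live network) and return its A answers."""
    txid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name, txid), (server, 53))
        return parse_a_answers(s.recv(4096), txid)

def answers_disagree(router_answers, trusted_answers):
    """True when the router's resolver and a trusted one share no address for the name.
    CDN-fronted services can disagree benignly, so treat this as a lead for IT, not proof."""
    return not set(router_answers) & set(trusted_answers)

if __name__ == "__main__":
    # Assumed addresses: 192.168.1.1 is the router (your default gateway), 1.1.1.1 is trusted.
    router, trusted = resolve_via("192.168.1.1", "outlook.com"), resolve_via("1.1.1.1", "outlook.com")
    print("router:", router, "trusted:", trusted, "disagree:", answers_disagree(router, trusted))
```

If the router's answers never overlap with the trusted resolver's for a service your staff use daily, check the router's DNS setting before anyone clicks through a certificate warning.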
"Although we have only observed Forest Blizzard utilizing their DNS hijacking campaign for information collection, an attacker could use this position for additional compromise." — Microsoft Security
The bigger picture
FrostArmada has been disrupted — but it won't be the last campaign like it. The reason SOHO routers keep appearing in major cybersecurity incidents is simple: they're everywhere, they're undermanaged, and they connect directly to every device and every service a business uses.
Your router is not a "set it and forget it" device. It's active infrastructure that requires firmware updates, configuration reviews, and ongoing monitoring — just like your computers, your cloud accounts, and your data backups. If nobody on your team is doing that, it's likely not getting done.
At 247Techify we manage the network infrastructure for small and medium businesses across Ontario — including routers, firewalls, DNS configuration, and ongoing monitoring. If you're not sure whether your office network is properly secured, a free IT review is the fastest way to find out.