Router hijack steals tokens

A Russian‑linked campaign called FrostArmada hijacked more than 18,000 home and office routers and used DNS redirection to harvest OAuth tokens and credentials, according to researchers tracking the operation (x.com). The attackers leveraged the router takeover to redirect authentication traffic and exfiltrate session tokens, creating a large-scale credential‑theft foothold across consumer networks (x.com).

A Russian military hacking unit used hijacked home and small-office routers to steal passwords, email, and authentication tokens by silently rerouting internet traffic. (justice.gov) The campaign, which Lumen’s Black Lotus Labs named FrostArmada, compromised more than 18,000 routers across more than 120 countries and fed selected logins into attacker-controlled systems, according to Lumen and law enforcement disclosures published April 7. (lumen.com) (justice.gov)

Microsoft said the operator was Forest Blizzard, also known as Advanced Persistent Threat 28 and Fancy Bear, a group linked to Russia’s military intelligence service. Microsoft said it identified more than 200 organizations and 5,000 consumer devices affected by the group’s malicious Domain Name System infrastructure. (microsoft.com)

The basic trick was simple: change the router’s Domain Name System settings, which act like the internet’s address book, and you can send a victim to the wrong server without changing the web address they typed. The United Kingdom’s National Cyber Security Centre said those fake lookups let the attackers run adversary-in-the-middle attacks that captured passwords, OAuth tokens, and other webmail credentials. (ncsc.gov.uk)

That made the router itself the foothold. Microsoft said compromising internet equipment “upstream” of a target let the group watch traffic from less-monitored home and branch-office networks and then pivot toward larger organizations. (microsoft.com)

The operation did not start with a mass phishing blast. Lumen said the earliest activity began in May 2025 with limited targeting, then expanded sharply after August 6, 2025, when researchers saw widespread router exploitation and Domain Name System redirection. (lumen.com)

The routers were not all used the same way. The Justice Department said the attackers first manipulated many devices indiscriminately, then used automated filtering to decide which Domain Name System requests were worth intercepting for intelligence value. (justice.gov) For selected victims, the spoofed records pointed to lookalike services including Microsoft Outlook Web Access. The Justice Department said that let the group harvest unencrypted passwords, authentication tokens, emails, and other data from devices sharing the compromised network. (justice.gov)

Lumen said the group notably targeted MikroTik and TP-Link routers, while the Justice Department said Russian operators had stolen credentials for thousands of TP-Link routers worldwide since at least 2024. The National Cyber Security Centre said the attackers likely relied on public vulnerabilities to compromise routers and overwrite Domain Name System and Dynamic Host Configuration Protocol settings. (lumen.com) (justice.gov) (ncsc.gov.uk)

On April 7, the Federal Bureau of Investigation and the Justice Department said they had carried out a court-authorized operation to neutralize the United States portion of the router network. The disclosures turned a quiet home-network compromise into a public warning that a changed router setting can be enough to expose a company login. (justice.gov)
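The technique the briefing describes, overwriting a router's DNS and DHCP settings so that webmail and identity hostnames resolve to attacker servers, leaves two client-side traces a defender can check for: the resolver addresses DHCP hands out, and the answers those resolvers give for sensitive hostnames compared with independent resolvers. The script below is an added example written for this page; it is not code from Lumen, Microsoft, the NCSC or any of the agencies cited. The resolver allowlist, the watched hostnames and every address in the sample data are constructed assumptions, and `collect_answers` is a hypothetical hook where a live deployment would plug in real lookups.

```python
"""Client-side check for router-level DNS hijacking.

Added example, not from the article or any vendor. Two checks:
  1. resolvers delivered by DHCP (resolv.conf-style text) must be in an
     expected set, and
  2. the local resolver's answers for login hostnames must share at least
     one address with answers from independent reference resolvers.
All data below is constructed sample input so the script runs offline.
"""
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Hostnames worth verifying. Chosen for illustration; the article only says
# lookalikes of Microsoft Outlook Web Access were used.
WATCHED_HOSTS = ["outlook.office.com", "login.microsoftonline.com"]

# Resolver addresses the network is expected to hand out (assumed values).
EXPECTED_RESOLVERS: Set[str] = {"10.0.0.1", "10.0.0.2"}


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def unexpected_resolvers(servers: Iterable[str], expected: Set[str]) -> List[str]:
    """Resolvers that are not valid IPs or not in the expected set."""
    flagged = []
    for server in servers:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            flagged.append(server)  # malformed entry, worth a look anyway
            continue
        if server not in expected:
            flagged.append(server)
    return flagged


def find_dns_mismatches(
    local_answers: Dict[str, List[str]],
    reference_answers: List[Dict[str, List[str]]],
) -> List[Tuple[str, List[str], List[str]]]:
    """Flag hosts whose local answers share no address with any reference
    resolver. CDN-backed names legitimately differ between resolvers, so
    alert only on zero overlap rather than on any difference."""
    findings = []
    for host, local_ips in local_answers.items():
        ref_ips: Set[str] = set()
        for answers in reference_answers:
            ref_ips |= set(answers.get(host, ()))
        if local_ips and ref_ips and not (set(local_ips) & ref_ips):
            findings.append((host, sorted(local_ips), sorted(ref_ips)))
    return findings


# Constructed sample data: the router-provided resolver list includes an
# unexpected address, and the local answer for the webmail host points
# somewhere no reference resolver agrees with.
SAMPLE_RESOLV_CONF = """# generated by DHCP (constructed sample)
nameserver 10.0.0.1
nameserver 198.51.100.7
"""
SAMPLE_LOCAL = {
    "outlook.office.com": ["198.51.100.23"],
    "login.microsoftonline.com": ["203.0.113.10", "203.0.113.11"],
}
SAMPLE_REFERENCE = [
    {"outlook.office.com": ["203.0.113.20"], "login.microsoftonline.com": ["203.0.113.10"]},
    {"outlook.office.com": ["203.0.113.21"], "login.microsoftonline.com": ["203.0.113.12"]},
]


def collect_answers(hosts: List[str]) -> Dict[str, List[str]]:
    """Hypothetical hook: a live deployment would resolve `hosts` here via
    the local and reference resolvers. The offline example returns samples."""
    return {h: SAMPLE_LOCAL[h] for h in hosts if h in SAMPLE_LOCAL}


def run_checks(resolv_conf: str = SAMPLE_RESOLV_CONF,
               local: Dict[str, List[str]] = None,
               reference: List[Dict[str, List[str]]] = None) -> Dict[str, List[str]]:
    """Run both checks and return the findings in a form easy to assert on."""
    local = collect_answers(WATCHED_HOSTS) if local is None else local
    reference = SAMPLE_REFERENCE if reference is None else reference
    return {
        "unexpected_resolvers": unexpected_resolvers(parse_resolv_conf(resolv_conf), EXPECTED_RESOLVERS),
        "mismatched_hosts": [host for host, _, _ in find_dns_mismatches(local, reference)],
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

Run on its own, the script reports the rogue resolver `198.51.100.7` and the mismatched answer for `outlook.office.com`, while `login.microsoftonline.com` passes because its local answers overlap with a reference resolver. Alerting on zero overlap rather than on any difference is a deliberate choice: load-balanced and CDN-fronted services return different addresses to different resolvers, so a stricter rule would be noisy in practice.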

Shared from Scout.