What Happened
The FBI executed a court-authorized technical operation on or around April 7-8, 2026 to dismantle FrostArmada, a large-scale cyber espionage campaign attributed to APT28, the Russian military intelligence unit operating under GRU unit 26165 — also tracked as Forest Blizzard, Fancy Bear, Sofacy, and Storm-2754.
In the FrostArmada campaign, APT28 operators compromised thousands of small office and home office routers, primarily MikroTik and TP-Link devices running end-of-life firmware or lagging on security updates. The attackers modified DNS settings on these devices to redirect resolution requests for targeted domains to attacker-controlled virtual private servers acting as adversary-in-the-middle (AitM) DNS resolvers. When users on compromised networks authenticated to Microsoft Outlook on the Web or other Microsoft 365 subdomains, their authentication tokens were intercepted and exfiltrated.
At its peak in December 2025, the FrostArmada network included more than 18,000 unique router IP addresses spanning 120 countries. Microsoft confirmed that more than 200 organizations and 5,000 consumer devices were affected by APT28’s malicious DNS infrastructure. The FBI’s court-authorized operation reset DNS configurations on affected routers by delivering cleanup commands that removed APT28’s resolvers and forced devices back to legitimate internet service provider DNS servers. Sources: BleepingComputer, Krebs on Security, NCSC, Microsoft Security Blog.
Why This Matters for Canadian Organizations
APT28 prioritizes government ministries — including foreign affairs, law enforcement, and intelligence-adjacent agencies — along with third-party email and cloud service providers. These are categories well represented across the Canadian federal government, provincial administrations, and the broader public sector. Canada’s reliance on Microsoft 365 for government collaboration and communication makes this campaign directly relevant to every federal department and Crown corporation using Exchange Online or SharePoint Online.
The FrostArmada technique is particularly effective against organizations where employees work from home or connect from branch offices through consumer-grade routers. These devices receive less security attention than enterprise firewalls, and firmware update cadences are often poor. A compromised home router can intercept Microsoft 365 authentication flows even from a fully patched corporate laptop, meaning endpoint defenses provide no protection against DNS-layer credential theft.
The NCSC, FBI, NSA, and Five Eyes partners jointly published technical indicators and mitigation guidance in connection with this disclosure. Canadian organizations should treat this as a direct advisory from their intelligence community. The Canadian Centre for Cyber Security (CCCS) has historically issued guidance aligned with NCSC and FBI joint advisories within 24-48 hours of publication.
What to Do
Audit your DNS resolver settings, particularly for remote workers using home or small office routers. Devices running MikroTik RouterOS or TP-Link firmware should be verified as running current firmware and should use only your organization’s or ISP’s legitimate DNS resolvers. Flag any resolvers pointing to unexpected or unrecognized IP addresses for immediate investigation.
Enable phishing-resistant MFA on all Microsoft 365 accounts — specifically FIDO2 security keys or certificate-based authentication. Standard authenticator app MFA does not protect against AitM token theft, which is precisely the attack class FrostArmada was designed to execute.
Deploy Microsoft Entra ID conditional access policies that restrict authentication to known, compliant devices. Token theft attacks lose effectiveness when token binding and device compliance checks are enforced. Review sign-in logs for authentication events originating from unexpected geographic locations or IP ranges, particularly within the period December 2025 through April 2026.
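As an added example (not from the original advisory), the sign-in review above can be scripted against exported Entra ID sign-in records. The records below are constructed and modelled on the Microsoft Graph signIn fields `createdDateTime`, `userPrincipalName`, `ipAddress`, `location.countryOrRegion` and `status.errorCode`; the expected-country set and the review window (December 2025 through April 2026, as stated in the advisory) are the assumptions. Successful sign-ins inside the window are flagged when they come from a country outside the expected set or from a source IP the user was never seen using before the window, which is the pattern a stolen token replayed from attacker infrastructure would produce.

```python
"""Review Entra ID sign-in records for unexpected locations or source IPs.

Added example; the sign-in records are constructed sample data shaped like
Microsoft Graph signIn objects, not real tenant logs.
"""
from datetime import datetime, timezone
from typing import Dict, List, Set

WINDOW_START = datetime(2025, 12, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 30, 23, 59, 59, tzinfo=timezone.utc)
EXPECTED_COUNTRIES = {"CA"}  # assumption: workforce authenticates from Canada

# Constructed sample records (documentation IP ranges only).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-11-14T08:12:33Z", "userPrincipalName": "alice@example.ca",
     "ipAddress": "198.51.100.20", "location": {"countryOrRegion": "CA"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-01-09T13:45:02Z", "userPrincipalName": "alice@example.ca",
     "ipAddress": "198.51.100.20", "location": {"countryOrRegion": "CA"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-17T02:03:11Z", "userPrincipalName": "alice@example.ca",
     "ipAddress": "192.0.2.45", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-10-02T09:00:00Z", "userPrincipalName": "bob@example.ca",
     "ipAddress": "203.0.113.5", "location": {"countryOrRegion": "CA"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-03T15:22:40Z", "userPrincipalName": "bob@example.ca",
     "ipAddress": "203.0.113.5", "location": {"countryOrRegion": "CA"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-04T15:30:00Z", "userPrincipalName": "bob@example.ca",
     "ipAddress": "192.0.2.99", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 50126}},
    {"createdDateTime": "2026-05-12T11:00:00Z", "userPrincipalName": "bob@example.ca",
     "ipAddress": "192.0.2.99", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-01-20T10:10:10Z", "userPrincipalName": "carol@example.ca",
     "ipAddress": "198.51.100.30", "location": {"countryOrRegion": "CA"}, "status": {"errorCode": 0}},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps Graph emits (trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_baseline(records: List[dict]) -> Dict[str, Set[str]]:
    """Per-user set of source IPs seen on successful sign-ins before the window."""
    baseline: Dict[str, Set[str]] = {}
    for r in records:
        if parse_ts(r["createdDateTime"]) < WINDOW_START and r["status"]["errorCode"] == 0:
            baseline.setdefault(r["userPrincipalName"], set()).add(r["ipAddress"])
    return baseline


def review_signins(records: List[dict]) -> List[dict]:
    """Return successful in-window sign-ins with one or more review reasons."""
    baseline = build_baseline(records)
    flagged: List[dict] = []
    for r in records:
        ts = parse_ts(r["createdDateTime"])
        if not (WINDOW_START <= ts <= WINDOW_END):
            continue
        if r["status"]["errorCode"] != 0:
            continue  # a replayed stolen token succeeds; failures are a separate review
        reasons: List[str] = []
        country = r["location"]["countryOrRegion"]
        if country not in EXPECTED_COUNTRIES:
            reasons.append(f"unexpected country: {country}")
        known = baseline.get(r["userPrincipalName"], set())
        if r["ipAddress"] not in known:
            reasons.append("no baseline for user" if not known else "source IP not seen in baseline")
        if reasons:
            flagged.append({"userPrincipalName": r["userPrincipalName"],
                            "createdDateTime": r["createdDateTime"],
                            "ipAddress": r["ipAddress"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in review_signins(SAMPLE_SIGNINS):
        print(hit["createdDateTime"], hit["userPrincipalName"], hit["ipAddress"], "; ".join(hit["reasons"]))
```

A user with no pre-window history is reported with "no baseline for user" rather than silently passed, since a new hire or a rarely used account is exactly where a replayed token would otherwise hide; those hits are triaged by confirming the IP with the user rather than dismissed.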
Organizations that suspect compromise should report to the Canadian Centre for Cyber Security at contact@cyber.gc.ca and to the RCMP’s National Division Cybercrime Investigations Unit.