Features 28.04.2026

AI Autopsy: APT28’s SOHO Router Campaign Exposes the Hybrid-Work Blind Spot

The bad news: your employee’s 10-year-old home router is part of your network infrastructure

Danny Bradbury asks what CISOs must do to support secure BYOD and work-from-anywhere

Sixty-second snapshot:

  • Russia’s FrostArmada campaign was an opportunistic and wide-ranging cyber-espionage effort
  • APT28 hijacked TP-Link, MikroTik, and older firewall products to redirect DNS requests toward attacker-controlled resolvers
  • The vulnerability (CVE-2023-50224) that allowed the attackers in is an unauthenticated credential-disclosure flaw on hardware long past its end of life
  • CISOs should treat the transport layer as hostile. Render the unmanaged router irrelevant with a tunnel that grabs DNS
  • Enforce phishing-resistant MFA (FIDO2/passkeys) and shorten Microsoft Entra ID session-token lifetimes from the rolling 90-day default
  • Push conditional access policies that evaluate device posture, not just identity; add certificate pinning and just-in-time privilege for administrative sessions
  • User awareness is key to protection after credentials have been stolen. Break the user habit of clicking through certificate warnings
  • Validate detection with a no-malware kill chain: if your stack only fires on binaries hitting disk, you have a problem

Most CISOs know that securing the traditional network perimeter is no longer enough. They also understand the importance of protecting endpoints, wherever they might be. But what happens when threats exist outside both of these realms? Always looking for security blind spots to exploit, Russian state-sponsored hackers were recently blamed for a major cyber-espionage operation using hijacked consumer routers.

The so-called ‘FrostArmada’ campaign highlights exactly why cybersecurity visibility and control must extend to the hybrid workforce.

It’s APT28 again

The attackers, identified by the National Cyber Security Centre as APT28 (aka Fancy Bear, Sednit, Sofacy, STRONTIUM), compromised TP-Link WR841N devices. To do so, they exploited CVE-2023-50224, an unauthenticated flaw in the router’s httpd service that exposes stored credentials via a crafted HTTP GET request. It had been patched for some newer routers but not for many older units, which TP-Link suggests replacing. Another likely access vector was SNMPv2.


Once inside, operators changed DHCP and DNS settings so connected Windows machines inherited attacker-controlled resolvers, then stood up dnsmasq on port 53 as the malicious resolver, according to Microsoft. When a filtered subset of targeted hosts requested Outlook on the web, the resolver directed them to a proxy that fronted the real Microsoft 365. The proxy presented an invalid TLS certificate, and if the user clicked past the warning, it relayed the authentication flow and captured the OAuth token and session cookie.

Lumen’s Black Lotus Labs, which worked with Microsoft to address the problem, reported a peak in December 2025 of 18,000 infected devices across 120 countries. The FBI’s court-authorised response, Operation Masquerade, wiped the GRU’s resolver configuration from US-based routers in more than 23 states. It’s unclear how successful this opportunistic espionage exercise actually was.

SOHO routers are awash with flaws

Stephen Bono, founder of cybersecurity consultancy Independent Security Evaluators (ISE), has been demonstrating these exact weaknesses for years. He’s getting tired of it.

“Over 10 years ago, we were talking about these same vulnerabilities that are now getting exploited by government-sponsored advanced persistent threats,” he tells Assured Intelligence.

Bono blames the economics of the category. Home routers are commodity hardware built to a price, with cheap components, weak interfaces, and firmware that often treats security as an afterthought. The update chain is the worst of it.

“The lack of a strong update mechanism for home routers is one of the worst design flaws they have,” he says. Some devices cannot update themselves at all, and those that can often lack a PKI robust enough to trust the update. Most consumer routers don’t have their own SSL or TLS certificates, meaning that a user logging into the admin interface has no cryptographic proof that they are talking to the real device.

The hybrid-work blind spot

The uncomfortable truth for CISOs is that while it might sit behind an employee’s home TV, a compromised SOHO router also sits squarely within the security perimeter of a hybrid workforce. That’s problematic because endpoint protection and network hardening don’t see DHCP-level DNS rewrites on the box.


One reason FrostArmada worked so well against mature detection stacks is that nothing ever dropped a binary on the endpoint. The compromise lived on the router, and the credential theft lived in the browser. None of this should come as any surprise to CISOs, says Rich Mogull, chief analyst at the Cloud Security Alliance (CSA).

“If you’re a CISO, you know this, or you shouldn’t have that title,” he tells Assured Intelligence. BYOD is all very well, he adds, “but there are layers of security controls that need to be put into place to deal with that.”

The gap is capacity rather than awareness. “A lot of people are thinking about it, but very few of them are in a position to do anything about it,” Mogull continues. “They don’t have the knowledge, resources, budget, people, or the underlying technologies.”

Mogull argues that the CISO’s job isn’t to make the ultimate risk decision, but to communicate it and let the business make the call. But when the business chooses BYOD and work-from-anywhere, the CISO inherits the threat model.

What CISOs should do now

The NCSC’s mitigation list is a sensible starting point for next steps: replace end-of-life routers, patch firmware, and use application allow lists. It’s all good advice, but enterprises whose employees own the router will find much of it hard to enforce. The real work happens on the corporate side, and it must start with zero trust, say experts.

“In a zero trust model, the networks that endpoints operate in are assumed to be untrusted at best and compromised,” points out Markus Mueller, field CISO at Nozomi Networks.

If you can’t trust the SOHO router, make it irrelevant, adds Adam Goss, founder of UK threat intelligence company Kraven Security.

“By using a SASE provider, the endpoint establishes an encrypted tunnel the moment it boots,” he tells Assured Intelligence. “All DNS queries and traffic are sucked into the SASE provider’s clean pipe before they ever hit the local router’s DNS settings.”

Goss also recommends a “no-malware kill chain” exercise, where security teams filter MITRE’s ATT&CK framework for techniques that complete without leaving disk artefacts. The NCSC identifies some of these, such as T1557 (Adversary-in-the-Middle) and T1586 (Compromise Accounts).

“Then ask: if this fired in production right now, which sensor catches it? Most of the time, the answer is EDR. That’s the gap FrostArmada exploited,” he says. Network telemetry should be as mature as EDR telemetry, Goss continues. He advises retaining DNS query logs for 90 days.


Other measures companies should take include enforced corporate DNS resolvers via DNS over HTTPS (DoH) and DNS over TLS (DoT), which encrypt and tunnel DNS lookups. Alerting on clients querying non-approved resolvers would help surface potential network compromise. Goss also calls for Protective DNS (PDNS) with threat intel integration to embed awareness of malicious destinations at the DNS level. “Most organisations still don’t have all of this,” he adds.
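The resolver-drift alert Goss describes, applied to the DHCP-level DNS rewrite and selective OWA redirection described earlier, as an added example that is not part of the article or of any vendor product. The approved resolver addresses, the reference answer range and the DNS log records are all constructed here using documentation address space; the home router at 192.168.1.1 plays the role of the hijacked box running the attacker's resolver.

```python
import ipaddress
from collections import defaultdict

# Constructed sample values (not from the article): approved corporate resolvers,
# the OWA hostnames of interest, and a reference answer set captured out of band
# from the corporate resolver. All addresses are documentation ranges.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
WATCHED_QNAMES = {"outlook.office.com", "outlook.office365.com"}
REFERENCE_RANGES = {"outlook.office.com": ["198.51.100.0/24"]}  # assumed legitimate range

# Constructed DNS log records: the client, the resolver it sent the query to, the
# name, and the answers it received. 192.168.1.1 is the (hijacked) home router.
SAMPLE_LOG = [
    {"client": "192.168.1.20", "resolver": "10.0.0.53",   "qname": "intranet.example.com", "answers": ["10.0.5.10"]},
    {"client": "192.168.1.20", "resolver": "192.168.1.1", "qname": "outlook.office.com",   "answers": ["198.51.100.25"]},
    {"client": "192.168.1.31", "resolver": "192.168.1.1", "qname": "outlook.office.com",   "answers": ["203.0.113.7"]},
    {"client": "192.168.1.31", "resolver": "192.168.1.1", "qname": "news.example.net",     "answers": ["192.0.2.9"]},
]

def _in_ranges(addr, ranges):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(r) for r in ranges)

def unapproved_resolver_clients(log, approved=APPROVED_RESOLVERS):
    """Map each client to the resolvers it used that are not corporate-approved."""
    hits = defaultdict(set)
    for rec in log:
        if rec["resolver"] not in approved:
            hits[rec["client"]].add(rec["resolver"])
    return dict(hits)

def owa_answer_mismatches(log, reference=REFERENCE_RANGES):
    """Flag answers for watched names that fall outside the reference ranges.
    Only a filtered subset of hosts was redirected, so the check is per client."""
    out = []
    for rec in log:
        ranges = reference.get(rec["qname"])
        if rec["qname"] in WATCHED_QNAMES and ranges:
            for answer in rec["answers"]:
                if not _in_ranges(answer, ranges):
                    out.append((rec["client"], rec["qname"], answer))
    return out

def triage(log):
    """Resolver drift alone is low severity; drift plus a diverted OWA answer is high."""
    drifted = unapproved_resolver_clients(log)
    hijacked = {client for client, _, _ in owa_answer_mismatches(log)}
    return {client: ("high" if client in hijacked else "low") for client in drifted}

if __name__ == "__main__":
    for client, severity in triage(SAMPLE_LOG).items():
        print(f"{client}: {severity}")
```

With a SASE or DoH/DoT tunnel in place, any query that reaches the local router's port 53 is itself the signal, so the first function alone is enough to catch the DHCP rewrite before the redirection stage.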

Conditional access must evaluate device posture as a first-class signal. Phishing-resistant MFA is also table stakes. That means FIDO2 or passkeys, not SMS or push, given that AiTM proxies complete SMS and push challenges on the user’s behalf.

Shrinking the window

CISOs might also shrink the window in which a stolen token is useful. CSA’s Mogull points out that 90-day token expiry windows aren’t optimal. He is rewriting the CSA’s own policy to expire administrative sessions once a day. A Slack-based approval flow that grants production access for one hour at a time provides additional protection and serves as a form of out-of-band approval. If something is amiss, the user whose token is stolen sees an approval prompt they didn’t submit and knows immediately something is wrong.
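An audit of a conditional access policy against the three controls discussed above (phishing-resistant MFA, device posture as a first-class signal, and a session lifetime of one day for administrators), as an added example that is not from the article or from Microsoft. It assumes the Microsoft Graph conditionalAccessPolicy JSON shape and the built-in "Phishing-resistant MFA" authentication strength id; the two policy bodies are constructed, with their scoping conditions omitted, and the weak one mirrors the push-MFA, long-lived-session defaults the article criticises.

```python
# Assumed: Graph conditionalAccessPolicy field names and the built-in
# "Phishing-resistant MFA" authentication strength id.
PHISHING_RESISTANT_STRENGTH = "00000000-0000-0000-0000-000000000004"
MAX_ADMIN_SESSION_HOURS = 24

# Constructed weak policy: any MFA method (push/SMS satisfy it), no device check,
# no sign-in frequency, so the rolling default session lifetime applies.
WEAK_POLICY = {
    "displayName": "Admins - legacy",
    "state": "enabled",
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    "sessionControls": {},
}

# Constructed hardened policy: FIDO2/passkey strength AND compliant device,
# re-authentication every 24 hours, and no persistent browser sessions.
HARDENED_POLICY = {
    "displayName": "Admins - phishing-resistant, daily re-auth, compliant device",
    "state": "enabled",
    "grantControls": {
        "operator": "AND",
        "builtInControls": ["compliantDevice"],
        "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH},
    },
    "sessionControls": {
        "signInFrequency": {"isEnabled": True, "type": "hours", "value": 24,
                            "frequencyInterval": "timeBased"},
        "persistentBrowser": {"isEnabled": True, "mode": "never"},
    },
}

def _session_hours(session_controls):
    """Sign-in frequency in hours, or None when the policy sets no limit."""
    sif = session_controls.get("signInFrequency") or {}
    if not sif.get("isEnabled"):
        return None
    return sif["value"] * (24 if sif.get("type") == "days" else 1)

def audit_policy(policy):
    """Return the recommended controls this policy fails to enforce."""
    findings = []
    grant = policy.get("grantControls", {})
    session = policy.get("sessionControls", {})
    if (grant.get("authenticationStrength") or {}).get("id") != PHISHING_RESISTANT_STRENGTH:
        findings.append("mfa-not-phishing-resistant")
    if "compliantDevice" not in grant.get("builtInControls", []) or grant.get("operator") != "AND":
        findings.append("no-device-posture-requirement")
    hours = _session_hours(session)
    if hours is None or hours > MAX_ADMIN_SESSION_HOURS:
        findings.append("session-lifetime-exceeds-24h")
    if (session.get("persistentBrowser") or {}).get("mode") != "never":
        findings.append("persistent-browser-sessions-allowed")
    return findings
```

Run `audit_policy` over the policies exported from the tenant to find which ones still let an AiTM-captured token survive for the full default window.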

Another step is to close the certificate-warning loophole that allows the AiTM stage to work. Lumen advises certificate pinning. Mogull suggests policy enforcement at the mobile device management or managed browser layer to hard-block invalid certificates with no click-through.

The router under the employee’s desk is not going to get better firmware, a TLS certificate, or a vendor who cares. The next APT28 campaign, botnet, or SOHO-flavoured proxy-for-hire will land on the same unmanaged hardware. The question is whether the corporate end of the tunnel is ready for it.
