FBI Disrupts Russian Router Hijacking Operation Compromised Thousands of Users
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
The U.S. Justice Department and the FBI have successfully dismantled a massive cyberespionage network in a court-authorized takedown dubbed \u201cOperation Masquerade.\u201d<\/p>\n
Announced on April 7, 2026, the technical operation neutralized thousands of compromised small office\/home office (SOHO) routers<\/a> that were hijacked by Russian military intelligence to spy on global targets.<\/p>\n The disruption targeted a hacking unit within Russia\u2019s Main Intelligence Directorate (GRU), widely tracked by cybersecurity researchers as APT28, Fancy Bear, Forest Blizzard, and Sednit.<\/p>\n Since at least 2024, these state-sponsored hackers have actively exploited known security vulnerabilities to steal credentials for thousands of TP-Link routers worldwide.<\/a><\/p>\n Once the GRU actors gained unauthorized access to a router, they manipulated its Domain Name System (DNS) settings<\/a>. This effectively redirected the victim\u2019s internet traffic to malicious, attacker-controlled DNS resolvers.<\/p>\n While the initial router compromises were indiscriminate, the hackers used an automated filtering system to identify high-value targets in the military, government, and critical infrastructure sectors.<\/p>\n For these selected targets, the malicious DNS resolvers served fraudulent records that mimicked legitimate online services, such as Microsoft Outlook Web Access.<\/a><\/p>\n This allowed the GRU to execute Actor-in-the-Middle (AitM) attacks<\/a> against encrypted network traffic.<\/p>\n By routing traffic through their servers, the attackers successfully harvested unencrypted passwords, authentication tokens,<\/a> emails, and other sensitive data from devices connected to the compromised networks.<\/p>\n To stop the espionage campaign, the FBI developed and deployed a series of remote commands to the compromised routers across 23 states.<\/p>\n These commands gathered vital evidence, purged the malicious GRU DNS resolvers, and restored legitimate ISP default settings.<\/p>\n The commands also locked out the attackers by patching the original means of unauthorized access<\/a>.<\/p>\n The government extensively tested these actions alongside MIT Lincoln Laboratory to ensure they did not break normal router functionality or access private user data.<\/p>\n The disruption effort was a collaborative success involving the FBI\u2019s Boston and Philadelphia Field Offices, with critical threat intelligence provided by Microsoft and Black Lotus Labs at Lumen.<\/p>\n While the FBI has secured the compromised devices, the agency urges all SOHO router owners to take proactive steps to defend their networks:<\/p>\n The FBI is currently working directly with Internet Service Providers<\/a> to notify impacted users.<\/p>\n If you believe your router was compromised, you are encouraged to check the official TP-Link download center for proper configuration guidelines and file a report with the FBI\u2019s Internet Crime Complaint Center (IC3).<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post FBI Disrupts Russian Router Hijacking Operation Compromised Thousands of Users<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nRussian Router Hijacking Operation<\/strong><\/h2>\n
Recommended Remediation Steps<\/strong><\/h2>\n
\n