
Justice Department Counters Russian Military Intelligence Unit Attack On US Targets

adrianoreid@hotmail.com - April 8, 2026


Authored by Kimberly Hayek via The Epoch Times (emphasis ours),

The Justice Department and FBI on Tuesday revealed they have conducted a court-approved technical operation to neutralize part of a network of small office and home office routers in the United States that had been commandeered by a unit of Russia’s military intelligence.


Russian Military Unit 26165—also known as APT28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit—is part of Russia’s Main Intelligence Directorate of the General Staff and has compromised routers to execute malicious Domain Name System (DNS) hijacking operations across the planet.

They targeted individual U.S. military members, the U.S. government, and critical infrastructure from which the Russian government expected to gain intelligence.

U.S. Attorney David Metcalf for the Eastern District of Pennsylvania said critical data had been commandeered.

“In the face of continued aggression by our nation-state adversaries, the U.S. government will respond just as aggressively,” Metcalf said. “Working with the FBI—and our partners around the world—we are committed to disrupting and exposing such threats to our nation’s cybersecurity.”

Assistant Director Brett Leatherman of FBI’s Cyber Division said U.S. and global routers had been compromised and that the FBI will continue to use its authorities to identify and impose costs on state-sponsored actors who target the American people.

“Given the scale of this threat, sounding the alarm wasn’t enough,” Leatherman said. “The FBI conducted a court-authorized operation to harden compromised routers across the United States.”

The FBI operation, called Operation Masquerade, is the most recent U.S. action to undermine continuous Russian state-sponsored cyber threats that exploit everyday consumer devices.

Since 2024, GRU actors have attacked known vulnerabilities in TP-Link routers worldwide to steal administrative credentials. They then obtained unauthorized access to devices and changed their settings to redirect DNS queries to GRU-controlled malicious resolvers.

The actors set up automated filters to identify high-value traffic before intercepting it. The malicious resolvers returned fraudulent DNS records that appeared to be legitimate services, including Microsoft Outlook Web Access.

This allowed man-in-the-middle attacks on what victims thought was encrypted network traffic. The GRU was able to harvest unencrypted passwords, authentication tokens, emails, and other sensitive data from devices on the compromised router’s local network.

The operation included technical contributions from Black Lotus Labs at Lumen, Microsoft Threat Intelligence, and MIT Lincoln Laboratory.

“Operation Masquerade was led by FBI Boston. It represents the latest example of how we’re defending our homeland from Russia’s GRU which weaponized routers owned by unsuspecting Americans in more than 23 states to steal sensitive government, military, and critical infrastructure information,” special agent in charge of the FBI’s Boston Field Office Ted E. Docks said.

He noted that the FBI employed cutting-edge technology and leveraged private sector and international partners to combat the malicious activity and remediate routers.

Court documents from the case, filed in the Eastern District of Pennsylvania, outline how the FBI developed and tested commands sent only to affected routers in the United States.

The commands revealed evidence of GRU schemes, reset the devices’ DNS settings to legitimate resolvers of internet service providers, and shut down the original unauthorized access points. TP-Link router firmware and hardware settings confirmed the operation would not interrupt normal router function or collect users’ personal data.

Legitimate owners can change the settings through a factory reset with the hardware button or by manually restoring settings through the router’s web interface.

The FBI has also been working with internet service providers to inform affected users.

Owners of small office and home office routers are advised to replace end-of-life or end-of-support devices, upgrade to the newest firmware, verify that DNS resolvers are the same as those provided by the internet service provider, and review firewall rules to prevent unnecessary remote management access.

The GRU’s Unit 26165 was the subject of a May 2025 joint advisory from the Cybersecurity and Infrastructure Security Agency, as well as international partners, describing how the unit attacked Western logistics and technology companies delivering aid to Ukraine. The campaign, dating back to 2022, impacted organizations in 13 nations, including the United States, Germany, and France.

In April 2025, French officials said a series of hacks since 2021 were the work of the same GRU unit.

“The Russian military intelligence service (GRU) has been deploying a cyber-offensive modus operandi called APT28 against France for several years. It has targeted around 10 French entities since 2021,” Jean-Noël Barrot, the French foreign minister, wrote on social media platform X.

In a February 2024 disruption, the Justice Department took apart a GRU-controlled botnet that had attacked hundreds of small or home office routers around the world with malware. The FBI used the same malware to copy and delete stolen data while changing firewall rules to ban remote management access.


