The Department of Justice announced on Apr. 7 a court-authorized operation to neutralize the U.S. segment of a network of small office and home office routers that had been compromised by Russia’s Main Intelligence Directorate, also known as GRU Military Unit 26165 or APT28. The compromised routers were used to conduct malicious Domain Name System (DNS) hijacking operations against individuals in military, government, and critical infrastructure sectors worldwide.
This operation addresses concerns about foreign cyber actors exploiting vulnerabilities in American networks for espionage purposes. Officials said the affected TP-Link routers were manipulated to redirect DNS requests to servers controlled by the GRU, enabling them to intercept sensitive information such as passwords and emails from devices connected through these routers.
“Russian military intelligence once again hijacked Americans’ hardware to commandeer critical data,” said U.S. Attorney David Metcalf. “In the face of continued aggression by our nation-state adversaries, the U.S. government will respond just as aggressively. Working with the FBI — and our partners around the world — we are committed to disrupting and exposing such threats to our nation’s cybersecurity.”
Assistant Attorney General for National Security John A. Eisenberg said, “The GRU’s predatory use of networks in American homes and businesses for its malicious cyber operations remains a serious and persistent threat.” He added that his division would continue using all available tools against such intrusions.
Special Agent in Charge Ted E. Docks of the FBI Boston Field Office described “Operation Masquerade” as an effort that leveraged technology along with private sector and international partnerships: “Now we’re asking everyone who has a router to secure it, update its firmware, and replace it if needed.” Assistant Director Brett Leatherman of the FBI’s Cyber Division emphasized user action: “We urge all router owners to take the remediation steps outlined today, because defending our networks requires all of us.”
According to unsealed court documents from Pennsylvania’s Eastern District, FBI agents sent commands designed both to collect evidence about GRU activity on compromised routers and to reset their DNS settings so they could no longer be exploited by unauthorized actors.
Testing showed that these actions did not impact normal functionality or collect legitimate users’ content information; any changes can be reversed by users via factory resets or web management pages.
Authorities recommend replacing unsupported devices, upgrading firmware promptly, verifying DNS resolver authenticity within router settings, reviewing firewall rules for exposure risks, consulting official documentation from manufacturers like TP-Link regarding configurations or end-of-life lists for replacement guidance, and following additional recommendations provided in public service announcements.
The FBI is working with internet service providers (ISPs) on notifying potentially affected users nationwide.


