Operation Masquerade: FBI Disrupts Russian Router Hacking Campaign
FBI disrupts Russian GRU campaign hijacking routers via DNS attacks for espionage.
Summary
The FBI and DoJ disrupted Operation Masquerade, a Russian GRU (APT28/Fancy Bear) cyberespionage campaign that hijacked thousands of home and small-office routers—primarily TP-Link devices—across 23+ US states and other countries since at least 2024. The attackers exploited known vulnerabilities to redirect DNS traffic to fake servers, enabling phishing attacks targeting military and government personnel with counterfeit login pages to steal credentials and authentication tokens. The FBI obtained a court order to remotely reset DNS settings on infected routers and block attacker access, with assistance from Microsoft Threat Intelligence, MIT Lincoln Laboratory, and Black Lotus Labs.
Full text
Operation Masquerade: The FBI and DoJ disrupted a Russian GRU campaign that hijacked routers via DNS attacks to spy on users and steal credentials.

By Deeba Ahmed, April 8, 2026

The US Department of Justice (DoJ) and the FBI have officially disrupted a major cyberespionage campaign run by Russian military intelligence. According to the DoJ's press release, the operation, dubbed Operation Masquerade, targeted a network of home and small-office routers that the hackers had been using to spy on unsuspecting users.

The group behind the attack is a well-known unit of the Russian GRU, often called APT28, Fancy Bear, or Forest Blizzard. This group has been quietly compromising devices since at least 2024, focusing heavily on TP-Link routers. By exploiting known vulnerabilities, it hijacked thousands of devices across more than 23 US states and many other countries.

How your router was turned into a tool for spying

As Hackread.com reported earlier, the technique Fancy Bear used in this campaign is DNS hijacking: the GRU hackers broke into routers and replaced the routers' DNS settings with servers under their own control. Once they had that control, they used an automated filter to pick out high-value targets in the military and government. To those specific people, the hackers served fake login pages, such as a counterfeit Microsoft Outlook Web Access screen, to steal unencrypted passwords, emails, and authentication tokens without the user ever realising something was wrong.

Assistant Attorney General John A. Eisenberg noted that the "GRU's predatory use of networks in American homes and businesses for its malicious cyber operations remains a serious and persistent threat."

The FBI's technical cleanup

Rather than just issuing a warning, the FBI took the rare step of obtaining a court order to interact with the infected routers directly. The bureau sent a series of commands to these devices to reset their DNS settings and block the hackers' access. Researchers from Microsoft Threat Intelligence, MIT Lincoln Laboratory, and Black Lotus Labs helped test these fixes to make sure they did not break anyone's internet connection.

While the FBI has cleared the immediate threat, it is still urging the public to be careful. As Special Agent Ted E. Docks notes, the FBI "leveraged our private sector and international partners to unmask this malicious activity and remediate routers."

If you use a TP-Link device, you should check for the latest firmware updates immediately. If your router is an older model that no longer gets updates, it might be time to replace it.
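The DNS hijacking described above leaves a footprint a defender can check for: the resolver addresses the router hands out over DHCP change to something the user never configured, and answers for sensitive hostnames stop matching what an independent resolver returns. The script below is an added example, not code from the Hackread article, the FBI, or any of the research teams named; it audits a resolv.conf-style resolver list against an allowlist and compares A-record answers from the local resolver with those from a trusted one. The allowlist, the hostnames, and every address in it are constructed (documentation and private ranges), not indicators from the campaign.

```python
"""Audit a host's DNS configuration for signs of router-level DNS hijacking.

Added example; not code from the Hackread article, the FBI, or the named
research teams. It assumes a resolver list in resolv.conf format and A-record
answers for a few hostnames from the local resolver and from an independent
trusted resolver. All sample data below is constructed; addresses are
documentation or private ranges, not indicators of compromise.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed allowlist: the router's LAN address plus the public resolvers a
# hypothetical organisation has approved. Adjust to your own environment.
EXPECTED_RESOLVERS = {"192.168.0.1", "1.1.1.1", "9.9.9.9"}

# RFC 1918 ranges, checked explicitly rather than via is_private() so that
# documentation ranges such as 203.0.113.0/24 count as public.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses in order of appearance."""
    return NAMESERVER_RE.findall(text)


def classify(addr: str) -> str:
    """Return 'lan', 'public', or 'invalid' for a resolver address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    return "lan" if any(ip in net for net in RFC1918) else "public"


def audit_resolvers(resolvers: List[str],
                    expected: Set[str] = EXPECTED_RESOLVERS) -> List[Tuple[str, str]]:
    """Flag resolvers that are not on the allowlist.

    A public address the user never configured is the classic symptom of a
    router whose DHCP-advertised DNS has been replaced by an attacker's server.
    Returns (address, reason) pairs; an empty list means nothing to report.
    """
    reasons = {"lan": "LAN resolver not on allowlist",
               "public": "public resolver not on allowlist",
               "invalid": "unparseable resolver address"}
    return [(addr, reasons[classify(addr)]) for addr in resolvers if addr not in expected]


def compare_answers(local: Dict[str, List[str]],
                    trusted: Dict[str, List[str]]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Report hostnames whose local answers share no address with the trusted ones.

    CDN-fronted names legitimately rotate addresses, so a mismatch is a triage
    signal to confirm (for example against the certificate served), not proof.
    """
    divergent = {}
    for host, trusted_addrs in trusted.items():
        local_set, trusted_set = set(local.get(host, ())), set(trusted_addrs)
        if not local_set & trusted_set:
            divergent[host] = (local_set, trusted_set)
    return divergent


# ---- constructed sample inputs -------------------------------------------
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP (constructed sample)
search home.arpa
nameserver 192.168.0.1
nameserver 203.0.113.53
"""

# Answers as a hijacked router's resolver might return them (constructed).
SAMPLE_LOCAL_ANSWERS = {
    "mail.example.com": ["203.0.113.10"],
    "login.example.com": ["198.51.100.5"],
}
# Answers from an independent resolver queried directly (constructed).
SAMPLE_TRUSTED_ANSWERS = {
    "mail.example.com": ["198.51.100.20"],
    "login.example.com": ["198.51.100.5"],
}


def run_audit(resolv_conf: str = SAMPLE_RESOLV_CONF,
              local: Dict[str, List[str]] = SAMPLE_LOCAL_ANSWERS,
              trusted: Dict[str, List[str]] = SAMPLE_TRUSTED_ANSWERS) -> dict:
    """Run both checks; 'suspicious' is True if either one fires."""
    resolver_findings = audit_resolvers(parse_resolv_conf(resolv_conf))
    divergent = compare_answers(local, trusted)
    return {"resolver_findings": resolver_findings,
            "divergent_hosts": divergent,
            "suspicious": bool(resolver_findings or divergent)}


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

On the constructed sample the audit flags 203.0.113.53 as an unapproved public resolver and mail.example.com as resolving to an address the trusted resolver never returns, which is exactly the pattern a redirected login page would produce. In practice the resolver list comes from the host (or the router's DHCP settings page) and the two answer sets from querying the local resolver and an independent one; the firmware update and device-replacement advice above still applies regardless of what the audit reports.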