Inside the FBI’s router takedown that cut off APT28’s ‘tremendous access’

APT28 compromised over 18,000 TP-Link routers to inject malicious DNS settings, intercepting traffic from all connected devices for intelligence gathering. Small offices and home networks are affected. This gave attackers persistent, transparent access to sensitive data across entire networks without targeting individual hosts.

Severity: HIGH. Type: Advisory. Date: Apr 10, 2026
Action required
Inventory all TP-Link routers in your environment immediately. Verify DNS settings are legitimate (check router admin panel). Reset DNS to ISP defaults or trusted public resolvers. Monitor network traffic for suspicious DNS queries and out-of-band C2 communication.
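A small check that carries out the two verification steps above: compare each router's configured resolvers against the resolvers your environment is supposed to use, and flag port-53 traffic sent to any other destination. This is an added illustration, not code from the FBI advisory; the trusted resolver set, router names and flow records are constructed sample values you would replace with your own inventory and flow data.

```python
from collections import defaultdict

# Assumption: the resolvers this environment legitimately uses (ISP defaults or
# trusted public resolvers). Constructed sample values; replace with your own.
TRUSTED_RESOLVERS = {"9.9.9.9", "149.112.112.112", "1.1.1.1", "1.0.0.1"}

# Constructed sample: DNS settings read from each router's admin panel.
# 203.0.113.7 is a TEST-NET address standing in for an unexpected resolver.
ROUTER_DNS_INVENTORY = [
    {"router": "branch-01", "dns": ["9.9.9.9", "149.112.112.112"]},
    {"router": "branch-02", "dns": ["203.0.113.7", "9.9.9.9"]},
    {"router": "home-03", "dns": []},  # empty = assigned by ISP DHCP, not verifiable here
]

# Constructed sample of flow records: (src_host, dst_ip, dst_port, proto).
DNS_FLOWS = [
    ("10.0.1.20", "9.9.9.9", 53, "udp"),
    ("10.0.1.21", "203.0.113.7", 53, "udp"),
    ("10.0.1.22", "198.51.100.9", 53, "tcp"),
    ("10.0.1.23", "192.0.2.5", 443, "tcp"),  # not DNS, must be ignored
    ("10.0.1.20", "9.9.9.9", 53, "udp"),
]


def audit_router_dns(inventory, trusted=TRUSTED_RESOLVERS):
    """Return {router: [resolvers not in the trusted set]} for routers whose
    static DNS settings point anywhere unexpected. Routers with no static
    entries are skipped: their resolvers come from the ISP and need a
    separate check."""
    findings = {}
    for entry in inventory:
        unexpected = [ip for ip in entry["dns"] if ip not in trusted]
        if unexpected:
            findings[entry["router"]] = unexpected
    return findings


def find_rogue_resolvers(flows, trusted=TRUSTED_RESOLVERS):
    """Count port-53 flows per destination that is not a trusted resolver.
    The hijack described in the advisory works by changing the resolver the
    router hands out, so any client talking DNS to an unknown destination
    deserves review."""
    counts = defaultdict(int)
    for _src, dst, port, _proto in flows:
        if port == 53 and dst not in trusted:
            counts[dst] += 1
    return dict(counts)


if __name__ == "__main__":
    print("routers with unexpected DNS:", audit_router_dns(ROUTER_DNS_INVENTORY))
    print("DNS flows to untrusted resolvers:", find_rogue_resolvers(DNS_FLOWS))
```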
Affected products
TP-Link routers
Source: FBI Cyber Division