The Department of Justice and FBI said Tuesday they have successfully disrupted a Russian military intelligence operation that hijacked thousands of small office and home office routers across the United States to conduct espionage against government, military, and critical infrastructure targets.
The court-authorized technical operation targeted infrastructure built by GRU Military Unit 26165, also known as APT28, which had been exploiting vulnerabilities in TP-Link routers since at least 2024. Compromised devices were found in more than 23 states, officials said.
“The GRU’s predatory use of networks in American homes and businesses for its malicious cyber operations remains a serious and persistent threat,” said Assistant Attorney General John A. Eisenberg.
According to federal officials, GRU actors stole login credentials to gain unauthorized access to the routers and redirected DNS requests through Russian-controlled servers. The GRU operation then used automated filtering to identify high-value targets, deploying fraudulent DNS records that impersonated legitimate services, including Microsoft Outlook Web Access, to intercept encrypted network traffic. The technique allowed Russian operatives to harvest passwords, authentication tokens, and emails from victim networks.
FBI agents developed and deployed a series of commands to compromised U.S. routers, resetting DNS settings to remove the malicious servers and blocking the GRU’s original access pathways. Officials said the operation was extensively tested beforehand, did not disrupt normal router functionality, and did not collect users’ personal data. All changes can be reversed by owners through a standard factory reset.
The FBI is coordinating with internet service providers to notify affected users and is urging all router owners to take immediate protective steps: replace outdated end-of-life devices, update firmware to the latest version, verify DNS resolver settings, and apply firewall rules to block unauthorized remote access.
“Operation Masquerade demonstrates the FBI’s commitment to identifying, exposing, and disrupting the Russian government’s efforts to compromise American devices, steal sensitive information, and target critical infrastructure,” said Assistant Director Brett Leatherman of the FBI’s Cyber Division.
