FBI Disrupts GRU Router Hijacking Operation Amid Rising Threats

High severity — significant development or major threat actor activity
The FBI found that a Russian group was secretly watching people through their home routers. They changed settings to steal passwords and other private information. Now, the FBI has fixed many of these routers to protect users.
The FBI has disrupted a significant cyber espionage operation by the Russian GRU, targeting thousands of compromised TP-Link routers across the U.S. and stealing sensitive user data.
What Happened
This week, the FBI executed Operation Masquerade, a court-authorized initiative aimed at dismantling a DNS hijacking network operated by Russia’s GRU Unit 26165 (APT28). The operation revealed that APT28 had compromised thousands of TP-Link small office and home routers across more than 23 U.S. states. Since at least 2024, these actors exploited known vulnerabilities in the routers to alter DNS settings, redirecting user traffic through GRU-controlled servers. This allowed them to intercept sensitive information such as passwords, authentication tokens, and emails, primarily targeting individuals in government, military, and critical infrastructure sectors.
Who's Affected
The FBI's investigation suggests that over 5,000 consumer devices and more than 200 organizations have been impacted by APT28's malicious DNS infrastructure. Specific models of TP-Link routers, particularly the WR841N, have been highlighted as vulnerable, allowing attackers to gain unauthorized access through specially crafted HTTP GET requests.
What's at Risk
The compromised routers not only facilitated credential theft but also enabled the interception of secure communications, including those involving Microsoft 365 and other cloud services. The GRU's ability to manipulate DNS settings poses a significant risk, as it can lead to unauthorized access to sensitive data typically protected by SSL and TLS encryption.
Patch Status
Under court supervision, the FBI deployed a series of commands to reset the DNS configurations of the compromised routers, restoring legitimate settings provided by ISPs. The agency is collaborating with U.S. internet service providers to notify affected customers and ensure that users can revert any unauthorized changes.
Immediate Actions
To protect against similar attacks, users are advised to:
- Check their router's DHCP settings against their ISP's recommendations.
- Change default usernames and passwords to more secure options.
- Regularly update router firmware and disable remote management features.
- Consider using open-source firmware alternatives for enhanced security, if technically proficient.
- Report any suspicious activity or potential compromises to local FBI field offices.
This operation underscores the importance of securing home and small office routers, as they are increasingly becoming targets for espionage and cyber attacks.
🔍 How to Check If You're Affected
1. Monitor DNS settings for unauthorized changes.
2. Check for unusual traffic patterns originating from home routers.
3. Conduct regular security audits on network devices.
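As an added example (not from the original article or from any agency tooling), the following Python script implements the first check above on a workstation: it reads the DNS resolvers the router handed out over DHCP, flags any that are neither the ISP's documented resolvers nor a LAN address, and compares answers from the configured resolver with a trusted reference. The ISP resolver list, the sample resolv.conf and the sample answer sets are constructed placeholders.

```python
# Added example: audit DHCP-assigned DNS resolvers for signs of hijacking.
import ipaddress
import re

# Constructed placeholder: the resolvers your ISP documents for your account.
EXPECTED_RESOLVERS = {"203.0.113.53", "203.0.113.54"}

# Address ranges a home router legitimately uses when it forwards DNS itself.
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample of /etc/resolv.conf as written by a DHCP client.
# The second entry is an address outside the LAN and not on the ISP list,
# which is the pattern a DNS-hijacked router leaves behind.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd from eth0.dhcp
nameserver 192.168.0.1
nameserver 198.51.100.7
search lan
"""

def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    return re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, flags=re.M)

def audit_resolvers(nameservers, expected=EXPECTED_RESOLVERS) -> list[tuple[str, str]]:
    """Flag resolvers that are neither expected ISP resolvers nor LAN addresses."""
    findings = []
    for ns in nameservers:
        try:
            ip = ipaddress.ip_address(ns)
        except ValueError:
            findings.append((ns, "unparseable nameserver entry"))
            continue
        if ns in expected or any(ip in net for net in LAN_RANGES):
            continue
        findings.append((ns, "unexpected public resolver"))
    return findings

def compare_answers(configured: dict, reference: dict) -> dict:
    """Compare per-domain A-record sets from the configured resolver with
    those from a trusted resolver (e.g. collected with `dig @<ip> <name>`).
    Domains sharing no address are returned as leads; CDN-backed names can
    legitimately differ, so confirm before treating a mismatch as redirection."""
    return {d: (sorted(configured.get(d, ())), sorted(ref))
            for d, ref in reference.items()
            if not set(configured.get(d, ())) & set(ref)}

if __name__ == "__main__":
    for ns, why in audit_resolvers(parse_nameservers(SAMPLE_RESOLV_CONF)):
        print(f"{ns}: {why}")
```

On Windows the equivalent resolver list comes from `ipconfig /all`; feed those addresses to `audit_resolvers` the same way.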
The operation highlights the critical need for robust security measures on consumer devices, especially as sophisticated threat actors like APT28 continue to exploit vulnerabilities in widely used technology.