Russian GRU - Exploiting Vulnerable Routers to Steal Data, Operation Masquerade Disrupts Network

High severity: significant development or major threat actor activity
The Russian military has been using weak home routers to steal sensitive information. Recently, U.S. authorities stopped a big part of this operation by remotely resetting the routers' hijacked DNS settings. It's important for everyone to keep their routers updated and secure.
The Russian GRU is exploiting vulnerable routers worldwide, prompting a joint advisory from cybersecurity agencies. Operation Masquerade has disrupted a significant DNS hijacking network operated by the GRU, affecting thousands of routers across the U.S.
What Happened
The Canadian Centre for Cyber Security (Cyber Centre) has joined forces with the United States' Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and other international partners to issue a cybersecurity advisory regarding the Russian General Staff Main Intelligence Directorate (GRU). This advisory highlights how the GRU has been exploiting vulnerable routers globally to intercept and steal sensitive military, government, and critical infrastructure information.
In a recent operation known as Operation Masquerade, U.S. authorities disrupted a DNS hijacking network run by the GRU's Unit 26165 (APT28). This operation revealed that the GRU had compromised thousands of TP-Link small office and home office routers across more than 23 U.S. states. Since at least 2024, APT28 has been exploiting known vulnerabilities in these devices to gain unauthorized access to router management interfaces and manipulate DNS settings, redirecting users to GRU-controlled servers.
Who's Affected
The compromised routers have been used to target sensitive data from government, military, and critical infrastructure sectors. The GRU's operations have specifically aimed at intercepting credentials and sensitive communications from users connected to these routers.
What Data Was Exposed
The GRU's DNS hijacking tactics allowed them to collect a range of sensitive information, including passwords, authentication tokens, emails, and other critical data from devices on the same networks as the compromised routers. By redirecting DNS queries, the GRU could insert their infrastructure into encrypted sessions, further enhancing their data collection capabilities.
What You Should Do
To mitigate the risks associated with these vulnerabilities, users of SOHO routers are strongly encouraged to take the following actions:
- Upgrade any end-of-support devices.
- Update firmware to the latest versions to patch known vulnerabilities.
- Change default usernames and passwords to strengthen security.
- Disable remote management interfaces from the Internet to reduce exposure.
Additionally, the FBI has developed and deployed commands to reset the DNS configurations of the compromised routers, restoring legitimate resolver settings and blocking the original unauthorized access paths. The bureau is collaborating with U.S. internet service providers to notify affected customers, ensuring they are aware of the risks and necessary actions to secure their devices.
Consult the full joint advisory for further guidance on protecting your network against these threats.
How to Check If You're Affected
1. Monitor DNS traffic for anomalies
2. Check router configurations for unauthorized changes
3. Implement alerts for unusual access patterns
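As an added example (not from the advisory or any vendor tool), the script below turns the checks above into code: it audits a router configuration export for the red flags the advisory names (resolvers outside an allowlist, remote management exposed, default admin username) and counts DNS queries per LAN client that went to a resolver not on the allowlist. The config key names, the log line format and every IP address are constructed placeholders.

```python
"""Added example, not from the advisory: flag signs of SOHO-router DNS hijacking.
Config key names, log format and all IP addresses are constructed placeholders."""
from collections import Counter

TRUSTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}   # constructed allowlist of legitimate resolvers
DEFAULT_ADMIN_USERS = {"admin", "root", "user"}    # usernames that indicate unchanged defaults

def audit_router_config(config_text):
    """Check a key=value config export (hypothetical format) for the advisory's red flags:
    resolvers outside the allowlist, WAN-side remote management, default admin username."""
    cfg = dict(line.split("=", 1) for line in config_text.splitlines() if "=" in line)
    findings = []
    for key in ("dns_server1", "dns_server2"):
        value = cfg.get(key, "")
        if value and value not in TRUSTED_RESOLVERS:
            findings.append(f"{key} points to untrusted resolver {value}")
    if cfg.get("remote_mgmt", "0") != "0":
        findings.append("remote management is enabled on the WAN side")
    if cfg.get("admin_user", "").lower() in DEFAULT_ADMIN_USERS:
        findings.append(f"default admin username '{cfg['admin_user']}' still in use")
    return findings

def audit_dns_log(log_lines):
    """Per client, count DNS queries answered by a resolver outside the allowlist.
    Each constructed log line is 'client_ip resolver_ip qname'."""
    suspicious = Counter()
    for line in log_lines:
        client, resolver, _qname = line.split()
        if resolver not in TRUSTED_RESOLVERS:
            suspicious[client] += 1
    return dict(suspicious)

# Constructed sample data: a router whose primary resolver was changed and whose
# remote management was switched on, plus three DNS log lines from two LAN clients.
CONSTRUCTED_CONFIG = "admin_user=admin\ndns_server1=198.51.100.7\ndns_server2=192.0.2.54\nremote_mgmt=1\n"
CONSTRUCTED_DNS_LOG = [
    "10.0.0.12 198.51.100.7 mail.example.org",
    "10.0.0.12 198.51.100.7 login.example.org",
    "10.0.0.25 192.0.2.53 www.example.org",
]

if __name__ == "__main__":
    for finding in audit_router_config(CONSTRUCTED_CONFIG):
        print("CONFIG:", finding)
    for client, n in audit_dns_log(CONSTRUCTED_DNS_LOG).items():
        print(f"DNS: {client} sent {n} queries to an untrusted resolver")
```

In practice the allowlist would hold the ISP's or your own resolvers, the config text would come from the router's backup/export feature, and the log lines from a DNS or flow logger on the LAN gateway.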
The disruption of the GRU's DNS hijacking network through Operation Masquerade highlights the ongoing threat posed by state-sponsored cyber actors. Organizations must prioritize securing their network devices to prevent similar attacks.
Also covered by
The Good, the Bad and the Ugly in Cybersecurity – Week 15