HackRead

FBI Disrupts Russian Router Hacking Campaign

The US Department of Justice (DoJ) and the FBI have officially disrupted a major cyberespionage campaign run by Russian military intelligence. According to the DoJ's press release, the operation, dubbed Operation Masquerade, targeted a network of home and small-office routers that the hackers had been using to spy on unsuspecting users.

The group behind the attack is a well-known unit of the Russian GRU, often called APT28, Fancy Bear, or Forest Blizzard. This group has been quietly compromising devices since at least 2024, focusing heavily on TP-Link routers. By exploiting known vulnerabilities, it managed to hijack thousands of devices across more than 23 US states and many other countries.

How your router was turned into a tool for spying

As Hackread.com reported earlier, the technique Fancy Bear used in this campaign is DNS hijacking: the GRU hackers broke into routers and replaced their DNS settings with rogue DNS servers under the group's control. Once they had that control, they used an automated filter to find high-value targets in the military and government.

For those targets, the hackers would serve up fake login pages, such as a counterfeit Microsoft Outlook Web Access screen, to steal unencrypted passwords, emails, and authentication tokens without the user ever realising something was wrong. Assistant Attorney General John A. Eisenberg noted that the “GRU’s predatory use of networks in American homes and businesses for its malicious cyber operations remains a serious and persistent threat.”

The FBI’s technical cleanup

Rather than just issuing a warning, the FBI took the rare step of getting a court order to interact with the infected routers directly. The bureau sent a series of commands to these devices to reset their DNS settings and block the hackers’ access. Researchers from Microsoft Threat Intelligence, MIT Lincoln Laboratory, and Black Lotus Labs helped test these fixes to make sure they did not break anyone’s internet connection.

While the FBI has cleared the immediate threat, it is still urging the public to be careful. As Special Agent Ted E. Docks notes, the FBI “leveraged our private sector and international partners to unmask this malicious activity and remediate routers.” If you use a TP-Link device, you should check for the latest firmware updates immediately. If your router is an older model that no longer receives updates, it might be time to replace it.
