Operation Masquerade: FBI, NSA, and DOJ Dismantle Russian GRU Router Hijacking Network
Your home router might have been a Russian intelligence asset. That is not speculation. That is what the FBI, NSA, and Department of Justice confirmed on April 7, 2026, when they announced the court-authorized disruption of a DNS hijacking network operated by Russian military intelligence.
The operation’s name: Masquerade.
The Threat
GRU Unit 26165, the 85th Main Special Service Center (85th GTsSS), ran this campaign. You might know them better as APT28 or Fancy Bear. They are the same group behind the 2016 DNC breach, the SolarWinds campaign follow-on operations, and a long list of espionage operations targeting NATO governments.
This time, they went after something most people never think about: the DNS resolver settings on consumer-grade routers.
How It Worked
The attack chain started with CVE-2023-50224, a remote code execution vulnerability in TP-Link router firmware. The GRU exploited this flaw to gain administrative access to devices without any user interaction. No phishing email. No credential theft. Just a vulnerable router connected to the internet.
Once inside, the operators modified the router’s DNS configuration to point at GRU-controlled resolvers. Every device on that network (laptops, phones, smart home gear) then had its DNS queries routed through Russian intelligence infrastructure.
That enabled an Adversary-in-the-Middle (AiTM) attack chain. The GRU resolvers could redirect traffic to spoofed login pages, intercept authentication tokens, inject malicious payloads into unencrypted connections, and quietly map every device and service on the target network. The compromised router owners had no visible indication anything had changed.
This follows a pattern. In February 2024, a joint cybersecurity advisory warned that Russian state actors were compromising Ubiquiti EdgeRouters for the same purpose: converting consumer networking equipment into espionage infrastructure. Operation Masquerade shows the GRU simply shifted to a different vendor when the first vector got burned.
The Scale
Routers were compromised across 23 U.S. states. The FBI’s Internet Crime Complaint Center published a public service announcement confirming the geographic spread. This was not a targeted strike against defense contractors or government agencies. It was a broad collection operation touching residential and small business networks.
As FBI Cyber Division Assistant Director Brett Leatherman told CyberScoop, the operation represented a shift in Russian cyber tradecraft toward leveraging commodity hardware at scale rather than investing in bespoke implants for high-value targets.
Microsoft threat intelligence confirmed overlap between the infrastructure used in Operation Masquerade and previous APT28 campaigns targeting European government networks, indicating this was one node in a larger global operation.
What Stopped It
The DOJ obtained court authorization in the Eastern District of Pennsylvania to disrupt the network. The operation, executed jointly by the FBI and NSA, neutralized the GRU-controlled DNS infrastructure and severed the command-and-control links to compromised routers.
This is the same legal and operational playbook the FBI used to dismantle the Cyclops Blink botnet in 2022 and the GRU’s Ubiquiti router network in 2024. Court-authorized, technically precise, and focused on cutting the adversary’s access without bricking the devices.
The NSA’s press release emphasized that the disruption was a joint effort across intelligence and law enforcement, reflecting the growing convergence of cyber defense and counterintelligence operations.
What You Should Do
The takedown cut the GRU’s access to the command infrastructure. It did not patch your router. If you have a TP-Link device, assume it needs attention.
Immediate actions:
- Check your DNS settings. Log into your router’s admin panel. If the DNS servers are set to anything you did not configure, your device was likely compromised. Reset them to your ISP’s defaults or a trusted resolver (1.1.1.1, 8.8.8.8, 9.9.9.9).
- Update firmware. Check TP-Link’s support site for the latest firmware addressing CVE-2023-50224. Apply it now.
- Factory reset. If your router was compromised, a firmware update alone may not be sufficient. Factory reset the device, apply the latest firmware, and reconfigure from scratch.
- Change credentials. If the default admin password was still in place, that was part of the problem. Set a strong, unique password for the router admin interface.
- Disable remote management. Unless you have a specific operational need for remote admin access, turn it off. It is an attack surface you do not need.
- Consider replacement. If your TP-Link device is end-of-life and no longer receiving firmware updates, replace it. Running unpatched networking equipment on the internet is not a risk you can manage your way out of.
- Report. If you believe your router was compromised, file a report with the FBI’s IC3.
The Bottom Line
Foreign intelligence services are not just targeting Fortune 500 companies and government agencies. They are targeting the $40 router sitting on your desk. The device you set up once and forgot about is exactly the kind of infrastructure a nation-state operator loves: always on, rarely monitored, broadly trusted by every device behind it.
Operation Masquerade is a reminder that network security starts at the edge. Your router is your perimeter. Treat it like one.
Sources:
- FBI IC3 Public Service Announcement (PSA260407)
- NSA Press Release: Operation Masquerade
- DOJ: Court-Authorized Disruption of DNS Hijacking Network
- Joint CSA: Russian Actors Use Compromised Routers (Feb 2024)
- CyberScoop: FBI Operation Masquerade Interview with Brett Leatherman
- Cybersecurity Dive: Russia Router Hacking DNS FBI Disruption