FBI Takes Down Russian Campaign That Compromised Thousands of Routers

U.S. Justice Department and FBI actions disrupted a worldwide network of hacked SOHO routers controlled by Russia’s GRU intelligence agency in a campaign dubbed “Operation Masquerade.”

These state-sponsored hackers compromised thousands of TP-Link routers since at least 2024, exploiting known vulnerabilities to steal credentials and gain access.

They manipulated DNS settings to force infected routers to route traffic through malicious, GRU-controlled resolvers.

While initially indiscriminate, the GRU used automated filters to target traffic from military, government, and critical infrastructure personnel.

For specific victims, the resolvers served fake DNS records spoofing services like Microsoft Outlook Web Access.

This allowed “Actor-in-the-Middle” attacks on encrypted traffic, enabling silent harvesting of unencrypted passwords, tokens, and emails from devices on the infected network.

The hacked routers became active tools for foreign espionage.

To disrupt the operation, the FBI secured court authorization and deployed commands to US-based compromised routers.

This action collected evidence, purged malicious DNS resolvers, restored legitimate ISP DNS settings, and blocked attacker access routes.

The intervention, tested by MIT Lincoln Laboratory, locked out threat actors without disrupting internet functionality or accessing private user data.

Private sector partners like Microsoft Threat Intelligence and Lumen’s Black Lotus Labs provided crucial technical support during discovery.

While the FBI neutralized the immediate US threat, the risk persists for globally unpatched hardware.

Security agencies urge SOHO router owners to:

  • Replace any routers that are end-of-life or no longer receive security updates.
  • Update the router firmware to the latest version via the manufacturer’s official website.
  • Manually verify the authenticity of the DNS resolvers listed in the router’s admin settings.
  • Implement strict firewall rules to block public exposure of remote management services.

The FBI is working with ISPs to notify users whose devices were remediated. Affected users should reset their router to factory defaults, apply the latest security patches, and report the incident to the FBI’s IC3.

Related Articles

Back to top button