TP-Link: US operation evicts Russia from hacked SOHO routers used to breach critical infrastructure

U.S. Disrupts Russian GRU’s Global Router Hijacking Campaign Targeting Governments and Critical Infrastructure

The U.S. Department of Justice (DOJ) announced on Tuesday that it had dismantled a years-long cyberespionage operation by Russia’s military intelligence agency, the GRU, which had hijacked thousands of small office and home office (SOHO) routers worldwide to intercept sensitive data. The campaign, active since at least 2024 (with evidence dating back to August 2025), exploited TP-Link routers to reroute DNS requests through Kremlin-controlled servers, enabling the theft of emails, passwords, and other confidential information from governments, critical infrastructure operators, and private networks.

The FBI’s "Operation Masquerade" neutralized the threat by remotely resetting compromised routers and collecting forensic evidence, effectively severing Russia’s access. The operation followed a Microsoft report revealing that the GRU hacking group tracked as APT28, Fancy Bear, or Forest Blizzard had weaponized DNS hijacking to conduct adversary-in-the-middle (AiTM) attacks, particularly targeting Microsoft Outlook connections. An automated filtering system allowed the hackers to prioritize high-value targets, including three African government organizations, as well as entities in IT, telecommunications, and energy sectors.

Microsoft warned that the scale of compromised routers could amplify future AiTM attacks, though no malware delivery or denial-of-service activity has been observed yet. The GRU’s tactics reflect an evolution in its playbook, marking the first time the group has used DNS hijacking at scale to exploit edge devices for large-scale surveillance.

The disruption aligns with the FBI’s broader strategy to proactively counter state-sponsored cyber threats. Brett Leatherman, head of the FBI’s Cyber Division, emphasized the agency’s commitment to imposing costs on foreign adversaries targeting U.S. interests. The UK’s National Cyber Security Centre (NCSC) also issued an advisory on the campaign, underscoring the risks of unpatched or end-of-life networking equipment.
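The campaign described above works because a hijacked router either forwards clients' DNS to an attacker-controlled resolver or answers their queries itself with attacker-chosen addresses, so a mail host resolves to an AiTM proxy. The following added example (not from the article or any vendor) shows the kind of DNS-anomaly check the NCSC-style advice implies: it parses constructed edge-DNS log lines (assumed format) and flags both queries sent to resolvers outside an allowlist and answers for monitored names that fall outside expected prefixes. All IPs, resolvers, and prefixes are placeholders chosen for the example.

```python
import ipaddress
import re

# Constructed sample log, one line per observed DNS query and its answer.
# Assumed line format (not from any real product):
#   <client_ip> -> <resolver_ip> Q=<queried_name> A=<answer_ip>
SAMPLE_LOG = """\
10.0.0.12 -> 10.0.0.1 Q=outlook.office365.com A=52.96.0.10
10.0.0.12 -> 10.0.0.1 Q=login.microsoftonline.com A=20.190.0.5
10.0.0.25 -> 203.0.113.77 Q=outlook.office365.com A=198.51.100.9
10.0.0.25 -> 203.0.113.77 Q=example.org A=93.184.216.34
10.0.0.31 -> 10.0.0.1 Q=outlook.office365.com A=198.51.100.9
"""

# Assumed site configuration: the resolvers clients are supposed to use
# (10.0.0.1 is the SOHO router itself) and the address ranges the monitored
# mail/login names are expected to resolve into. Placeholder values only;
# a real deployment would populate these from its own baseline.
TRUSTED_RESOLVERS = {"10.0.0.1", "9.9.9.9"}
EXPECTED_PREFIXES = {
    "outlook.office365.com": [ipaddress.ip_network("52.96.0.0/16")],
    "login.microsoftonline.com": [ipaddress.ip_network("20.190.0.0/16")],
}

LINE_RE = re.compile(r"^(\S+) -> (\S+) Q=(\S+) A=(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"client": m[1], "resolver": m[2], "name": m[3], "answer": m[4]}


def check_dns_log(text, trusted=TRUSTED_RESOLVERS, expected=EXPECTED_PREFIXES):
    """Return findings as (client, reason, detail) tuples.

    Two checks: a query going to a resolver outside the allowlist (DNS
    redirected off-site), and an answer for a monitored name outside its
    expected prefixes (the trusted router itself returning a poisoned answer).
    """
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["resolver"] not in trusted:
            findings.append((rec["client"], "untrusted-resolver", rec["resolver"]))
        prefixes = expected.get(rec["name"])
        if prefixes and not any(ipaddress.ip_address(rec["answer"]) in p for p in prefixes):
            findings.append((rec["client"], "unexpected-answer", f"{rec['name']}={rec['answer']}"))
    return findings
```

The last sample line is the case that matters for router hijacking: the resolver is the trusted router, so an allowlist alone passes it, and only the answer check catches the redirected mail endpoint.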

Source: https://www.cybersecuritydive.com/news/russia-routers-hacking-dns-fbi-disruption/816960/

TP-Link Systems Inc. cybersecurity rating report: https://www.rankiteo.com/company/tp-link

"id": "TP-1775665616",
"linkid": "tp-link",
"type": "Cyber Attack",
"date": "8/2025",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'industry': 'Public Sector',
                        'location': 'Africa',
                        'name': 'Three African government organizations',
                        'type': 'Government'},
                       {'industry': 'IT, Telecommunications, Energy',
                        'location': 'Global',
                        'type': 'Private Sector'}],
 'attack_vector': 'Exploiting unpatched/vulnerable SOHO routers (TP-Link), DNS '
                  'hijacking',
 'data_breach': {'data_exfiltration': 'Yes',
                 'personally_identifiable_information': 'Likely (emails, '
                                                        'passwords)',
                 'sensitivity_of_data': 'High (government and critical '
                                        'infrastructure data)',
                 'type_of_data_compromised': 'Emails, passwords, confidential '
                                             'communications'},
 'date_detected': '2024',
 'description': 'The U.S. Department of Justice (DOJ) announced the '
                'dismantling of a years-long cyberespionage operation by '
                'Russia’s military intelligence agency, the GRU, which '
                'hijacked thousands of small office and home office (SOHO) '
                'routers worldwide to intercept sensitive data. The campaign '
                'exploited TP-Link routers to reroute DNS requests through '
                'Kremlin-controlled servers, enabling the theft of emails, '
                'passwords, and other confidential information from '
                'governments, critical infrastructure operators, and private '
                'networks.',
 'impact': {'data_compromised': 'Emails, passwords, confidential information',
            'identity_theft_risk': 'High (PII exposure)',
            'operational_impact': 'Data interception, surveillance, potential '
                                  'future amplification of AiTM attacks',
            'systems_affected': 'Thousands of SOHO routers (TP-Link), '
                                'government and critical infrastructure '
                                'networks'},
 'initial_access_broker': {'entry_point': 'Vulnerable SOHO routers (TP-Link)',
                           'high_value_targets': 'Governments, critical '
                                                 'infrastructure, '
                                                 'IT/telecom/energy sectors'},
 'investigation_status': 'Disrupted (Operation Masquerade)',
 'lessons_learned': 'Risks of unpatched/end-of-life networking equipment, '
                    'evolution of GRU’s cyberespionage tactics, importance of '
                    'proactive disruption of state-sponsored threats',
 'motivation': 'Cyberespionage, surveillance, data theft',
 'post_incident_analysis': {'corrective_actions': 'Proactive disruption by '
                                                  'FBI, public advisories, '
                                                  'recommendations for '
                                                  'patching and replacing '
                                                  'vulnerable equipment',
                            'root_causes': 'Exploitation of '
                                           'unpatched/end-of-life SOHO '
                                           'routers, DNS hijacking, automated '
                                           'filtering for high-value targets'},
 'recommendations': 'Patch and update SOHO routers, monitor DNS traffic for '
                    'anomalies, replace end-of-life equipment, enhance threat '
                    'intelligence sharing',
 'references': [{'source': 'U.S. Department of Justice (DOJ)'},
                {'source': 'Microsoft Threat Intelligence'},
                {'source': 'UK National Cyber Security Centre (NCSC) '
                           'Advisory'}],
 'response': {'communication_strategy': 'Public disclosure by DOJ, Microsoft, '
                                        'and NCSC advisories',
              'containment_measures': 'Remote reset of compromised routers, '
                                      'forensic evidence collection',
              'law_enforcement_notified': 'Yes (FBI, DOJ)',
              'remediation_measures': 'Severing GRU’s access to hijacked '
                                      'routers',
              'third_party_assistance': 'Microsoft (threat intelligence), FBI '
                                        '(Operation Masquerade)'},
 'stakeholder_advisories': 'NCSC advisory on risks of unpatched networking '
                           'equipment',
 'threat_actor': 'GRU (APT28, Fancy Bear, Forest Blizzard)',
 'title': 'U.S. Disrupts Russian GRU’s Global Router Hijacking Campaign '
          'Targeting Governments and Critical Infrastructure',
 'type': 'Cyberespionage, DNS Hijacking, Adversary-in-the-Middle (AiTM) Attack',
 'vulnerability_exploited': 'Unpatched or end-of-life networking equipment '
                            '(TP-Link routers)'}