Justice Department Counters Russian Military Intelligence Unit Attack On US Targets

The Justice Department and FBI on Tuesday revealed they have conducted a court-approved technical operation to neutralize part of a network of small office and home office routers in the United States that had been commandeered by a unit of Russia’s military intelligence.

Russian Military Unit 26165—also known as APT28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit—is part of Russia’s Main Intelligence Directorate of the General Staff and has compromised routers to execute malicious Domain Name System (DNS) hijacking operations across the planet.

They targeted individual U.S. military members, the U.S. government, and critical infrastructure from which the Russian government expected to gain intelligence.

U.S. Attorney David Metcalf for the Eastern District of Pennsylvania said critical data had been commandeered.

“In the face of continued aggression by our nation-state adversaries, the U.S. government will respond just as aggressively,” Metcalf said. “Working with the FBI—and our partners around the world—we are committed to disrupting and exposing such threats to our nation’s cybersecurity.”

Assistant Director Brett Leatherman of the FBI’s Cyber Division said U.S. and global routers had been compromised and that the FBI will continue to use its authorities to identify and impose costs on state-sponsored actors who target the American people.

“Given the scale of this threat, sounding the alarm wasn’t enough,” Leatherman said. “The FBI conducted a court-authorized operation to harden compromised routers across the United States.”

The FBI operation, called Operation Masquerade, is the most recent U.S. action to counter ongoing Russian state-sponsored cyber threats that exploit everyday consumer devices.

Since 2024, GRU actors have exploited known vulnerabilities in TP-Link routers worldwide to steal administrative credentials. They then obtained unauthorized access to the devices and changed their settings to redirect DNS queries to GRU-controlled malicious resolvers.

The actors set up automated filters to identify high-value traffic before intercepting it. The malicious resolvers returned fraudulent DNS records that appeared to be legitimate services, including Microsoft Outlook Web Access.
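The hijack described above works at the router’s DNS settings: once the configured resolver is attacker-controlled, any name (such as a webmail portal) can be answered with an attacker address. A defender can catch this without vendor tooling by checking two things: whether the router is handing out resolvers that are not on the organization’s allowlist, and whether answers obtained through the router differ from answers obtained through a trusted out-of-band resolver. The script below is an added example and is not code from the DOJ, the FBI, or this article; the router status format, the resolver allowlist, the hostnames, and all addresses are constructed placeholders (RFC 5737 documentation ranges) rather than real values from the operation.

```python
"""Defensive check for router-level DNS hijacking (constructed example)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Assumption: resolvers the organisation expects its SOHO routers to hand out.
TRUSTED_RESOLVERS = frozenset({"192.0.2.53", "192.0.2.54"})

# Constructed router status dump in a generic key=value form (not a real
# vendor format). The first DNS entry has been changed to an unknown address,
# which is what a settings-tampering hijack looks like from the LAN side.
ROUTER_STATUS = """\
lan_dns1=198.51.100.7
lan_dns2=192.0.2.53
wan_ip=203.0.113.25
"""

# Constructed answers: what the router's configured resolver returned versus
# what a trusted resolver reached outside the LAN returned for the same names.
ANSWERS_VIA_ROUTER = {
    "mail.example.com": {"198.51.100.20"},   # differs: redirected webmail name
    "www.example.com": {"192.0.2.10"},
}
ANSWERS_VIA_TRUSTED = {
    "mail.example.com": {"192.0.2.20"},
    "www.example.com": {"192.0.2.10"},
}

_DNS_KEY = re.compile(r"^(?:lan_|wan_)?dns\d*=(.+)$")


def parse_configured_resolvers(status_dump: str) -> list[str]:
    """Extract resolver addresses from the key=value dump in the order listed."""
    found: list[str] = []
    for line in status_dump.splitlines():
        m = _DNS_KEY.match(line.strip())
        if not m:
            continue
        value = m.group(1).strip()
        try:
            found.append(str(ipaddress.ip_address(value)))  # normalise the address
        except ValueError:
            # A non-IP value (hostname, garbage) is still worth surfacing, so keep it.
            found.append(value)
    return found


def unexpected_resolvers(configured: list[str], trusted=TRUSTED_RESOLVERS) -> set[str]:
    """Resolvers the router uses that are not on the allowlist."""
    return {r for r in configured if r not in trusted}


def find_hijacked_answers(via_router: dict, via_trusted: dict) -> list[str]:
    """Names whose router-path answers differ from (or are missing versus) the trusted path."""
    differing = []
    for name, trusted_ips in via_trusted.items():
        router_ips = via_router.get(name)
        if router_ips is None or router_ips != trusted_ips:
            differing.append(name)
    return sorted(differing)


@dataclass
class DnsAudit:
    unexpected_resolvers: set[str]
    mismatched_names: list[str]

    @property
    def suspicious(self) -> bool:
        return bool(self.unexpected_resolvers or self.mismatched_names)


def audit_router(status_dump: str, via_router: dict, via_trusted: dict,
                 trusted=TRUSTED_RESOLVERS) -> DnsAudit:
    """Combine the resolver allowlist check with the answer comparison."""
    configured = parse_configured_resolvers(status_dump)
    return DnsAudit(unexpected_resolvers(configured, trusted),
                    find_hijacked_answers(via_router, via_trusted))


if __name__ == "__main__":
    report = audit_router(ROUTER_STATUS, ANSWERS_VIA_ROUTER, ANSWERS_VIA_TRUSTED)
    print("unexpected resolvers:", sorted(report.unexpected_resolvers))
    print("names answered differently:", report.mismatched_names)
    print("suspicious:", report.suspicious)
```

Treat a mismatch as a lead rather than proof: names served through a CDN can legitimately resolve to different addresses from different vantage points, so the comparison is most reliable for internal or single-homed services such as a self-hosted webmail portal. The resolver allowlist check has no such ambiguity; a router whose DNS settings point somewhere the organization did not configure warrants the firmware update and credential rotation that the advisory’s hardening implies.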


Author: HP McLovincraft

Seeker of rabbit holes. Pessimist. Libertine. Contrarian. Your huckleberry. Possibly true tales of sanity-blasting horror also known as abject reality. Prepare yourself. Veteran of a thousand psychic wars. I have seen the fnords. Deplatformed on Tumblr and Twitter.
