Large-Scale Internet Router Network Compromised by Russian Hackers Taken Down in the U.S.
In a significant cyber defense operation, the U.S. Department of Justice (DoJ) announced on April 7 the dismantling of a vast network of compromised internet routers, believed to have been hijacked by the Russian hacking group APT28. This operation was aimed at harvesting credentials of intelligence value from various victims. The move marks a proactive stance against the ongoing cyber threats posed by foreign adversaries.
The collaboration between the DoJ and the FBI was pivotal in neutralizing the U.S. segment of a domain name system (DNS) hijacking network that spread across more than 23 states. The coordinated effort highlighted the seriousness of the threat posed by APT28, which has a history of exploiting vulnerabilities in internet-connected devices, particularly small office and home office (SOHO) routers.
Reports published on the same day by both the UK’s National Cyber Security Centre (NCSC) and Microsoft Threat Intelligence provided further details about this scheme. According to these reports, APT28, also known as Fancy Bear, has been carrying out this activity since at least 2024, targeting weaknesses specifically in small-scale routers, including those manufactured by TP-Link. By redirecting internet traffic through maliciously controlled DNS servers, the group was able to capture sensitive credentials from targeted organizations.
The attribution of this hacking group to the Russian military intelligence agency, the GRU, emphasizes the serious implications of state-sponsored cyber activities. David Metcalf, the U.S. Attorney for the Eastern District of Pennsylvania, articulated the gravity of the situation, stating, "Russian military intelligence once again hijacked Americans’ hardware to commandeer critical data. In the face of continued aggression by our nation-state adversaries, the U.S. government will respond just as aggressively."
Operation Masquerade: A Tactical Response to Cyber Threats
The operation, dubbed “Operation Masquerade,” was spearheaded by the FBI’s Boston Field Office, following court authorization. Legal documents unsealed in the Eastern District of Pennsylvania revealed that the FBI developed specific commands intended to rectify the compromised conditions of these routers. These commands served multiple purposes: to gather evidence about APT28’s activities, reset the DNS settings altered by the hackers, and prevent any unauthorized access that the attackers had previously exploited.
Before deployment, the FBI thoroughly tested the operation on the firmware and hardware of affected TP-Link routers to ensure that the typical functionalities of these devices would remain unaffected. The Department of Justice reassured the public that their measures did not infringe upon legitimate users’ data. “The court-authorized steps to remediate compromised routers can be reversed by legitimate users at any time through factory resets,” the DoJ stated, encouraging transparency and public safety in their efforts.
To further assist users, the FBI is collaborating with Internet Service Providers (ISPs) to inform those who utilize SOHO routers about the measures taken during Operation Masquerade. The initiative involved various agencies, including the Philadelphia Field Office and the National Security Cyber Division, showcasing a coordinated governmental response to an intricate cyber threat.
Brett Leatherman, Assistant Director of the FBI’s Cyber Division, remarked on the scale of the threat: “GRU actors compromised routers in the U.S. and around the world, hijacking them to conduct espionage. Given the scale of this threat, sounding the alarm wasn’t enough.” His comments underscore the necessity for active intervention in contrast to traditional reactive approaches.
John A. Eisenberg, Assistant Attorney General for National Security, highlighted the ongoing concerns regarding cyber threats from foreign entities, labeling the Russian campaign as “a serious and persistent threat.” He pledged the department’s unwavering commitment to utilizing every available resource to detect intrusions and expel hostile actors from U.S. networks.
Guidance for SOHO Router Users
In light of these events, the DoJ has strongly urged SOHO router users to be vigilant and take immediate action if they suspect their device has been compromised. Those affected are encouraged to reach out to their local FBI field office or file a report through the FBI’s Internet Crime Complaint Center (IC3).
Users should consider taking the following steps to secure their routers:
- Replace outdated routers: Confirm whether the device is on the manufacturer’s end-of-life or end-of-support list and upgrade as necessary.
- Update router firmware: Regularly check and install the latest firmware from the official brand’s website.
- Verify DNS settings: Ensure that the DNS resolvers being used are legitimate and secure.
- Secure remote access: Limit or disable remote management features unless absolutely necessary.
- Follow official guidance: Follow the security documentation provided by TP-Link or other router vendors for correct setup.
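The "Verify DNS settings" step is the one a user can actually test rather than just read off a configuration page: in a DNS hijack of the kind described above, the router keeps working normally but hands out (or forwards to) an attacker-controlled resolver. The script below is an added example, not code from the DoJ, FBI, NCSC or TP-Link material. It builds a raw DNS A query with the standard library only, sends it to the resolver the router advertises, sends the same query to a trusted public resolver, and reports whether the two answer sets overlap. The probe name (example.com), the trusted resolvers (9.9.9.9 and 1.1.1.1), and the sample response bytes are assumptions constructed for the example and are not from the article.

```python
"""Compare the answers from a router-advertised DNS resolver with a trusted one.

Added example for the "Verify DNS settings" step; not from the DoJ/FBI/NCSC material.
Assumptions (not from the article): PROBE_NAME, TRUSTED_RESOLVERS, and the
constructed sample response in sample_response().
"""
import socket
import struct

PROBE_NAME = "example.com"                   # assumed probe name
TRUSTED_RESOLVERS = ["9.9.9.9", "1.1.1.1"]    # assumed trusted public resolvers
TXID = 0x1234                                 # fixed transaction id for the example


def build_query(name: str, txid: int = TXID) -> bytes:
    """Build a minimal DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name (RFC 1035 s4.1.4); return (name, next offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if not jumped:
                end = off + 2                         # caller resumes after the pointer
            jumped = True
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(msg: bytes, txid: int = TXID):
    """Return the sorted IPv4 answers in a DNS response after checking txid and QR bit."""
    rtxid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rtxid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):                               # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                      # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                 # A record
            answers.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return sorted(answers)


def query_resolver(resolver_ip: str, name: str = PROBE_NAME, timeout: float = 3.0):
    """Send the query over UDP/53 to one resolver and parse its answers (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data)


def compare_answers(router_answers, trusted_answers) -> str:
    """Classify the router resolver's answers against the trusted resolver's.

    Disjoint answer sets are an indicator to investigate, not proof of hijacking:
    CDNs and geo-aware DNS legitimately return different addresses to different clients.
    """
    if not router_answers:
        return "no-answer"
    if set(router_answers) & set(trusted_answers):
        return "consistent"
    return "mismatch"


def sample_response() -> bytes:
    """Constructed response (not captured traffic): example.com -> 192.0.2.1 (TEST-NET-1),
    with the answer name encoded as a compression pointer back to offset 12."""
    header = struct.pack(">HHHHHH", TXID, 0x8180, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


if __name__ == "__main__":
    import sys
    # usage: python dns_check.py <resolver IP handed out by the router>
    if len(sys.argv) < 2:
        print("offline demo, parsed sample response:", parse_a_records(sample_response()))
    else:
        router = sys.argv[1]
        mine = query_resolver(router)
        trusted = query_resolver(TRUSTED_RESOLVERS[0])
        print(router, mine, "vs", TRUSTED_RESOLVERS[0], trusted, "->", compare_answers(mine, trusted))
```

The resolver IP to pass in is the one shown in the router's DHCP or WAN settings page (or in the client's own network settings). A "mismatch" result means the two resolvers disagree on a name with a stable address, which is the symptom the redirection described above would produce; combine it with the other checks in the list (unexpected resolver addresses, unexplained remote-management enablement) before concluding anything, since some disagreement is normal for names served from CDNs.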
FBI’s Leatherman concluded the advisement by stating, “We urge all router owners to take the remediation steps outlined today, because defending our networks requires all of us.” This call to joint vigilance highlights the critical role that individual users can play in safeguarding national cybersecurity infrastructure against increasingly sophisticated threats.
