INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
FBI Disrupts Russian Router Hacking Campaign
2026-04-09 15:34 | CRITICAL | HIGH
Executive Summary (AI-generated)
The recent FBI-led operation to knock Russian government hackers off routers is a significant development in the ongoing battle against cyberespionage. The campaign, attributed to APT28 (also known as Forest Blizzard or Fancy Bear), compromised over 18,000 TP-Link routers and infiltrated more than 200 organizations worldwide. This latest disruption is part of a larger series of operations against Russian government hackers dating back to 2018. By targeting the compromised small-office and home-office routers, the FBI has cut off APT28's access to those devices and stopped them from handing the attackers' malicious DNS resolver addresses to the clients behind them. The success of Operation Masquerade, which involved seizing a domain used for communication with infected routers, is seen as a significant milestone in this ongoing effort.
Technical Mitigations (AI-generated)
* Router reset protocol: send commands to affected routers that reset their DNS settings, removing attacker-installed resolvers and restoring the ISP-provided ones, so the hackers can no longer exploit that access point.
* DNS filtering and blocking: configure network devices (e.g. firewalls, routers) to filter out known malicious resolver IP addresses and block traffic routed through compromised routers.
* Endpoint detection and response (EDR): deploy EDR solutions that can detect endpoint-based attacks on home and small-office networks, alerting users to potential threats before they cause damage.
* Network segmentation: split the network into smaller, isolated areas using firewalls or other security controls, making it harder for hackers to spread their malware across the entire network.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Operation Masquerade, Operation Dying Ember
APT28
Cyclops Blink, VPNFilter
Target & Sectors
NORTH_AMERICA
Incident Timeline
2026/03/10
The Trump administration published a cyber strategy document in March 2026.
Entities: Trump (organisation), Leatherman (organisation)
Context: The disruption operation is in line with the cyber strategy the Trump administration published last month, with its emphasis on going on offense against malicious hackers and protecting critical infrastructure, Leatherman said.
2026/04/07
The US Department of Justice teamed up with the FBI to neutralize a domain name system (DNS) hijacking network spanning across over 23 US states.
Entities: FBI (attribution), US Department of Justice (DoJ) (attribution), Microsoft Threat Intelligence (attribution), National Cyber Security Centre (attribution), NCSC (attribution), United States (target_region), United Kingdom (target_region), 23 states (general_metric)
Context: The US Department of Justice (DoJ) announced on April 7 that it teamed up with the FBI to neutralize the US portion of the domain name system (DNS) hijacking network, which spanned across over 23 US states.
Context: The scheme was also detailed on April 7 in reports by both the UK’s National Cyber Security Centre (NCSC) and Microsoft Threat Intelligence.
2026/04/08
The FBI advised router owners to update their routers' firmware and verify their DNS settings, closing the vulnerabilities APT28 had used to gain access.
Entities: FBI (attribution), United States (target_region)
Context: They are also advised to take the following steps:
Replace outdated routers: check if your router is on the manufacturer’s end-of-life or end-of-support list and upgrade if needed
Update router firmware: download and install the latest firmware from the official router brand’s website
Verify DNS settings: ensure your router’s DNS resolvers are legitimate
Secure remote access: disable or restrict remote management features unless absolutely necessary
Follow official guidance: review TP-Link’s (or your router brand’s) security documentation for proper setup
“We urge all router owners to take the remediation steps outlined today, because defending our networks requires all of us,” said FBI’s Leatherman.
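The remediation steps above (verify DNS resolvers, restrict remote management, keep firmware current) and the DNS-reset mitigation listed under Technical Mitigations both come down to comparing a router's configuration against a known-good baseline. The Python script below is an added example and is not code from the FBI, the DoJ, TP-Link or any source cited on this page. It parses a constructed key=value status dump (the field names wan_dns_mode, wan_dns1, wan_dns2 and remote_mgmt are assumptions, not a real vendor format) and flags resolvers that are not on the operator's allowlist, static WAN DNS overrides, and enabled remote management. The "ISP" resolvers in the allowlist are constructed TEST-NET addresses; replace them with the resolvers your ISP actually hands out.

```python
"""Audit a SOHO router's DNS resolver configuration against a known-good allowlist.

Added example (not from the FBI, DoJ, TP-Link or any source on this page).
The status snapshot and the "ISP" resolver addresses are constructed.
"""
import ipaddress

# Assumed known-good resolvers: the ISP-assigned pair (constructed, TEST-NET-3)
# plus a few widely used public resolvers. In practice, take the ISP entries
# from your provider's DHCP offer or published documentation.
KNOWN_GOOD_RESOLVERS = {
    "203.0.113.53", "203.0.113.54",   # constructed "ISP" resolvers
    "1.1.1.1", "1.0.0.1",             # Cloudflare
    "8.8.8.8", "8.8.4.4",             # Google
    "9.9.9.9", "149.112.112.112",     # Quad9
}

# Constructed router status snapshot. The key names are assumptions modelled on
# the kind of key=value dump a SOHO router's web UI or status command produces.
SAMPLE_STATUS = """\
wan_ip=198.51.100.7
wan_dns_mode=static
wan_dns1=192.0.2.10
wan_dns2=203.0.113.53
lan_dhcp_dns=router
remote_mgmt=enabled
firmware=1.0.3 Build 20240102 rel.12345
"""


def parse_status(text):
    """Parse key=value lines into a dict, ignoring blank or malformed lines."""
    cfg = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def audit_router(cfg, known_good=KNOWN_GOOD_RESOLVERS):
    """Return a list of (severity, finding) tuples; an empty list means clean."""
    findings = []

    # 1. A static WAN DNS override is how attacker-installed resolvers persist,
    #    so treat it as worth a look even though some users set it deliberately.
    if cfg.get("wan_dns_mode", "").lower() == "static":
        findings.append(("medium",
                         "WAN DNS is statically configured; expected ISP-assigned (DHCP)"))

    # 2. Every configured resolver must parse as an IP and be on the allowlist.
    for key in ("wan_dns1", "wan_dns2"):
        value = cfg.get(key)
        if not value:
            continue
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            findings.append(("high", f"{key}={value!r} is not a valid IP address"))
            continue
        if str(ip) not in known_good:
            findings.append(("high", f"{key}={ip} is not a known-good resolver"))

    # 3. Remote management exposes the admin interface to the internet.
    if cfg.get("remote_mgmt", "disabled").lower() == "enabled":
        findings.append(("medium", "remote management is enabled; disable unless required"))

    return findings


if __name__ == "__main__":
    for severity, message in audit_router(parse_status(SAMPLE_STATUS)):
        print(f"[{severity.upper()}] {message}")
```

On the constructed snapshot the script reports the unknown resolver 192.0.2.10 as high severity and the static DNS mode and enabled remote management as medium; a snapshot with DHCP-assigned, allowlisted resolvers and remote management disabled produces no findings. The allowlist is deliberately explicit rather than heuristic: a hijacked router hands out resolvers that look like ordinary public addresses, so only a comparison against what the ISP actually assigns catches them.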
2026/04/09
The FBI took down the DNS hijacking network controlled by Russian hackers APT28, which had compromised thousands of devices across over 23 states and many other countries.
Entities: APT28 (threat_actor); 200 organizations (victims); DNS, DoJ, Operation Masquerade, Domain Name System, IP, SOHO, Hackread.com, Fancy Bear, GRU, Microsoft Outlook Web Access, The White House, Capitol Hill, CyberScoop, The Washington Post, POLITICO (organisation)
Context:
US Thwarts DNS Hijacking Network Controlled by Russian APT28 Hackers.
A large-scale network of internet routers compromised by Russian hacking group APT28 to harvest credentials from victims of intelligence value has been taken down in the US.
Researchers, along with U.S. and foreign government agencies, revealed details of the campaign this week by which APT28 — also known as Forest Blizzard or Fancy Bear, and attributed to Russia’s Main Intelligence Directorate of the General Staff (GRU) — compromised more than 18,000 TP-Link routers and infiltrated more than 200 organizations worldwide.
As described in court documents, unsealed in the Eastern District of Pennsylvania, the FBI developed a series of commands to send to US-based routers compromised by APT28. These commands were designed to collect evidence regarding the threat group’s activity, reset DNS settings – remove DNS resolvers installed by APT28 and force routers to obtain legitimate DNS resolvers from their internet service providers (ISPs) – and to prevent the hackers from exploiting the original means of unauthorized access.
Inside the FBI’s router takedown that cut off APT28’s ‘tremendous access’.
The group behind the attack is a well-known unit of the Russian GRU, often called APT28, Fancy Bear, or Forest Blizzard. Both the UK and US government agencies attributed APT28 to Russia’s Main Intelligence Directorate of the General Staff (GRU) Military Unit 26165.
In several campaigns dating back to 2024, APT28 has been exploiting vulnerabilities in small office/home office (SOHO) routers – and especially TP-Link routers – to redirect traffic through attacker-controlled DNS servers and steal credentials from targeted organizations.
The compromise of routers used in small and home offices prompted the takedown operation, Operation Masquerade, which involved sending commands to the routers to reset Domain Name System (DNS) settings to prevent the hackers from exploiting that access.
As Hackread.com reported earlier, the technical trick Fancy Bear used in this campaign is called DNS hijacking, using which the GRU hackers broke into routers and swapped DNS with their own fake versions.
As per the DoJ’s press release, the mission, dubbed Operation Masquerade, targeted a network of home and small-office routers that hackers had been using to spy on unsuspecting users. After testing the operation “extensively” on firmware and hardware for affected TP-Link routers, the DoJ confirmed it did not impact the routers’ normal functionality or collect the legitimate users’ content information.
“All those devices now, once they’re connected to that Wi-Fi, are getting the malicious IP addresses that they are then routing their traffic through, and it gives the Russian GRU tremendous access to the content offered through a router itself.”
For these specific people, the hackers would serve up fake login pages, like a counterfeit Microsoft Outlook Web Access screen, to steal unencrypted passwords, emails, and authentication tokens without the user ever realising something was wrong.
The White House has kept the public and Capitol Hill in the dark about strategy implementation, however.
“We moved from just sinkholing domains to actually taking steps that block them at the door of these routers, pulled any capability off of those routers so they were no longer able to collect the sensitive information, and then prohibited them from getting back in.”
Written by Tim Starks. Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly.
Tactical Metrics
victims: 200 organizations
Intelligence Sources
HackRead, 2026-04-08
Infosecurity-Magazine, 2026-04-08: US Thwarts DNS Hijacking Network Controlled by Russian APT28 Hackers
CyberScoop, 2026-04-09
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T12:15
Comprehensive Tactical Telemetry
Highly Correlated Entities (count, category, role, entity, kind):
20x, attribution, Attributing Entity, FBI, authority
17x, organisation, Identified Entity, DoJ, entity
7x, timeline, Temporal Reference, April 7, date
3x, target region, Target Country, United States, country
2x, source region, Origin Country, Russian Federation, country
2x, campaign, Campaign, Operation Masquerade, operation
2x, tactic, Cyber Operation Type, Espionage, tactic
2x, malware, Malware Payload, VPNFilter, tool
Contextual Telemetry (4 metrics; category, label, value, unit):
threat actor, APT Group, APT28, actor
general metric, States, 23, states
victims, Organizations, 200, organizations
general metric, Field Offices, 56, field offices