ZeroHedge News

Justice Department Counters Russian Military Intelligence Unit Attack On US Targets

The Justice Department and FBI have conducted a court-approved operation to neutralize part of a network of compromised routers in the U.S. These routers were commandeered by Russian military intelligence unit 26165, also known as APT28. This group has been hijacking Domain Name System (DNS) operations globally to gather intelligence. Targets included U.S. military members, the U.S. government, and critical infrastructure. The FBI's operation, called Operation Masquerade, aimed to harden these compromised routers.

Since 2024, the GRU has exploited vulnerabilities in TP-Link routers to steal credentials and redirect DNS queries. They used malicious resolvers to perform man-in-the-middle attacks, stealing sensitive data.

Technical contributions came from Lumen, Microsoft, and MIT Lincoln Laboratory. Leading the operation, FBI Boston used advanced technology and partnered with private and international entities. Court documents confirmed the operation reset DNS settings, shut down unauthorized access, and did not affect normal router functions or collect personal data.

Affected users are advised to replace old devices, upgrade firmware, and check DNS settings. This GRU unit has a history of cyber-attacks, including targeting logistics companies aiding Ukraine and French entities. The Justice Department previously dismantled a GRU-controlled botnet targeting similar routers worldwide.
zerohedge.com