Justice Department announces disruption of Russian GRU-controlled router network in U.S.

David Metcalf, U.S. Attorney for the Eastern District of Pennsylvania | Department of Justice

The Department of Justice, United States Attorney David Metcalf, and the FBI announced on Apr. 7 a court-authorized operation to disrupt the U.S. segment of a network of compromised small office/home office routers controlled by Russia’s Main Intelligence Directorate (GRU) Military Unit 26165.

The announcement highlights ongoing efforts to counter cyber threats posed by foreign actors targeting American infrastructure and individuals. The routers were reportedly used for malicious Domain Name System hijacking operations aimed at intelligence targets worldwide, including those in military, government, and critical infrastructure sectors.

According to officials, since at least 2024, GRU actors exploited vulnerabilities in TP-Link routers globally to steal credentials and manipulate device settings. This allowed them to redirect DNS requests through servers under their control. For select targets, these servers provided fraudulent DNS records mimicking legitimate services such as Microsoft Outlook Web Access. This facilitated Actor-in-the-Middle attacks where sensitive information like passwords and emails was harvested from devices sharing the compromised networks.

“Russian military intelligence once again hijacked Americans’ hardware to commandeer critical data,” said U.S. Attorney David Metcalf. “In the face of continued aggression by our nation-state adversaries, the U.S. government will respond just as aggressively.”

Assistant Attorney General for National Security John A. Eisenberg said: “The GRU’s predatory use of networks in American homes and businesses for its malicious cyber operations remains a serious and persistent threat.” Special Agent in Charge Ted E. Docks of the FBI’s Boston Field Office added: “Operation Masquerade — led by FBI Boston — is the latest example of how we’re defending our homeland from Russia’s GRU... Now we’re asking everyone who has a router to secure it, update its firmware, and replace it if needed.”

Court documents indicate that the FBI developed commands sent to affected routers designed to collect evidence about GRU activity while resetting DNS settings back to those provided by Internet Service Providers—removing unauthorized access without impacting normal device functionality or collecting user content information.

Officials encourage all users with SOHO devices to upgrade firmware regularly, verify DNS resolver authenticity in their settings, review firewall rules against unwanted remote management exposure, consult official documentation on proper configuration through manufacturer websites like TP-Link's download center, and check if their equipment is listed among end-of-life products requiring replacement.
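As an added illustration of the two checks recommended above (this is example code, not anything published by the Justice Department, the FBI or TP-Link), the following Python script compares a router's configured resolvers against the ISP-assigned ones and compares a login portal's DNS answers obtained via the router with those from an independent resolver. Every address, hostname and answer set in it is constructed sample data so it runs offline.

```python
"""Offline check for the two router DNS symptoms described above: resolver
addresses the ISP did not assign, and answers for a login portal that differ
between the router's resolver and an independent one. All data is constructed."""
from ipaddress import ip_address

# Constructed: resolvers the ISP assigned to this customer (from its documentation).
EXPECTED_RESOLVERS = {"203.0.113.53", "203.0.113.54"}
# Constructed: what the router's WAN/DHCP status page currently reports.
ROUTER_RESOLVERS = ["203.0.113.53", "198.51.100.7"]
# Constructed: A records for the same names, obtained via the router's resolver
# and via an independent resolver queried directly.
ROUTER_ANSWERS = {
    "owa.example-corp.test": {"198.51.100.40"},
    "www.example.test": {"192.0.2.10"},
}
TRUSTED_ANSWERS = {
    "owa.example-corp.test": {"192.0.2.80"},
    "www.example.test": {"192.0.2.10"},
}

def unexpected_resolvers(router_resolvers, expected):
    """Resolver addresses the router uses that are not on the expected list."""
    # Canonicalise (matters for IPv6 spellings) and reject non-addresses early.
    expected_norm = {str(ip_address(x)) for x in expected}
    return sorted(r for r in router_resolvers if str(ip_address(r)) not in expected_norm)

def divergent_names(router_answers, trusted_answers):
    """(name, router answers, trusted answers) for names whose answer sets differ."""
    out = []
    for name, trusted in trusted_answers.items():
        seen = router_answers.get(name, set())
        if seen != trusted:
            out.append((name, sorted(seen), sorted(trusted)))
    return out

def assess(router_resolvers, expected, router_answers, trusted_answers):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"router uses resolver {r} not assigned by the ISP"
                for r in unexpected_resolvers(router_resolvers, expected)]
    for name, seen, trusted in divergent_names(router_answers, trusted_answers):
        findings.append(f"{name}: {seen} via router, {trusted} via trusted resolver")
    return findings

if __name__ == "__main__":
    for finding in assess(ROUTER_RESOLVERS, EXPECTED_RESOLVERS, ROUTER_ANSWERS, TRUSTED_ANSWERS):
        print("FINDING:", finding)
```

CDN-hosted names legitimately answer differently per resolver and region, so treat a divergence as a lead to confirm against the service owner's published addresses rather than as proof of hijacking.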

The FBI is working with internet service providers nationwide to notify potentially affected users covered under this operation's authorization. Users suspecting compromise are urged to contact local FBI field offices or file reports with the Internet Crime Complaint Center.