Russian Spies Used Americans’ Routers to Intercept Data - FBI Just Cut Them Off
By Ben Smith

The Justice Department and FBI said Tuesday they carried out a court-authorized operation to shut down a Russian military intelligence network that had been using compromised internet routers inside the United States as a platform to intercept sensitive data.
Officials tied the activity to GRU Unit 26165, also known as APT28, which exploited known vulnerabilities in widely used routers and altered their settings to redirect internet traffic through infrastructure it controlled. That access did not depend on hacking individual computers. By taking over the router, operators placed themselves in the path of the data and monitored traffic moving across the network to decide what to extract.
For selected targets, the network returned fraudulent DNS records that mimicked legitimate login services, including Microsoft Outlook Web Access, to capture passwords, authentication tokens, and email data.
FBI officials said the scale forced a direct response.
Today the FBI and @TheJusticeDept announced Operation Masquerade, a court-authorized technical disruption of Russian GRU infrastructure used to steal government, military, and critical infrastructure information.
— FBI Cyber Division (@FBICyberDiv) April 7, 2026
Since at least 2024, a cyber unit within Russian military… pic.twitter.com/r8LWbZrfQs
“Cyber actors linked to Russian military intelligence conducted a DNS hijacking campaign. These actors compromised routers and redirected traffic from connected devices to GRU-controlled infrastructure… The GRU compromised a vast number of household routers in the U.S. and around the world, as well as those used by small and medium-sized businesses to access high-value intelligence targets.
Given the scale of this campaign, we needed to act. The FBI developed and executed a court-authorized technical operation to harden compromised routers across the United States… Commands reverted manipulated DNS settings, collected evidence, cut off GRU access to compromised U.S. devices, and prevented re-exploitation.”
Officials said the court-approved commands confirmed how the network operated while avoiding the collection of user content. The campaign dates back to at least 2024, when GRU-linked actors began exploiting small office and home office routers, often targeting devices that had not been updated or were no longer supported.
Investigators said the actors first compromised routers at scale, then filtered traffic moving through those devices to identify government, military, and infrastructure targets.
That filtering narrowed the operation from broad access to targeted collection without direct control of the end device.
“Without FBI intervention, the GRU would have continued intercepting encrypted traffic and stealing sensitive information, including emails, passwords, and authentication tokens… Russia’s cyber program is an enduring threat, and the FBI works with our partners every day to disrupt their operations and support victims across the country.”
The operation did not involve seizing devices, and users can reverse the changes by restoring factory settings or manually resetting the router's configuration.
Compromised routers were identified in at least 23 states, part of a network that extended beyond the United States and supported a broader intelligence effort.
“The GRU’s predatory use of networks in American homes and businesses for its malicious cyber operations remains a serious and persistent threat… we will continue to use every tool at our disposal to detect such intrusions and expel hostile foreign actors from our nation’s networks.”
Alongside the disruption, federal agencies released guidance outlining how the campaign worked and what steps users should take to secure their devices. The DOJ says the fixes are basic and tied to how the intrusion worked: update firmware, verify DNS settings, disable remote access where it is not needed, and replace unsupported devices.
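The "verify DNS settings" step is the one a user can actually test from a laptop behind the router. The script below is an added example written for this article; it is not code from the FBI, DOJ, or the published guidance. It parses the resolver list a host received from the router, flags any resolver that is neither a trusted address nor a LAN address, and then cross-checks the answers for a login hostname against a reference resolver, since a router whose upstream DNS was changed still hands out its own LAN address as the resolver and only betrays itself in the answers. All addresses and the hostname `mail.example.org` are constructed placeholders in documentation ranges; `TRUSTED_RESOLVERS` is an assumed value the operator would replace with their ISP's or chosen public resolver.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample of a resolv.conf as a host behind a home router might
# have it: the router itself (192.168.1.1) plus a public resolver that no
# one configured on purpose. 203.0.113.0/24 is a documentation range.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager (constructed sample)
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.77
"""

# Assumed value: the resolver(s) the operator expects to see.
TRUSTED_RESOLVERS: Set[str] = {"198.51.100.53"}

# Hostnames worth cross-checking: the kind of login portal the campaign
# spoofed. "mail.example.org" is a placeholder, not a real service.
LOGIN_HOSTS = ["mail.example.org"]

# RFC 1918, loopback and link-local: a resolver here is the router or the
# host itself forwarding upstream, which is normal on a home network.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

Resolver = Callable[[str], List[str]]


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Extract nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for raw in resolv_conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolvers(servers: List[str], trusted: Set[str]) -> Dict[str, str]:
    """Label each resolver: trusted, local (LAN forwarder), unexpected, or invalid."""
    labels = {}
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            labels[s] = "invalid"
            continue
        if s in trusted:
            labels[s] = "trusted"
        elif any(ip in net for net in LAN_NETWORKS):
            labels[s] = "local"  # the router's own upstream is only visible in answers
        else:
            labels[s] = "unexpected"
    return labels


def compare_answers(hosts: List[str], configured: Resolver, reference: Resolver
                    ) -> Dict[str, Tuple[List[str], List[str]]]:
    """Return hosts whose A records differ between the configured path and a reference."""
    mismatches = {}
    for h in hosts:
        got, want = sorted(set(configured(h))), sorted(set(reference(h)))
        if got != want:
            mismatches[h] = (got, want)
    return mismatches


def system_resolver(host: str) -> List[str]:
    """Resolve through whatever the OS is configured to use (needs network access)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, 443, socket.AF_INET)})


# Constructed answer tables so the check runs offline: the configured path
# returns an address in the same block as the unexpected resolver, while the
# reference resolver returns the address the service is known to use.
CONFIGURED_ANSWERS = {"mail.example.org": ["203.0.113.80"]}
REFERENCE_ANSWERS = {"mail.example.org": ["198.51.100.10"]}


def audit(resolv_conf: str, trusted: Set[str], hosts: List[str],
          configured: Resolver, reference: Resolver) -> List[str]:
    """Return a list of findings; an empty list means nothing looked hijacked."""
    findings = []
    for server, label in classify_resolvers(parse_nameservers(resolv_conf), trusted).items():
        if label in ("unexpected", "invalid"):
            findings.append(f"resolver {server} is {label}")
    for host, (got, want) in compare_answers(hosts, configured, reference).items():
        findings.append(f"{host}: configured path returned {got}, reference returned {want}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESOLV_CONF, TRUSTED_RESOLVERS, LOGIN_HOSTS,
                         CONFIGURED_ANSWERS.__getitem__, REFERENCE_ANSWERS.__getitem__):
        print("FINDING:", finding)
```

On a real host, `system_resolver` takes the place of the constructed `CONFIGURED_ANSWERS` lookup, and a query sent explicitly to a resolver in `TRUSTED_RESOLVERS` takes the place of `REFERENCE_ANSWERS`. A mismatch on a login hostname, or a public resolver address you never configured, is the cue to follow the rest of the guidance: reset the router's DNS settings, update its firmware, and disable remote administration.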
That focus on routers is not new. Federal regulators have warned that compromised network hardware can serve as an entry point into larger systems, including campaigns targeting U.S. infrastructure, because routers sit between users and the internet and handle traffic for every connected device on a network.
The FBI cut off that access inside the United States, removing the pathway the GRU relied on to move traffic through compromised routers.
Any router left unpatched can still be used the same way.
