Your home router may have been feeding data to Russian military intelligence. A court-authorized federal operation called Operation Masquerade, announced April 7, 2026, dismantled part of a network run by the GRU unit known as APT28, also called Fancy Bear and Forest Blizzard. The group had quietly hijacked thousands of routers across more than 23 states, redirecting traffic through servers it controlled and harvesting login credentials without victims knowing.
This article was created with the assistance of AI and reviewed by our editorial team for accuracy and clarity.
APT28, the same GRU unit responsible for the 2016 Democratic National Committee hack and repeated attacks on NATO members, ran this operation with patience. Exploiting unpatched firmware and factory-default passwords that most users never change, the group worked its way into small office and home office routers globally. At its peak in December 2025, more than 18,000 routers across at least 120 countries were feeding data to GRU-controlled servers.
The attack used a technique called DNS hijacking. Every time a device on the network visited a website, its DNS lookup passed through the router first. APT28 modified the routers’ DNS settings so those lookups were answered by GRU-controlled servers instead of legitimate ones. The result: GRU operators could see unencrypted traffic. According to a Microsoft Threat Intelligence report, DNS hijacking gave APT28 “persistent, passive visibility and reconnaissance at scale” across thousands of compromised households and organizations.
The scale inside the United States was significant. Microsoft identified more than 200 organizations and at least 5,000 consumer devices affected. The NSA confirmed the operation targeted people connected to military, government, and critical infrastructure sectors. Confirmed targets spanned the U.S., Czech Republic, Italy, Lithuania, Poland, Ukraine, and the UAE. APT28 filtered its broad pool of hijacked devices down to those of specific intelligence value, running an automated process to identify DNS queries worth intercepting.
The UK’s National Cyber Security Centre identified 23 TP-Link router models as specifically targeted, while noting the list is likely incomplete.
The FBI’s announcement focused on one model: the TP-Link TL-WR841N, a Wi-Fi 4 device first released in 2007. A TP-Link Systems spokesperson confirmed to CNET that all affected models had reached end-of-service status years ago. The company said it developed security patches for select legacy models, but strongly urged users with these devices to replace them.
Federal authorities obtained court authorization to send commands directly to compromised routers in the U.S., resetting DNS settings and cutting off GRU access. According to the DOJ announcement, the operation was tested extensively on affected hardware before deployment and did not disrupt normal router function or collect users’ data. However, the technical reset only removed the GRU’s access point. The deeper weaknesses behind the compromise remain on the devices themselves, and fixing them falls to the users who own them.
Security experts say the risk is structural. According to Rik Ferguson, vice president of security intelligence at Forescout, the router holds a uniquely powerful position in any network: “All of your communication, all of your traffic, has to pass through that device.” The longer a router goes without updates, the wider the opening. Daniel Dos Santos, vice president of research at the same firm, told CNET there is “a big trend of exploiting routers these days,” covering both consumer and enterprise devices equally.
The NSA and FBI jointly outlined five protective steps: replace outdated routers no longer receiving security updates; update firmware regularly or enable automatic updates; reboot the router, along with phones and computers, at least once a week; change both the router’s admin credentials and the Wi-Fi password, rotating the latter every six months; and disable remote management, which attackers commonly exploit to alter device settings without the owner’s knowledge. Each step addresses a specific vulnerability APT28 used in this operation.
Among the five recommended steps, changing default credentials is the one most users skip, and the one attackers count on. According to Ferguson, there is “a whole underground economy” built on harvested credentials, sourced through direct attacks or purchased from other breaches. Factory-set usernames and passwords are publicly documented, making them trivially easy to test at scale. The FBI also specifically recommended using a VPN for any remote workers accessing sensitive data, as encrypted traffic limits what DNS hijacking can capture.
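The DNS redirection described above and four of the five NSA/FBI steps can be checked against a router’s configuration. The following is an added example, not code from the article or from any vendor; the configuration snapshot is constructed, the field names and trusted-resolver set are assumptions, and the weekly reboot step is not auditable from a static config.

```python
"""Audit a router configuration snapshot against the NSA/FBI hardening steps."""
from datetime import date

# Constructed sample snapshot (not real device output); field names are assumptions.
SAMPLE_CONFIG = {
    "model": "TL-WR841N",
    "firmware_supported": False,                 # vendor end-of-service
    "admin_user": "admin",
    "admin_password": "admin",
    "remote_management": True,
    "dns_servers": ["203.0.113.77", "8.8.8.8"],  # TEST-NET-3 address stands in for a rogue resolver
    "wifi_password_changed": date(2025, 6, 1),
}

# Resolvers the owner intends to use (assumption: ISP/DHCP-supplied or chosen public ones).
TRUSTED_DNS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}
# A few factory-default logins used for illustration; real lists are vendor-specific.
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("admin", "")}
WIFI_ROTATION_DAYS = 180  # "rotate the Wi-Fi password every six months"


def audit_router(cfg, today, trusted_dns=TRUSTED_DNS):
    """Return a list of (step, detail) findings; an empty list means no issue was found."""
    findings = []
    # Step 1: replace routers that no longer receive security updates.
    if not cfg.get("firmware_supported", False):
        findings.append(("replace", f"{cfg.get('model')} no longer receives security updates"))
    # DNS hijacking check: any resolver outside the trusted set is suspicious.
    rogue = [d for d in cfg.get("dns_servers", []) if d not in trusted_dns]
    if rogue:
        findings.append(("dns", "unexpected DNS resolver(s) configured: " + ", ".join(rogue)))
    # Step 4a: admin credentials must not be a factory default.
    if (cfg.get("admin_user"), cfg.get("admin_password")) in DEFAULT_CREDS:
        findings.append(("credentials", "router admin login is a factory default"))
    # Step 4b: Wi-Fi password older than six months should be rotated.
    age = (today - cfg["wifi_password_changed"]).days
    if age > WIFI_ROTATION_DAYS:
        findings.append(("credentials", f"Wi-Fi password is {age} days old (limit {WIFI_ROTATION_DAYS})"))
    # Step 5: remote (WAN-side) management should be disabled.
    if cfg.get("remote_management"):
        findings.append(("remote_management", "remote management is enabled"))
    return findings


if __name__ == "__main__":
    for step, detail in audit_router(SAMPLE_CONFIG, date(2026, 4, 7)):
        print(f"[{step}] {detail}")
```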
The federal operation severed APT28’s access to thousands of compromised devices. It did not replace a single outdated router, update a single firmware version, or change a single default password. The FBI’s Internet Crime Complaint Center is available for users who believe their devices were affected. The five steps outlined by the NSA and FBI are not advice meant only for IT professionals. For anyone running a router no longer receiving security patches, they represent the minimum necessary response to an active and documented threat.