A court-approved cyber crackdown has dismantled Russian espionage servers exploiting router firmware flaws to steal credentials from users across 120 countries.
In a sweeping international cyber crackdown this week, the US and UK have disrupted a Russian military intelligence campaign that has so far hijacked tens of thousands of home and small-office routers worldwide to steal sensitive credentials and governmental data.
The US Justice Department has said the court-approved action, known as Operation Masquerade, targeted servers and routers deployed by Russia’s Main Intelligence Directorate (GRU), specifically its Military Unit 26165 — the hacking outfit commonly referred to as APT28, Fancy Bear, or Forest Blizzard. Working from the Eastern District of Pennsylvania, the Federal Bureau of Investigation (https://www.ic3.gov/PSA/2026/PSA260407FBI) executed commands on compromised US-based TP-Link routers to collect forensic data, reset hijacked DNS configurations, and sever unauthorized access without altering device owners’ content.
Investigations reveal that, since 2024, APT28 had exploited known router flaws to redirect user traffic through attacker-controlled servers, enabling interception of plaintext credentials, authentication tokens, and Microsoft Office 365 logins. Microsoft’s threat researchers have attributed the campaign to GRU-linked espionage interests targeting over 200 entities and thousands of consumer devices — including government, defense, energy, and telecommunications networks across nearly 120 countries.
Britain’s National Cyber Security Centre (NCSC) has corroborated the findings, stating that APT28 expanded its tactics into 2026 by using both TP-Link and MikroTik routers as malicious DNS resolvers through leased virtual private servers. NCSC analysts have categorized the activity as “opportunistic”, indicating an initial broad targeting strategy narrowed later to high-value intelligence priorities.
Officials emphasized the global scale of cooperation underpinning the takedown. The FBI said the operation involved partners from more than 15 nations, aided by private-sector intelligence professionals. Special Agent Ted E Docks noted in an official statement: “The GRU hijacked routers belonging to unsuspecting users in over 23 US states, turning them into espionage platforms.”
Authorities have urged users to update router firmware and change passwords, noting that restored devices could again be misused if factory resets reverse the FBI’s remediation steps.
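The hijack described above works by changing where a router sends DNS queries, so the practical check after a firmware update, password change or factory reset is to confirm the resolver path is what you expect. The script below is an added example, not code from the article, the FBI or any vendor: it audits two hops of that path, the resolvers a LAN client receives via DHCP and the upstream resolvers configured on the router itself, and flags any that are neither the gateway nor on an owner-maintained allowlist. The DHCP lease and the router's `dns.primary`/`dns.secondary` key=value export are constructed sample inputs (the router export format is hypothetical; real devices expose this through their admin page or CLI), and `LAN_NETWORK`, `TRUSTED_RESOLVERS` and the address `203.0.113.45` are assumptions for the demonstration.

```python
import ipaddress
from typing import Dict, List

# Constructed sample inputs (not from the article or any real device).
# 1) A DHCP lease as a LAN client sees it: the router advertises itself as resolver,
#    so the client's view alone looks harmless.
SAMPLE_LEASE = """\
lease {
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1;
}
"""

# 2) A hypothetical key=value export of the router's WAN/upstream DNS settings.
#    An upstream change is where a hijack hides when clients still see only the gateway.
#    203.0.113.45 is a placeholder from the documentation range, standing in for an
#    unknown external resolver.
SAMPLE_ROUTER_CONFIG = """\
wan.proto=dhcp
dns.override=1
dns.primary=203.0.113.45
dns.secondary=1.1.1.1
"""

# Assumed known-good state: the LAN the gateway lives on, and the public
# resolvers the owner deliberately configured. Adjust both for your network.
LAN_NETWORK = ipaddress.ip_network("192.168.1.0/24")
TRUSTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}


def parse_dhcp_dns(lease_text: str) -> List[str]:
    """Return the resolver list from a dhclient-style lease block."""
    prefix = "option domain-name-servers"
    for raw in lease_text.splitlines():
        line = raw.strip().rstrip(";")
        if line.startswith(prefix):
            return [s.strip() for s in line[len(prefix):].split(",") if s.strip()]
    return []


def parse_router_upstream(config_text: str) -> List[str]:
    """Return upstream resolvers from the hypothetical dns.primary/dns.secondary keys."""
    found: Dict[str, str] = {}
    for raw in config_text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep and key in ("dns.primary", "dns.secondary") and value:
            found[key] = value
    return [found[k] for k in ("dns.primary", "dns.secondary") if k in found]


def classify(addr: str) -> str:
    """lan: the gateway's own subnet; trusted: on the allowlist; unexpected: anything else."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unexpected"  # not even an IP address: treat as a finding
    if ip in LAN_NETWORK:
        return "lan"
    if addr in TRUSTED_RESOLVERS:
        return "trusted"
    return "unexpected"


def audit(lease_text: str, config_text: str) -> Dict[str, object]:
    """Check both hops of the resolution path and flag unknown resolvers."""
    client = parse_dhcp_dns(lease_text)
    upstream = parse_router_upstream(config_text)
    verdicts = {a: classify(a) for a in client + upstream}
    unexpected = [a for a, v in verdicts.items() if v == "unexpected"]
    # A client that resolves via the gateway inherits whatever the gateway forwards to,
    # so an unexpected upstream is a finding even when the client's view looks clean.
    return {"client": client, "upstream": upstream, "verdicts": verdicts,
            "unexpected": unexpected, "alert": bool(unexpected)}


if __name__ == "__main__":
    report = audit(SAMPLE_LEASE, SAMPLE_ROUTER_CONFIG)
    for addr, verdict in report["verdicts"].items():
        print(f"{addr:>16}  {verdict}")
    print("ALERT: unexpected upstream resolver(s):",
          report["unexpected"] if report["alert"] else "none")
```

Run it against an export taken before and after remediation: the sample reports the gateway as `lan`, `1.1.1.1` as `trusted` and raises an alert for the unknown primary upstream, which is exactly the condition a factory reset that reverts to attacker-set values would recreate. Pair it with the firmware update and password change the article recommends, since the check only tells you the resolver path is clean, not that the underlying flaw is closed.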
As threats from Russian cyber units remain entrenched, US and UK officials warn that similar infrastructure-level interceptions could enable future malware campaigns or denial-of-service operations even after the dismantling of this GRU network.