The U.S. Department of Justice, FBI, National Security Agency and international partners announced the disruption of a network of small-office and home-office routers used for malicious hijacking operations, according to an April 7 press release from the NSA.
The covert campaign hit more than 200 organizations and about 5,000 home devices across more than 23 states, MassLive previously reported.
The Russian GRU’s 85th Main Special Service Center — a cyber group also known as APT28, Fancy Bear and Forest Blizzard — has been exploiting vulnerable routers globally since at least 2024.
Under a court order, an FBI Boston-led effort called Operation Masquerade sent commands directly to the compromised routers to sever Russian access and reset the devices to normal without collecting personal data.
While the immediate threat was neutralized, federal officials caution that the fix is not permanent unless property owners update their hardware.
“Now we’re asking everyone who has a router to secure it, update its firmware, and replace it if needed,” Ted Docks, special agent in charge of FBI Boston, said in a statement obtained by MassLive.
The GRU cyber actors targeted vulnerable edge devices, particularly TP-Link routers, to alter domain name system settings, according to a joint public service announcement released by the FBI and 15 international intelligence partners.
By forcing connected laptops and phones to inherit these modified settings, hackers transparently routed user traffic through actor-controlled infrastructure.
The operation allowed the hackers to return fraudulent DNS answers for specific domains, including Microsoft Outlook Web Access, to launch adversary-in-the-middle attacks.
These attacks enabled the Russian government to harvest passwords, authentication tokens and sensitive emails — data normally protected by encryption — when users bypassed web browser certificate warnings.
According to the federal guidance, device owners should immediately change default usernames and passwords, disable remote management interfaces reachable from the internet and update to the latest firmware versions.
Further, security officials warn that older equipment no longer supported by manufacturer software updates must be replaced to reduce the attack surface.
Organizations that allow remote work are also urged to review policies regarding employee access to sensitive data via virtual private networks.
If users suspect their network has been targeted or compromised by the Russian GRU intrusion, authorities recommend reporting the activity directly to a local FBI field office or filing a formal complaint with the Internet Crime Complaint Center.
© 2026 Advance Local Media LLC. Distributed by Tribune Content Agency, LLC.