The Justice Department on Tuesday announced that it had stopped Russia’s military intelligence agency from using hacked U.S. routers to maliciously redirect internet traffic and steal data from victims that include governments and critical infrastructure operators.
Operatives of the Russian GRU have spent several years breaking into TP-Link small office and home office (SOHO) routers around the world and reconfiguring them to send DNS requests through Kremlin-controlled servers, which allowed Moscow to collect internet traffic and even passwords, emails and other sensitive information from victim networks. In response, the FBI launched “Operation Masquerade,” sending commands to hacked routers that collected forensic data and reset their DNS settings to erase Russia’s foothold in the devices.
DOJ announced the operation hours after Microsoft revealed Russia’s abuse of SOHO routers. “For nation-state actors like Forest Blizzard,” Microsoft said, “DNS hijacking enables persistent, passive visibility and reconnaissance at scale.”
Microsoft said it had evidence that the GRU hacking group — which researchers have dubbed APT28, Fancy Bear and Forest Blizzard — had been breaking into SOHO routers since at least August 2025. Federal prosecutors said the campaign had been ongoing since at least 2024.
In some cases, Microsoft and the government said, Russia used its access to victim networks to conduct adversary-in-the-middle (AiTM) attacks on secure connections to the Outlook email platform. “An automated filtering process” helped Russia select potentially high-value DNS requests to intercept, federal prosecutors said.
Hijacking DNS traffic to spoof Outlook and other widely used online services “enables the interception of cloud-hosted content,” Microsoft said, “impacting numerous sectors including government, information technology (IT), telecommunications, and energy — all usual targets for this actor.” The company said it had observed the hackers stealing data from “at least three government organizations in Africa.”
Russia’s broad access to compromised routers could help it dramatically scale up its adversary-in-the-middle attacks, Microsoft researchers warned. “Targeting SOHO devices is not a new tactic, technique, or procedure (TTP) for Russian military intelligence actors, but this is the first time Microsoft has observed Forest Blizzard using DNS hijacking at scale to support AiTM of TLS connections after exploiting edge devices.”
The hackers could also use their access to routers for purposes other than information collection, Microsoft said, including delivering malware or conducting denial-of-service attacks. The company said it had not seen that activity so far.
Urgent recommendations to router owners
Businesses can avoid falling victim to similar attacks by upgrading their routers’ firmware, verifying their DNS settings, firewalling remote-management devices and replacing end-of-life equipment.
“Block known or malicious domains to prevent DNS-based attacks, and maintain detailed DNS logs to monitor, investigate, and gain insight into anomalous DNS traffic,” Microsoft said.
The U.K.’s National Cyber Security Centre also published an advisory about the hacking campaign with recommendations. “If you cannot move off out-of-date platforms and applications straight away,” the agency said, “there are short term steps you can take to improve your position.”
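A defender-side check in the spirit of the recommendations above (verify DNS settings, keep DNS logs, look for anomalous DNS traffic), added here as an example that is not part of this article or of any vendor's tooling: it parses constructed DNS-egress log lines in an assumed layout, flags every upstream resolver outside an assumed approved list, and marks resolvers that received queries for cloud mail and login domains, the kind of requests the article says were selected for interception.

```python
"""Audit outbound DNS records for resolvers outside the approved list: a
router whose DNS settings were rewritten shows up as LAN clients suddenly
sending queries to an unexpected upstream resolver."""
from collections import defaultdict
import ipaddress
import re

# Constructed sample: one line per outbound DNS query seen at the network
# edge, in an assumed "<time> src=<client> dst=<resolver> q=<name>" layout.
SAMPLE_LOG = """\
2026-01-14T09:00:01Z src=192.168.1.20 dst=1.1.1.1 q=outlook.office.com
2026-01-14T09:00:02Z src=192.168.1.20 dst=10.0.0.53 q=intranet.example.test
2026-01-14T09:00:05Z src=192.168.1.31 dst=203.0.113.77 q=outlook.office.com
2026-01-14T09:00:06Z src=192.168.1.31 dst=203.0.113.77 q=www.example.test
2026-01-14T09:00:09Z src=192.168.1.40 dst=203.0.113.77 q=login.microsoftonline.com
malformed line that the parser must skip
"""

# Assumed policy (constructed): two public resolvers plus an internal resolver subnet.
APPROVED_RESOLVERS = ["1.1.1.1/32", "8.8.8.8/32", "10.0.0.0/24"]
# Cloud mail/login domains whose hijack enables adversary-in-the-middle against users.
HIGH_VALUE_SUFFIXES = (".office.com", ".microsoftonline.com")

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+q=(?P<name>\S+)")


def parse_dns_log(text):
    """Yield (client, resolver, query_name) tuples; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("name").lower()


def find_unapproved_resolvers(text, approved=APPROVED_RESOLVERS):
    """Return {resolver: {"clients", "names", "high_value"}} for every resolver
    outside the approved networks; high_value marks cloud mail/login lookups."""
    nets = [ipaddress.ip_network(a) for a in approved]
    findings = defaultdict(lambda: {"clients": set(), "names": set(), "high_value": False})
    for client, resolver, name in parse_dns_log(text):
        try:
            ip = ipaddress.ip_address(resolver)
        except ValueError:
            continue  # not an IP literal; nothing to compare against the policy
        if any(ip in net for net in nets):
            continue  # approved resolver, nothing to report
        f = findings[resolver]
        f["clients"].add(client)
        f["names"].add(name)
        if name.endswith(HIGH_VALUE_SUFFIXES):
            f["high_value"] = True
    return dict(findings)
```

Run against real logs, a resolver that appears with several clients and high-value names is the signal to pull the affected router's configuration and compare it with the expected DNS settings.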
Ramping up cyber deterrence efforts
Operation Masquerade is the latest in a yearslong series of FBI operations to kick foreign government hackers off U.S. routers. The FBI has described those operations as part of its increasingly aggressive strategy of combating malicious cyber activity.
“Given the scale of this threat, sounding the alarm wasn’t enough,” Brett Leatherman, the head of the FBI’s Cyber Division, said in a statement about the government’s operation. “The FBI will continue to use its authorities to identify and impose costs on state-sponsored actors who target the American people.”