A large-scale network of internet routers compromised by Russian hacking group APT28 to harvest credentials from victims of intelligence value has been taken down in the US.
The US Department of Justice (DoJ) announced on April 7 that it had teamed up with the FBI to neutralize the US portion of the domain name system (DNS) hijacking network, which spanned more than 23 US states.
The scheme was also detailed on April 7 in reports by both the UK’s National Cyber Security Centre (NCSC) and Microsoft Threat Intelligence.
In several campaigns dating back to 2024, APT28 has been exploiting vulnerabilities in small office/home office (SOHO) routers – and especially TP-Link routers – to redirect traffic through attacker-controlled DNS servers and steal credentials from targeted organizations.
Both the UK and US government agencies attributed APT28 to Russia’s Main Intelligence Directorate of the General Staff (GRU) Military Unit 26165.
David Metcalf, the US Attorney for the Eastern District of Pennsylvania, said: “Russian military intelligence once again hijacked Americans’ hardware to commandeer critical data. In the face of continued aggression by our nation-state adversaries, the US government will respond just as aggressively.”
Operation Masquerade: Hijacking the DNS Hijacking Network
The US effort, dubbed “Operation Masquerade,” was led by FBI Boston after authorization by a court.
As described in court documents unsealed in the Eastern District of Pennsylvania, the FBI developed a series of commands to send to US-based routers compromised by APT28.
These commands were designed to collect evidence regarding the threat group’s activity, to reset DNS settings – removing the DNS resolvers installed by APT28 and forcing the routers to obtain legitimate DNS resolvers from their internet service providers (ISPs) – and to prevent the hackers from exploiting the original means of unauthorized access.
After testing the operation “extensively” on firmware and hardware for affected TP-Link routers, the DoJ confirmed it did not impact the routers’ normal functionality or collect the legitimate users’ content information.
“The court-authorized steps to remediate compromised routers can be reversed by legitimate users at any time through factory resets with hardware reset buttons,” said the DoJ statement.
“Legitimate users can also reverse changes by logging into web management pages and restoring desired settings (e.g., factory default settings).”
The FBI is now working with ISPs to provide notice of the operation to users of SOHO routers covered by the court’s authorization.
Operation Masquerade involved several agencies, including the Philadelphia Field Offices and Cyber Division, the US Attorney’s Office for the Eastern District of Pennsylvania and the National Security Division’s National Security Cyber.
It also benefited from the collaboration of several private-sector partners, including Lumen’s Black Lotus Labs, Microsoft Threat Intelligence and the MIT Lincoln Laboratory.
Brett Leatherman, Assistant Director of the FBI’s Cyber Division, commented: “GRU actors compromised routers in the US and around the world, hijacking them to conduct espionage. Given the scale of this threat, sounding the alarm wasn't enough.”
John A. Eisenberg, Assistant Attorney General for National Security, called the Russian campaign “a serious and persistent threat” and said his department will “continue to use every tool at our disposal to detect such intrusions and expel hostile foreign actors from our nation’s networks.”
SOHO Router Users Urged to Remediate the Threat
The DoJ urged users who believe they have a compromised router to contact their local FBI field office or file a report with the FBI’s Internet Crime Complaint Center (IC3).
They are also advised to take the following steps:
- Replace outdated routers: check if your router is on the manufacturer’s end-of-life or end-of-support list and upgrade if needed
- Update router firmware: download and install the latest firmware from the official router brand’s website
- Verify DNS settings: ensure your router’s DNS resolvers are legitimate
- Secure remote access: disable or restrict remote management features unless absolutely necessary
- Follow official guidance: review TP-Link’s (or your router brand’s) security documentation for proper setup
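One host-side check for the “Verify DNS settings” step, added here as an example and not part of the article or the DoJ guidance: it builds a raw DNS A query, sends it to a chosen resolver, and flags the case where the router-assigned resolver’s answers do not overlap at all with those of a reference resolver you trust. The domain, the addresses and the sample response are constructed placeholders.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Build a minimal DNS A query (RD=1) for `name`."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(buf, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_a_records(resp):
    """Return the set of IPv4 addresses in the answer section."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs

def query(server, name, timeout=3.0):
    """Send the query to `server` over UDP/53 and return its A record set."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_a_records(s.recvfrom(4096)[0])

def hijack_suspected(router_answers, reference_answers):
    """Flag only a fully disjoint answer set; CDNs rotate addresses, so partial overlap is normal."""
    return bool(router_answers) and router_answers.isdisjoint(reference_answers)

# Constructed response: example.com -> 192.0.2.1 (documentation address); answer name is a pointer to offset 12.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

Compare `query(<router LAN address>, "example.com")` with the same query against a resolver you trust; a disjoint result is a prompt to open the router’s management page and inspect its upstream DNS setting, which a host-side resolver list alone cannot show.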
“We urge all router owners to take the remediation steps outlined today, because defending our networks requires all of us,” said the FBI’s Leatherman.
