
DOJ and FBI Dismantle Russian GRU DNS Hijacking Network on Thousands of U.S. Routers

The FBI's "Operation Masquerade" dismantled GRU Unit 26165's network of hijacked U.S. routers used to steal passwords and emails from American homes and businesses.

By Sarah Chen

Source: industrialcyber.co

The FBI called it "Operation Masquerade," and the name was fitting. Russia's Main Intelligence Directorate had been silently redirecting internet traffic through thousands of compromised American routers, impersonating services like Microsoft Outlook Web Access to harvest passwords, authentication tokens, and emails from targets who had no indication their own hardware had been turned into a surveillance tool.

The Justice Department and FBI announced on April 7 that a court-authorized technical operation had severed control of the network, which was run by GRU Military Unit 26165. The operation targeted small-office and home-office routers, thousands of which had been compromised through known vulnerabilities, with TP-Link devices specifically identified in the Justice Department's account of the campaign.

The GRU's method was systematic. After exploiting router vulnerabilities and stealing device credentials, Unit 26165 operatives changed the routers' DNS settings so that client traffic was resolved by servers under their control. That gave them the ability to inspect and filter traffic at the network edge, identify high-value targets from what was initially broad and indiscriminate surveillance, and then serve fraudulent DNS records to a selected subset of victims. For those targets, traffic to legitimate services was quietly intercepted, credentials captured, and communications exposed.

FBI Cyber Division Assistant Director Brett Leatherman said the operation "demonstrates the FBI's commitment to identifying, exposing and disrupting Russian efforts to compromise American devices and target critical infrastructure." Assistant Attorney General for National Security John A. Eisenberg characterized the GRU's approach as a persistent threat, saying the unit's "predatory use of networks in American homes and businesses for its malicious cyber operations remains a serious and persistent threat." U.S. Attorney David Metcalf of the Eastern District of Pennsylvania was more direct: "Russian military intelligence once again hijacked Americans' hardware to commandeer critical data."


The DOJ's action disrupted the U.S. portion of the infrastructure and severed GRU-controlled resolvers that had enabled the campaign, though it did not claim to remediate every compromised device globally. The operation involved coordination with international partners targeting routers in the United States and abroad, combining court orders, technical measures such as sinkholing malicious resolvers, and cross-border cooperation to sever adversary control channels while limiting collateral disruption.

Security experts have long flagged consumer router DNS hijacking as an attractive espionage vector precisely because it allows persistent interception at the network edge without directly compromising target endpoint devices, making detection significantly harder. The technique can also undermine TLS trust, tricking devices into revealing credentials they would otherwise protect.
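The two signals a defender can check for the technique described above are (1) whether a router is handing out resolvers it should not, and (2) whether answers from the router's resolver for sensitive hostnames agree with an independent, trusted resolver. The following script is an added example, not code from the article, the FBI, or any vendor; every address, hostname and resolver list in it is constructed sample data, and the "expected resolver" set is an assumption a network owner would fill in from their ISP or chosen public resolvers.

```python
"""Offline checks for router-level DNS hijacking (added example, constructed data).

Check 1: configured upstream resolvers vs. an allow-list of expected resolvers.
Check 2: A-record answers from the router's resolver vs. a trusted resolver.
In practice the inputs come from the router's admin page or DHCP lease (check 1)
and from two DNS lookups per hostname (check 2); here they are embedded so the
script runs without network access.
"""
import ipaddress
from typing import Dict, Iterable, List, Set

# Assumed allow-list: an ISP resolver pair and two public resolvers (constructed
# except for the well-known 1.1.1.1 and 8.8.8.8 addresses).
EXPECTED_RESOLVERS: Set[str] = {"203.0.113.53", "203.0.113.54", "1.1.1.1", "8.8.8.8"}

# Constructed sample: what a router currently advertises to its LAN clients.
SAMPLE_CONFIGURED: List[str] = ["203.0.113.53", "198.51.100.7"]

# Constructed sample: answers obtained through the router's resolver ...
SAMPLE_ROUTER_VIEW: Dict[str, Set[str]] = {
    "mail.example.com": {"198.51.100.9"},   # points somewhere unexpected
    "www.example.com": {"192.0.2.20"},
}
# ... and the same lookups through an independent, trusted resolver.
SAMPLE_TRUSTED_VIEW: Dict[str, Set[str]] = {
    "mail.example.com": {"192.0.2.10", "192.0.2.11"},
    "www.example.com": {"192.0.2.20"},
}


def unexpected_resolvers(configured: Iterable[str],
                         expected: Set[str] = EXPECTED_RESOLVERS) -> List[str]:
    """Return configured resolver entries that are not on the allow-list.

    Entries that are not valid IP addresses are returned as-is: a garbled
    resolver field is itself worth a look.
    """
    flagged: List[str] = []
    for entry in configured:
        try:
            ip = ipaddress.ip_address(entry.strip())
        except ValueError:
            flagged.append(entry)
            continue
        if str(ip) not in expected:
            flagged.append(str(ip))
    return flagged


def divergent_answers(router_view: Dict[str, Set[str]],
                      trusted_view: Dict[str, Set[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Flag hostnames whose router-resolved addresses share nothing with the
    trusted resolver's answers.

    The test is "no overlap", not "any difference": CDN-hosted names legitimately
    return different address subsets per query, so a partial match is normal,
    while a completely disjoint answer set for a login portal is the pattern
    a redirecting resolver produces.
    """
    findings: Dict[str, Dict[str, List[str]]] = {}
    for host, trusted in trusted_view.items():
        seen = router_view.get(host, set())
        if not (seen & trusted):
            findings[host] = {"router": sorted(seen), "trusted": sorted(trusted)}
    return findings


def assess(configured: Iterable[str], router_view: Dict[str, Set[str]],
           trusted_view: Dict[str, Set[str]]) -> Dict[str, object]:
    """Combine both checks into one report; 'suspicious' is True if either fires."""
    bad_resolvers = unexpected_resolvers(configured)
    divergent = divergent_answers(router_view, trusted_view)
    return {
        "unexpected_resolvers": bad_resolvers,
        "divergent_hosts": divergent,
        "suspicious": bool(bad_resolvers or divergent),
    }


if __name__ == "__main__":
    report = assess(SAMPLE_CONFIGURED, SAMPLE_ROUTER_VIEW, SAMPLE_TRUSTED_VIEW)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real network the configured resolvers are read from the router's DNS/DHCP settings and the trusted view comes from querying a resolver that the router cannot influence (for example over an encrypted DNS transport or from a host on a different network); a divergent answer for a mail or login hostname is the cue to treat the router as compromised and follow the firmware and credential guidance below.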

The Justice Department urged owners of small-office and home-office routers to update firmware, change default credentials, and follow vendor security advisories. The bulletin reinforces prior U.S. agency warnings about Unit 26165, which has been linked to a long-running series of cyber espionage campaigns. The episode is likely to sharpen policy discussions around supply-chain security for consumer networking hardware and may accelerate international coordination on defending shared DNS and routing infrastructure against state-sponsored exploitation.
