Operation Masquerade: How US Authorities Neutralized a Massive Russian DNS Hijacking Campaign

In a decisive counter-cyber operation, United States law enforcement has successfully dismantled a significant portion of a sophisticated DNS hijacking network controlled by Russian military intelligence hackers. This campaign, attributed to the notorious group APT28, had compromised thousands of internet routers across more than 23 states, turning them into tools for credential theft and espionage.

The Anatomy of a Router Hijack

For months, the threat actors, linked to Russia’s GRU Military Unit 26165, exploited vulnerabilities in common small office and home office (SOHO) routers. Building on this, they specifically targeted devices from manufacturers like TP-Link. Their method was insidious: by gaining control, they could redirect a user’s internet traffic through malicious servers. This process, known as DNS hijacking, allowed them to intercept login credentials and sensitive data from targeted organizations without the victims’ knowledge.

A Coordinated Transatlantic Response

Therefore, the discovery of this campaign triggered a coordinated response. On April 7, the US Department of Justice and the FBI announced their operation, dubbed “Operation Masquerade,” simultaneously with detailed advisories from the UK’s National Cyber Security Centre and Microsoft Threat Intelligence. This rare public alignment underscored the scale and seriousness of the threat posed by the DNS hijacking network.

Operation Masquerade: A Surgical Takedown

Authorized by a federal court, the FBI’s operation was both technical and precise. Consequently, agents developed and deployed a series of commands to the compromised routers located within the United States. These commands served a triple purpose: to gather forensic evidence on APT28’s activities, to reset the malicious DNS settings, and to close the original vulnerability that allowed the hackers access.

In addition, the operation was tested extensively to ensure it did not damage the routers or collect data from legitimate users. As a result, the fix was designed to be non-destructive. “The court-authorized steps to remediate compromised routers can be reversed by legitimate users at any time through factory resets,” the Justice Department clarified. This approach balanced national security needs with protecting citizens’ property.

Why SOHO Routers Are a Prime Target

This incident highlights a critical vulnerability in global cyber defenses: the often-overlooked SOHO router. These devices are attractive targets for several reasons. First, they are numerous and frequently lack robust security updates from manufacturers. Second, many users and small businesses set them up and forget them, rarely applying firmware patches. Third, compromising a router provides a powerful vantage point to monitor all traffic flowing through a network, making it an ideal tool for espionage.

Brett Leatherman, Assistant Director of the FBI’s Cyber Division, framed the threat starkly: “GRU actors compromised routers in the US and around the world, hijacking them to conduct espionage. Given the scale of this threat, sounding the alarm wasn’t enough.” This statement explains why an active, technical counter-operation was deemed necessary.

Essential Steps to Secure Your Router

In the wake of this takedown, cybersecurity agencies are urging all router owners to take proactive steps. The goal is to prevent your device from becoming part of the next DNS hijacking network. Here is a critical checklist for remediation and protection:

1. Replace Outdated Hardware: Check if your router model is on the manufacturer’s end-of-support list. Older devices no longer receive security updates, leaving them perpetually vulnerable.

2. Update Firmware Immediately: Always download and install the latest firmware directly from the official manufacturer’s website. Do not ignore update notifications.

3. Verify and Secure DNS Settings: Log into your router’s admin panel and ensure the DNS server settings point to legitimate providers like your ISP or a trusted service like Cloudflare or Google DNS. This is a key defense against hijacking.

4. Disable Remote Management: Unless you have a specific, essential need, turn off features that allow you to manage your router from outside your home network. This closes a common attack vector.

5. Follow Official Hardening Guides: Consult the security documentation from your router’s brand (e.g., TP-Link) for specific instructions on changing default passwords and enabling firewalls.

If you suspect your router was compromised, the DOJ advises contacting your local FBI field office or filing a report with the Internet Crime Complaint Center (IC3). For more general guidance on securing your home network, you can read our internal guide on home cybersecurity basics.

A Persistent Threat and a Firm Response

This operation sends a clear message about the evolving nature of state-sponsored cyber threats. Adversaries are increasingly targeting the soft underbelly of network infrastructure—consumer-grade devices—to launch sophisticated attacks. John A. Eisenberg, Assistant Attorney General for National Security, labeled the Russian campaign “a serious and persistent threat,” vowing to “use every tool at our disposal to detect such intrusions and expel hostile foreign actors from our nation’s networks.”

Ultimately, the dismantling of this DNS hijacking network is a significant victory for defensive cyber operations. However, it also serves as a powerful reminder. Cybersecurity is a shared responsibility. While government agencies can disrupt large-scale campaigns, individual users and businesses must secure their own digital gateways. As the FBI emphasized, defending our collective networks truly requires all of us. For a deeper look at how nation-state actors operate, explore our analysis on advanced persistent threat tactics.