www.infosecurity-magazine.com 4/8/2026, 10:30:51 AM

US and FBI shut down Russian hackers' router hijacking network

A large-scale network of internet routers compromised by Russian hacking group APT28 to harvest credentials was taken down in the US. The US Department of Justice announced on 7 April that it had teamed up with the FBI to neutralise the US portion of the DNS hijacking network, which spanned over 23 US states.

The operation, dubbed “Operation Masquerade” and led by FBI Boston after court authorization, involved sending commands to compromised routers to collect evidence, reset DNS settings and force devices to obtain legitimate resolvers from their ISPs. The effort followed campaigns dating back to 2024 in which APT28 exploited vulnerabilities in SOHO routers, particularly TP-Link devices, to redirect traffic through attacker-controlled DNS servers.

UK and US agencies attributed APT28 to Russia’s GRU Military Unit 26165, with DoJ and partners urging users of affected routers to remediate and follow official guidance. The DoJ noted that remediation steps could be reversed by legitimate users via factory resets or web management pages.

Article by CyberSIXT