Feds Dismantle Massive Russian GRU Espionage Network Targeting Routers
Authorities have successfully disrupted a sprawling espionage network operated by a Russian state-sponsored threat group, Forest Blizzard (also known as APT28/Fancy Bear), which compromised over 18,000 routers in more than 120 countries. According to Cyber Threat Intelligence, this operation, dubbed Operation Masquerade, involved hijacking network traffic and compromising DNS settings to steal credentials and tokens, primarily targeting Microsoft accounts and other services. The Justice Department attributes Forest Blizzard to Russia’s GRU Military Unit 26165.
The scale of the operation was significant: at least 5,000 consumer devices were affected and systems inside more than 200 organizations were compromised. Cyber Threat Intelligence detailed how the group exploited known vulnerabilities in TP-Link routers to establish a broad foothold for intelligence gathering. The campaign shows how a nation-state actor can build an espionage platform out of readily available consumer infrastructure that still carries known, exploitable bugs, rather than out of bespoke tooling.
The coordinated takedown, led by the FBI with support from other federal agencies and private-sector partners including Lumen's Black Lotus Labs and Microsoft Threat Intelligence, involved sending commands to the compromised routers that reset their hijacked DNS settings. This severed Forest Blizzard's access through those devices and stopped further traffic redirection, neutralizing the immediate threat from this particular network. It is worth being clear about what a DNS reset does not do: it does not patch the vulnerabilities the group exploited to get in, so an affected router remains exposed until its owner updates the firmware or replaces the device.
What This Means For You
- Organizations should monitor DNS settings and DNS traffic for the symptoms of this kind of compromise: resolver addresses on routers or in DHCP offers that change without an approved change, clients sending queries to resolvers outside the approved set, and answers for authentication domains (such as Microsoft login endpoints) that differ from what a trusted resolver returns.
- Where the network design allows it, block direct outbound port 53 at the edge except to the approved resolvers, so a rewritten router DNS setting fails closed instead of silently redirecting logins.
- Patch or replace consumer and small-office routers running firmware with known vulnerabilities; the takedown reset DNS settings on the hijacked devices but did not fix them.
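As an added example (not code from the article or from any of the organizations it names), the following Python script runs the first of those checks over a batch of DNS log lines: it flags clients talking to a resolver outside the approved set, and flags a watched authentication domain that an unapproved resolver answers differently from the approved ones. The log format, the resolver addresses, the watched domains and the sample lines are all constructed assumptions; adapt the regular expression to whatever your firewall or DNS sensor actually emits.

```python
"""
Audit DNS logs for the two symptoms of a router-level DNS hijack:
  1. clients sending queries to a resolver that is not on the approved list
     (a rewritten router or DHCP DNS setting shows up here first), and
  2. an authentication domain being answered differently by an unapproved
     resolver than by the approved ones (the redirect that harvests logins).
All resolver addresses, domains and log lines below are constructed for the example.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Assumption: the organisation's own resolvers (hypothetical addresses).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Domains whose hijack yields credentials or tokens; extend per environment.
WATCHED_DOMAINS = {"login.microsoftonline.com", "login.live.com"}

# Assumed log format (one line per answered query, written by a firewall or
# DNS sensor): "<ts> src=<client> dst=<resolver>:53 q=<name> a=<answer>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+):53 q=(?P<q>\S+) a=(?P<a>\S+)$"
)


def parse_line(line: str) -> dict[str, str] | None:
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(lines, approved=APPROVED_RESOLVERS, watched=WATCHED_DOMAINS) -> list[tuple]:
    """Return findings as tuples; the first element names the finding type."""
    findings: list[tuple] = []
    # watched domain -> resolver -> set of answers seen from that resolver
    seen: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a DNS record in the expected shape; ignore
        if rec["dst"] not in approved:
            # Symptom 1: the client is using a resolver we did not configure.
            findings.append(("unapproved_resolver", rec["src"], rec["dst"], rec["q"]))
        qname = rec["q"].lower()
        if qname in watched:
            seen[qname][rec["dst"]].add(rec["a"])

    for qname, by_resolver in seen.items():
        # Answers from approved resolvers are the reference set for this name.
        reference: set[str] = set()
        for resolver, answers in by_resolver.items():
            if resolver in approved:
                reference |= answers
        if not reference:
            continue  # no trusted baseline in this batch; cannot judge
        for resolver, answers in by_resolver.items():
            if resolver not in approved and not (answers & reference):
                # Symptom 2: the rogue resolver points the login domain elsewhere.
                findings.append(("divergent_answer", qname, resolver, sorted(answers)))
    return findings


# Constructed sample: two clients on approved resolvers, one client whose
# router now hands out 203.0.113.9 (a documentation address) as its resolver.
SAMPLE_LOG = """\
2024-01-01T00:00:01Z src=10.0.2.15 dst=10.0.0.53:53 q=login.microsoftonline.com a=192.0.2.10
2024-01-01T00:00:02Z src=10.0.2.16 dst=10.0.0.53:53 q=example.org a=192.0.2.80
2024-01-01T00:00:03Z src=10.0.2.17 dst=203.0.113.9:53 q=login.microsoftonline.com a=198.51.100.23
2024-01-01T00:00:04Z src=10.0.2.17 dst=203.0.113.9:53 q=example.org a=192.0.2.80
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG.splitlines()):
        print(*finding)
```

On the sample batch the script reports two `unapproved_resolver` findings for client 10.0.2.17 and one `divergent_answer` finding for `login.microsoftonline.com`, which together are the signature of a hijacked router: the client's resolver changed, and the changed resolver sends the login domain somewhere else. A rogue resolver that returns the same answers as the approved ones still produces the first finding, which is the right behaviour, since the setting change itself is the earliest indicator.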