
Russian GRU-Linked Hackers Hijacked Home Routers To Steal Passwords And Tokens

By Amisha Dash

Updated on Wed, Apr 8, 2026

Russian state-linked hackers used compromised home and small office routers as covert infrastructure for a credential theft and cyberespionage campaign, prompting U.S. and allied authorities to issue fresh warnings and launch a court-authorized disruption operation on April 7, 2026.

TL;DR

  • U.S. authorities said GRU Unit 26165, also tracked as APT28, Fancy Bear, and Forest Blizzard, compromised thousands of SOHO routers and used them for DNS hijacking.
  • The attackers changed router DHCP and DNS settings so connected laptops and phones would send traffic through actor-controlled servers.
  • Microsoft said it identified more than 200 organizations and 5,000 consumer devices affected by the malicious DNS infrastructure.
  • Lumen said the operation reached at least 120 countries at one stage and primarily targeted government agencies, law enforcement, and third-party email providers.
What Happened?

The campaign has been attributed by U.S. and UK authorities to Russia’s GRU Military Unit 26165, the same unit widely tracked as APT28, Fancy Bear, and Forest Blizzard. On April 7, the U.S. Justice Department and FBI said they had neutralized the U.S. portion of a network of compromised small office and home office routers that had been used to support DNS hijacking operations against targets in the military, government, and critical infrastructure sectors. Reuters reported the disruption was carried out under the name Operation Masquerade.

According to the DOJ and the FBI-led IC3 alert, the actors exploited known vulnerabilities in routers, specifically including TP-Link devices affected by CVE-2023-50224. Once inside, they changed DHCP and DNS settings so devices on the same network would inherit actor-controlled resolvers. That gave the attackers visibility into network lookups and, for selected targets, allowed them to return fake DNS responses for services including Microsoft Outlook Web Access. If a victim clicked through a certificate warning, the operation could shift into an adversary-in-the-middle attack capable of exposing passwords, authentication tokens, emails, and other sensitive traffic.
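As an added, defender-side illustration of the resolver-swap pattern described above (example code, not from the article or from any of the agencies it quotes): an endpoint audit that flags DHCP-assigned resolvers that are neither on the allow-list nor inside the LAN, and compares the local answer for a sentinel host such as an OWA endpoint with a trusted reference answer. The allow-list, LAN range, hostnames and DNS answers are constructed sample data.

```python
import ipaddress
import re

# Assumed environment: two corporate resolvers plus the router's LAN address
# are the only resolvers an endpoint should ever be handed by DHCP.
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53", "192.168.1.1"}
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home/SOHO subnet

# Constructed sample: resolver list a laptop ended up with after its router's
# DHCP settings were changed to hand out an external resolver first.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
search corp.example
nameserver 203.0.113.10
nameserver 192.168.1.1
"""

# Constructed sample answers: the DHCP-assigned resolver returns a different
# address for the OWA host than a trusted out-of-band reference does.
LOCAL_ANSWERS = {"owa.corp.example": {"203.0.113.45"},
                 "www.example.org": {"198.51.100.7"}}
REFERENCE_ANSWERS = {"owa.corp.example": {"198.51.100.20"},
                     "www.example.org": {"198.51.100.7"}}

def parse_resolv_conf(text):
    """Return nameserver addresses, in order, from resolv.conf-style text."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, flags=re.M)

def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS, lan=LAN):
    """Resolvers not on the allow-list, noting whether each sits inside the
    LAN; an off-LAN resolver arriving via DHCP is the pattern to investigate."""
    findings = []
    for s in servers:
        if s in expected:
            continue
        try:
            in_lan = ipaddress.ip_address(s) in lan
        except ValueError:
            in_lan = False  # not an IP literal at all; still unexpected
        findings.append({"resolver": s, "in_lan": in_lan})
    return findings

def mismatched_answers(hosts, local, reference):
    """Sentinel hosts whose local answer set differs from the reference set.
    Answers are passed in as dicts so the check runs offline."""
    return [h for h in hosts if set(local.get(h, ())) != set(reference.get(h, ()))]

def audit(resolv_text, hosts, local=LOCAL_ANSWERS, reference=REFERENCE_ANSWERS):
    """Combine both checks into one report for an endpoint."""
    servers = parse_resolv_conf(resolv_text)
    return {"resolvers": servers,
            "unexpected": unexpected_resolvers(servers),
            "mismatched": mismatched_answers(hosts, local, reference)}
```

In a real deployment the two answer dicts would be filled by querying the DHCP-assigned resolver and an independent path (for example a corporate resolver over VPN) for the same sentinel names.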

Researchers said the broader campaign affected unpatched TP-Link and MikroTik routers, and Microsoft said the activity had been underway since at least August 2025. The company said it had identified over 200 organizations and 5,000 consumer devices tied to the malicious DNS infrastructure. Lumen’s Black Lotus Labs added more texture to the scale, saying it observed more than 18,000 unique IPs from at least 120 countries communicating with the actor’s infrastructure at the campaign’s peak in December 2025.

The victim profile was not random at the intelligence stage. Lumen said the operation primarily targeted ministries of foreign affairs, law enforcement bodies, and third-party email providers. Germany’s domestic intelligence agency separately said several thousand routers were hit globally, including around 30 in Germany. Microsoft also said the activity affected sectors such as government, IT, telecommunications, and energy.

What Did Officials Say?

“Given the scale of this threat, sounding the alarm wasn't enough,” said Brett Leatherman, Assistant Director of the FBI’s Cyber Division, as the Justice Department announced the U.S. disruption effort.

Authorities also warned that the risk has not disappeared simply because part of the infrastructure was taken down. The FBI and its partners urged router owners to update firmware, replace end-of-support hardware, change default usernames and passwords, disable internet-exposed remote management, and treat certificate warnings seriously. For organizations with remote workers, agencies also recommended stronger access policies, VPN use where appropriate, and hardened device configurations.

The case is another reminder that overlooked edge devices can become a powerful espionage layer. Instead of attacking a laptop or cloud account first, the operators moved one step earlier in the chain and used the router itself to redirect, inspect, and selectively capture valuable traffic.

First published on Wed, Apr 8, 2026
