Key Takeaways
- The Department of Justice and the FBI disrupted a DNS hijacking campaign run by Russia’s GRU Military Unit 26165.
- The court-authorized action targeted compromised TP-Link SOHO routers inside the United States.
- Router owners are being urged to update firmware, verify DNS settings, and replace unsupported hardware.
A major federal intervention unfolded this week as the Department of Justice and the FBI revealed a court-authorized operation that cut off Russian military intelligence from a network of compromised small office and home office routers inside the United States. The focus of the action was GRU Military Unit 26165, a group also known as APT28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit. For security teams that track nation-state behavior, those aliases signal years of persistent and aggressive cyber activity.
This was not a theoretical threat confined to obscure networks. According to the Justice Department, thousands of TP-Link routers worldwide had been compromised since at least 2024 after GRU actors exploited known vulnerabilities and stole credentials. Once inside, the attackers reconfigured DNS settings to quietly redirect traffic to servers they controlled. The routers then became part of the attackers’ infrastructure, enabling targeted DNS hijacking against military, government, and critical infrastructure users around the world.
The FBI’s disruption effort, known as Operation Masquerade, neutralized the U.S. portion of the network. The agency took action against the affected TP-Link hardware to stop the malicious activity, forcing an end to the unauthorized access. This operation targeted a class of small, consumer-grade devices, highlighting the growing risk that unmanaged edge devices pose to national security.
What stood out in public statements from officials was the fact that GRU actors were initially indiscriminate. Only later did they filter DNS traffic to find queries worth intercepting. For select targets, the malicious DNS resolvers supplied fraudulent records impersonating legitimate services such as Microsoft Outlook Web Access. That allowed Actor-in-the-Middle attacks on encrypted traffic, extracting authentication tokens, passwords, emails, and other sensitive data from devices sharing the compromised routers.
The response from senior officials underscored the persistent nature of the threat. Assistant Attorney General for National Security John A. Eisenberg described the GRU’s behavior as predatory and emphasized that the National Security Division would continue using every available tool to track and expel hostile foreign actors. Meanwhile, U.S. Attorney David Metcalf for the Eastern District of Pennsylvania noted that Russian military intelligence had once again co-opted American hardware to commandeer data, and that the government intended to respond aggressively.
Not every part of the announcement focused on enforcement. Some of it read as a reminder of shared responsibility across the broader technology ecosystem. Brett Leatherman, Assistant Director of the FBI’s Cyber Division, pointed to the scale of the threat and said that sounding the alarm was insufficient on its own. The FBI operation demonstrated a commitment to identifying, exposing, and disrupting these efforts, while urging owners to follow remediation guidance. The rise of inexpensive, long-lived routers has created a sprawling, lightly managed infrastructure layer that nation-state actors increasingly exploit.
From an operational standpoint, the effort was supported by the FBI Cyber Division, the U.S. Attorney’s Office for the Eastern District of Pennsylvania, and the National Security Division. Federal agencies have shown an increasing willingness to directly target and neutralize infrastructure used by sophisticated state actors, stepping in where consumer hardware is left unmanaged.
Router owners, particularly organizations that rely on SOHO devices for remote work or branch connectivity, now have a task list. Replace hardware that has reached end-of-life or end-of-support. Update firmware. Verify that the configured DNS resolvers are the ones you expect. Review firewall rules to ensure remote management services are not unnecessarily exposed. It sounds basic, but these controls continue to be the weak links exploited by state-sponsored actors.
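The two DNS-related items on that list, checking which resolvers a router actually uses and noticing when those resolvers hand back records that disagree with a trusted source (the fraudulent-record behavior described earlier), are easy to script. The following is an added example written for this article, not code from the FBI, the Justice Department, or TP-Link. Every resolver address, hostname and answer in it is constructed sample data; the approved-resolver list and the sensitive-hostname list are assumptions an operator would replace with their own.

```python
"""
Offline checker for the two DNS-related remediation steps above:
(1) confirm the resolvers a router is configured to use are the ones the
    owner expects, and (2) spot answers from the router's resolver that
    disagree with a trusted resolver for sensitive hostnames.
Every address, hostname and resolver below is constructed sample data.
"""
import ipaddress

# Resolvers the owner expects the router to use (constructed; TEST-NET-1 range).
APPROVED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Hostnames whose hijack would yield credentials or tokens (constructed list,
# mirroring the webmail example in the article); mismatches here rank higher.
SENSITIVE_HOSTS = {"mail.example.com", "login.example.com"}


def audit_configured_resolvers(configured, approved=APPROVED_RESOLVERS):
    """Return the configured resolvers that are not on the approved list.

    Anything that is not a valid IP literal is also returned, because a
    router field meant to hold an IP address should never contain anything else.
    """
    unexpected = []
    for entry in configured:
        try:
            addr = str(ipaddress.ip_address(entry.strip()))
        except ValueError:
            unexpected.append(entry)
            continue
        if addr not in approved:
            unexpected.append(addr)
    return unexpected


def compare_answers(router_answers, trusted_answers, sensitive=SENSITIVE_HOSTS):
    """Compare A-record answers from the router's resolver with a trusted one.

    Both arguments map hostname -> set of address strings.  A hostname is
    reported only when the two answer sets share no address at all; a partial
    overlap is treated as ordinary load balancing and ignored.
    Returns {hostname: {"router": [...], "trusted": [...], "severity": str}}.
    """
    findings = {}
    for host, router_ips in router_answers.items():
        trusted_ips = trusted_answers.get(host)
        if not trusted_ips:
            continue  # no reference answer; nothing to compare against
        if router_ips.isdisjoint(trusted_ips):
            findings[host] = {
                "router": sorted(router_ips),
                "trusted": sorted(trusted_ips),
                "severity": "high" if host in sensitive else "medium",
            }
    return findings


# --- constructed sample data -----------------------------------------------
SAMPLE_CONFIGURED = ["192.0.2.53", "198.51.100.7"]  # second one is not approved

SAMPLE_ROUTER_ANSWERS = {
    "mail.example.com":  {"203.0.113.10"},              # disagrees with trusted
    "login.example.com": {"192.0.2.20", "192.0.2.21"},  # overlaps -> fine
    "www.example.com":   {"203.0.113.80"},              # disagrees, not sensitive
    "cdn.example.com":   {"192.0.2.200"},               # no trusted reference
}
SAMPLE_TRUSTED_ANSWERS = {
    "mail.example.com":  {"192.0.2.10", "192.0.2.11"},
    "login.example.com": {"192.0.2.21", "192.0.2.22"},
    "www.example.com":   {"192.0.2.80"},
}


def run_sample_audit():
    """Run both checks on the constructed data and return their results."""
    return (
        audit_configured_resolvers(SAMPLE_CONFIGURED),
        compare_answers(SAMPLE_ROUTER_ANSWERS, SAMPLE_TRUSTED_ANSWERS),
    )


if __name__ == "__main__":
    bad_resolvers, findings = run_sample_audit()
    for r in bad_resolvers:
        print(f"[resolver] unexpected DNS server configured: {r}")
    for host, f in sorted(findings.items()):
        print(f"[{f['severity']}] {host}: router says {f['router']}, "
              f"trusted says {f['trusted']}")
```

In practice the "router" answers would come from querying the resolver the router hands out over DHCP and the "trusted" answers from a resolver you control or a DoH/DoT endpoint, taken from the same network and at roughly the same time; CDN-fronted hostnames can legitimately return completely different addresses from different vantage points, which is why the check only flags total disagreement and ranks webmail and login hostnames above everything else.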
One lingering question is how many compromised devices remain outside the United States. The government’s action focused on domestic infrastructure because that is where its authority lies. International partners may conduct their own remediations, or they may not. For now, the U.S. portion of the network that enabled this hijacking campaign has been neutralized. What happens next will depend on whether consumers and businesses follow the warnings that have come with it, and whether adversaries attempt to rebuild the network with new tactics.