Russian Military Hackers Just Hijacked 18,000 Routers. Is Yours One of Them?
Over 18,000 home and small business routers in 120 countries were penetrated by a Russian military intelligence operation, which the FBI, NSA, Department of Justice, and law enforcement partners from 15 nations declared on April 7 that they had stopped. Codenamed Operation Masquerade, the operation targeted infrastructure under the control of APT28, a Russian GRU hacking unit that has been active for more than 20 years and is also tracked as Forest Blizzard and Fancy Bear.
The attackers did not install malware in the conventional sense. They exploited known flaws in consumer-grade TP-Link routers to alter the devices’ DNS settings. That single change let them covertly reroute internet traffic from every device on the network through servers under their control, where they collected emails, passwords, login tokens, and other private information. The attack required no interaction from the end user, and most victims had no idea anything was wrong.
Microsoft found that the campaign affected 5,000 individual devices and more than 200 organizations. Governmental organizations, military personnel, defense contractors, operators of vital infrastructure, and telecom companies in North America, Europe, Africa, Central America, and Southeast Asia were among the targets. After casting a broad net, the GRU filtered for intelligence targets with high value.
In order to prevent the attackers from regaining access, the FBI responded by issuing court-authorized commands to hacked routers located within the United States to reset their DNS settings. The operation did not gather user data or interfere with regular router operation. However, the fact that the FBI had to remotely intervene in devices sitting in American homes and offices should tell you something about the scale of the problem.
Why Routers Are the Weakest Link
Home routers have been attacked by nation-states before, and this won’t be the last time. In 2024 the FBI took down a Chinese botnet that had taken control of hundreds of similar devices. In 2022 it was the Cyclops Blink botnet, and before that VPNFilter in 2018. The pattern keeps recurring because routers are the most overlooked component of the security infrastructure in most households and companies.
This continues to occur for several reasons:
Firmware updates are manual and invisible. Most routers don’t update automatically, in contrast to your laptop or phone. Most users have never seen the admin panel they must log into in order to update. Automatic updates are rarely released by manufacturers, and many older devices no longer receive any updates at all.
Default credentials are everywhere. How many users have altered the default admin password on their router? Every study that has ever been done on the subject has found that the response is far from sufficient. Many routers still ship with credentials like “admin/admin” or publicly documented defaults that attackers can look up in seconds.
Remote management is often enabled by default. Some routers ship with remote administration interfaces exposed to the internet, so anyone, anywhere in the world, can attempt to reach the admin panel. Most users are unaware that this feature even exists, much less that it needs to be disabled.
Nobody monitors router activity. Laptops and servers are safeguarded by endpoint security technologies. Inboxes are protected by email security measures. However, very few people are keeping an eye on what the router is doing. There was no alarm when APT28 altered DNS settings on hacked routers. All of the network’s devices were silently affected by the modification.
End-of-life devices stay in service for years. Phones are replaced every few years; routers are not. Many homes and businesses still run hardware the manufacturer discontinued long ago. These devices remain connected to the internet and trusted to handle all network traffic, yet they will never receive another security patch.
The Remote Work Problem
This issue has significantly worsened due to the transition to remote and hybrid work. Prior to 2020, corporate networks with specialized firewalls, intrusion detection systems, and IT professionals keeping an eye on traffic handled the majority of sensitive business data. Nowadays, a large amount of that same data passes through consumer-grade routers that staff members purchased from a big-box retailer and mindlessly plugged in.
The NSA’s guidance specifically addresses this, advising organizations that use telework to review their policies for employee access to sensitive data, including the use of VPNs and hardened application configurations. The agency makes this recommendation because it recognizes what this attack demonstrated: when a home router is compromised, the attacker does not just see the router. They see everything connected to it. Every device on that Wi-Fi network inherits the malicious DNS settings, and every email, file transfer, and login from every device in the house passes through infrastructure under the attacker’s control.
This implies that your security perimeter now encompasses each employee’s home network if your company employs remote workers. Additionally, you typically have little visibility into what’s going on there.
What You Should Do
The good news is that self-defense measures are simple. Unfortunately, the majority of individuals and institutions have not adopted them. Here are our recommendations based on the FBI, NSA, and CISA guidelines:
- Change your router’s admin credentials. If your router’s login is still set to the factory default, change it immediately. Use a strong, unique password. This is the single most impactful step you can take.
- Update your router’s firmware. Log into your router’s admin panel and check for available updates. If you do not know how, your manufacturer’s website will have instructions. If your router is no longer receiving updates from the manufacturer, it is time to replace it.
- Disable remote management. Unless you have a specific reason to manage your router from outside your network, turn this feature off. It is one of the primary ways attackers gain initial access.
- Replace end-of-life hardware. If your router is old enough that the manufacturer has stopped issuing security updates, it is a liability. No amount of configuration hardening can protect a device with known, unpatched vulnerabilities.
- Pay attention to certificate warnings. The NSA specifically flagged this. If your browser or email client starts showing certificate warnings that it did not show before, do not ignore them. A DNS hijacking attack can trigger these warnings because traffic is being routed through an untrusted server.
- Review your remote work policies. If your organization has employees working from home, you need to address the security of their home networks. At a minimum, require VPN usage for accessing sensitive systems. Better yet, provide guidance or support for employees to secure their home routers.
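The “nobody monitors router activity” problem above, and the hardening checklist just given, both come down to noticing when the DNS path has been tampered with. The following is an added example written for this post (not code from the FBI, NSA, or the article’s author): it audits a client’s configured resolvers against an allowlist and compares the answers a local resolver returns with answers from a reference resolver reached directly. The allowlist, the resolv.conf text, and the DNS answers are all constructed sample data.

```python
"""Detect DNS-hijack indicators on a host behind a consumer router."""
import ipaddress
import re

# Constructed allowlist: public resolvers a home or small-office host might
# legitimately be handed by DHCP. Adjust to your own environment.
TRUSTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# RFC 1918 ranges: a resolver here is the router itself (or a LAN server).
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        m = re.match(r"nameserver\s+(\S+)$", line)
        if m:
            servers.append(m.group(1))
    return servers


def audit_resolvers(servers, trusted=TRUSTED_RESOLVERS):
    """Flag any resolver that is neither on the LAN nor on the trusted list."""
    findings = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            findings.append(f"{s}: not an IP address")
            continue
        if ip.is_loopback or s in trusted or any(ip in n for n in LAN_NETS):
            continue
        findings.append(f"{s}: unexpected public resolver (possible DNS hijack)")
    return findings


def compare_answers(local_answers, reference_answers):
    """A hijacked router often still hands out its own LAN address as the
    resolver, so the allowlist check above cannot see the malicious upstream.
    Comparing A records from the local resolver with those from a reference
    resolver reached directly catches that case: disjoint answer sets for the
    same name are a strong indicator that resolution is being redirected."""
    divergent = {}
    for name, local in local_answers.items():
        ref = set(reference_answers.get(name, ()))
        if ref and not (set(local) & ref):
            divergent[name] = (sorted(local), sorted(ref))
    return divergent
```

In practice, feed `parse_resolv_conf` the contents of `/etc/resolv.conf` (or the DHCP-supplied servers from your OS) and `compare_answers` the results of resolving a few sensitive domains both normally and via a resolver you trust; a non-empty result from either function is the alarm the post says nobody is raising.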
The Bigger Picture
Since 2018, the FBI has carried out four significant operations against nation-state router compromises. Each time, the attackers broadened their scope and changed their tactics. In every case the underlying vulnerability was the same: unmanaged, unmonitored, unpatched consumer networking equipment at the edge of networks handling sensitive data.
These hazards are not hypothetical. Before this operation was stopped, Russian military intelligence had been quietly collecting credentials from infected routers for at least two years. The program affected over 200 organizations across 120 countries. And that is only the campaign we know about.
At Guard Street, we collaborate with companies to find and fill precisely these kinds of gaps. One of the most neglected aspects of most security programs is router and edge device protection, and events like Operation Masquerade serve as a reminder that the dangers are genuine, active, and aimed at companies of all sizes.
The FBI advises getting in touch with your local field office or submitting a report to the Internet Crime Complaint Center at ic3.gov if you think your router has been compromised.
Guard Street provides cybersecurity advisory, threat intelligence, and strategic risk management for organizations navigating an evolving threat landscape. To learn how we can help your organization assess and strengthen its security posture, visit guardstreet.com.