DOJ Disrupts GRU DNS Hijacking Network Compromising Thousands of TP-Link Routers Across 23 U.S. States
The Department of Justice announced Operation Masquerade, a court-authorized takedown of a Russian GRU Unit 26165 (APT28) DNS hijacking network that compromised thousands of TP-Link routers across 23 states since 2024.

The U.S. Department of Justice (DOJ) announced on April 10, 2026, the disruption of a sophisticated DNS hijacking network operated by Russia's GRU Unit 26165 (APT28) that had compromised thousands of TP-Link small office and home office routers across more than 23 U.S. states since at least 2024. The operation, dubbed Operation Masquerade, was conducted under court supervision and involved the FBI deploying commands to reset compromised routers and block attacker access.
According to the DOJ, APT28 operators exploited known vulnerabilities in TP-Link routers to steal credentials, gain unauthorized access to router management interfaces, and silently rewrite DNS settings. This redirected DNS queries to GRU-controlled resolvers instead of legitimate ISP-provided resolvers. The actors then applied automated filtering on the hijacked traffic to identify DNS requests of intelligence interest, particularly targeting users in government, military, and critical infrastructure sectors.
For selected high-value targets, the GRU-controlled resolvers returned forged DNS records for specific domains, allowing the attackers to insert their infrastructure into encrypted sessions. This enabled the collection of passwords, authentication tokens, emails, and other sensitive data from devices on the same networks as the compromised routers. The operation represents a significant escalation in Russian state-sponsored cyber espionage targeting U.S. infrastructure.
Under court supervision, the FBI developed and deployed a series of commands to the compromised routers. The operation captured evidence of GRU activity, reset the DNS configuration so devices would once again obtain legitimate resolvers from their ISPs, and blocked the original path the actors had used for unauthorized access. The FBI first tested the command set on the same TP-Link router models and firmware in a controlled environment, ensuring normal routing functions remained intact and that owners could reverse the changes via a factory reset or the web management interface.
The DOJ is now working with U.S. internet service providers to notify customers whose routers fell within the scope of the warrant. The operation highlights the persistent threat posed by state-sponsored actors targeting consumer-grade networking equipment to establish covert espionage infrastructure. This campaign mirrors previous APT28 operations that compromised MikroTik routers for similar purposes, demonstrating the group's continued reliance on router-level compromise for intelligence gathering.
The disruption of this network is a significant victory for U.S. law enforcement and intelligence agencies, but it also underscores the vulnerability of small office and home office routers to state-sponsored exploitation. Users are advised to ensure their TP-Link routers are running the latest firmware, change default credentials, and monitor for any unusual DNS behavior. The operation serves as a reminder that even consumer-grade networking equipment can become a vector for sophisticated nation-state espionage campaigns.
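The two symptoms the DOJ describes (resolvers silently swapped for attacker-controlled ones, and forged records returned only for selected domains) can both be checked from a host behind the router. The following is an added example written for this article, not code from the DOJ, FBI or TP-Link; the resolver lookups are injected as callables so the logic runs offline against constructed sample data, and the allow-listed networks and domains are placeholders you would replace with your ISP's resolver ranges and the sites you care about.

```python
"""Defender-side checks for router DNS hijacking (added example, not from the DOJ release).

Check 1: the resolver addresses the router hands out (DHCP / /etc/resolv.conf)
         fall inside the networks you expect (router LAN address, ISP resolvers).
Check 2: answers for sensitive domains from the router's resolver agree with
         answers from an independent, trusted resolver.
"""
import socket
from ipaddress import ip_address, ip_network
from typing import Callable, Iterable

Lookup = Callable[[str], set[str]]   # domain -> set of A-record IPs


def unexpected_resolvers(configured: Iterable[str], allowed_nets: Iterable[str]) -> list[str]:
    """Return configured resolver IPs that lie outside the allow-listed networks."""
    nets = [ip_network(n) for n in allowed_nets]
    return [ip for ip in configured if not any(ip_address(ip) in n for n in nets)]


def divergent_answers(domains: Iterable[str], router: Lookup, trusted: Lookup) -> dict:
    """Return {domain: (router_ips, trusted_ips)} where the two answer sets share no IP.

    No overlap is a strong hint of a forged record, but CDN geo-rotation can also
    produce it, so treat a hit as something to verify, not as proof by itself.
    """
    findings = {}
    for domain in domains:
        r, t = router(domain), trusted(domain)
        if not (r & t):
            findings[domain] = (r, t)
    return findings


def system_lookup(domain: str) -> set[str]:
    """Lookup via the OS resolver, i.e. whatever the router handed out (real network use)."""
    return set(socket.gethostbyname_ex(domain)[2])


# Constructed sample data: the "router" resolver forges one of two records.
_TRUSTED = {"webmail.example.org": {"198.51.100.10"},
            "login.example.net": {"203.0.113.5", "203.0.113.6"}}
_ROUTER = {"webmail.example.org": {"192.0.2.44"},       # forged answer
           "login.example.net": {"203.0.113.6"}}        # legitimate subset


def sample_report() -> dict:
    """Run both checks on the constructed data (placeholder allow-list and resolvers)."""
    bad = unexpected_resolvers(["192.168.0.1", "192.0.2.53"],
                               ["192.168.0.0/16", "198.51.100.0/24"])
    div = divergent_answers(_TRUSTED, lambda d: _ROUTER[d], lambda d: _TRUSTED[d])
    return {"unexpected_resolvers": bad, "divergent_answers": div}


if __name__ == "__main__":
    print(sample_report())
```

For a live check, pass `system_lookup` as the router-side resolver and a lookup that queries a resolver you trust directly (for example with dnspython) as the trusted side.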