Your home router may have been a Russian spy tool for the past two years, and you'd have had no idea.
On April 7, 2026, the U.S. Department of Justice announced Operation Masquerade: a court-authorized technical operation that remotely accessed thousands of compromised small office/home office (SOHO) routers across the United States and reversed damage caused by Russian military intelligence. The target was a unit within Russia's Main Intelligence Directorate (GRU), Military Unit 26165, better known to the cybersecurity world as APT28, Fancy Bear, or Forest Blizzard.
The primary victim device? The TP-Link WR841N, one of the most widely sold budget routers in the world.
What APT28 Actually Did
The attack was elegant in its simplicity. Rather than deploying complex malware on target computers, the GRU chose to compromise the infrastructure those computers depend on: the home router that handles every DNS lookup they make.
The DNS Hijacking Playbook
- Credential theft: GRU actors exploited known vulnerabilities in TP-Link routers (primarily unpatched firmware and default credentials) to gain administrative access.
- DNS manipulation: Once inside, they changed the router's DNS resolver settings to point to GRU-controlled servers instead of the user's ISP's legitimate DNS servers.
- Passive interception: Every device on the network (phones, laptops, smart TVs, IoT devices) now sent DNS queries to Moscow-controlled infrastructure. The GRU servers would forward most requests normally to avoid detection, but selectively intercept or log traffic to targets of intelligence interest.
- Credential harvesting: Because many authentication systems transmit credentials before TLS negotiation completes, or because users accessed unencrypted services, the GRU harvested passwords, authentication tokens, emails, and other sensitive data from devices on the compromised networks.
The operation had been running since at least 2024. Thousands of routers were compromised. Victims included individuals in the military, government, and critical infrastructure sectors, but because the GRU targeted routers at home addresses, many victims were attacked through their personal home networks rather than employer systems.
How the FBI Responded
The DOJ obtained court authorization to conduct what it called a “domestic operation”: remotely accessing compromised routers in the United States and taking four specific actions:
| FBI Action | Purpose |
|---|---|
| Evidence collection | Document GRU actors' DNS manipulation activity |
| DNS reset | Remove GRU resolvers, force routers to obtain legitimate DNS from ISPs |
| Access revocation | Prevent GRU from re-exploiting the original unauthorized access vector |
| Integrity preservation | No legitimate user content was accessed or modified |
Critically, the FBI did not install persistent software or make permanent changes. Any modification can be reversed by a factory reset using the router's physical hardware button.
The NCSC (UK), along with allied intelligence agencies, released a parallel advisory the same day confirming the scope of the campaign and APT28's methods.
Why Home Routers Are a Top Espionage Target
The GRU's focus on consumer routers rather than enterprise infrastructure isn't accidental. Home routers offer a unique combination of high-value access and near-zero security posture:
High-value access:
- Government and military employees working from home route sensitive communications through them
- Contractors, journalists, NGO workers, and researchers with intelligence value live at residential addresses
- Personal devices carry authentication tokens for work systems, financial accounts, and private communications
Near-zero security:
- Most consumers never update router firmware
- Default credentials remain unchanged on millions of deployed units
- No security software runs on the router itself
- Compromises are entirely invisible to endpoint security tools (antivirus, EDR)
- Average consumer never inspects DNS settings
Long dwell time:
- Routers are replaced infrequently; the average home router is 4 to 5 years old
- A compromised router can passively collect data for years without detection
Am I Affected? How to Check
The FBI's remediation operation targeted routers in the United States. If you're outside the US, or if your router was compromised after the operation, you may still be vulnerable.
Check Your Current DNS Settings
On Windows:
ipconfig /all
Look for “DNS Servers” under your active adapter. These should match your ISP's DNS servers or known public resolvers (Google: 8.8.8.8 / 8.8.4.4, Cloudflare: 1.1.1.1 / 1.0.0.1).
On Mac/Linux:
cat /etc/resolv.conf
scutil --dns
On your router directly: Log into your router admin panel (typically 192.168.0.1 or 192.168.1.1) and check the WAN DNS settings. Compare against your ISP's documented DNS server addresses.
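An added example (my code, not part of the article) that automates the device-level check above and the first warning sign below: it parses constructed resolv.conf and ipconfig /all samples, compares each resolver with an allow-list of your ISP's documented servers (placeholder addresses here) plus the public resolvers listed above, and treats the router's own LAN address as inconclusive, because in that case only the router's WAN DNS page shows the real upstream.

```python
import ipaddress
import re
# Resolvers this household expects: the ISP's documented servers (constructed
# placeholders; replace with yours) plus the public resolvers named above.
EXPECTED_RESOLVERS = {"203.0.113.53", "203.0.113.54",
                      "8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}
# A device usually lists the router's own LAN address as its resolver; that is
# inconclusive, since only the router's WAN DNS page shows where queries go.
LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "169.254.0.0/16", "fc00::/7", "fe80::/10")]

def parse_resolv_conf(text):
    """Nameserver addresses from /etc/resolv.conf content (Linux/macOS)."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.M)

def parse_ipconfig(text):
    """DNS server addresses from `ipconfig /all` output (Windows): the first on
    the 'DNS Servers' line, extra ones on deeply indented continuation lines."""
    servers, in_dns = [], False
    for line in text.splitlines():
        if re.match(r"^\s*DNS Servers\b", line):
            in_dns = True
            servers.append(line.split(":", 1)[1].strip())
        elif in_dns and re.match(r"^\s{10,}\S", line):
            servers.append(line.strip())
        else:
            in_dns = False
    return servers

def classify(resolver):
    """'expected', 'router' (LAN address; check the WAN DNS), or 'unexpected'."""
    if resolver in EXPECTED_RESOLVERS:
        return "expected"
    try:
        addr = ipaddress.ip_address(resolver.split("%", 1)[0])  # drop IPv6 zone id
    except ValueError:
        return "unexpected"  # a non-address in a DNS field is itself a red flag
    return "router" if any(addr in net for net in LAN_RANGES) else "unexpected"

def audit(resolvers):
    """Map each resolver to its verdict; 'unexpected' is the first warning sign."""
    return {r: classify(r) for r in resolvers}
# Constructed sample outputs, not captured from a real machine.
SAMPLE_RESOLV_CONF = "nameserver 192.168.0.1\nnameserver 198.51.100.77\nsearch home.lan\n"
SAMPLE_IPCONFIG = """Ethernet adapter Ethernet:
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       198.51.100.77
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
```

Run `audit(parse_resolv_conf(open("/etc/resolv.conf").read()))` on a Linux or macOS host, or feed the saved `ipconfig /all` output to `parse_ipconfig`; any resolver marked `unexpected` deserves the router-side check and the remediation steps that follow.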
Warning Signs of DNS Hijacking
- DNS servers you don't recognize and didn't configure
- Websites occasionally redirecting to login prompts you don't recognize
- SSL certificate warnings on sites you use regularly
- Slower-than-normal DNS resolution
What To Do Right Now
1. Factory reset your router. Even if you believe you're unaffected, the GRU campaign ran for two years, and there are other threat actors using similar techniques. A factory reset clears any configuration-level compromise.
2. Update your firmware immediately. TP-Link and other manufacturers have released patches for the vulnerabilities exploited. Check your router manufacturer's site for the latest firmware. On most routers: Admin Panel → Advanced → Firmware Update.
3. Change your admin password. The default credential on most routers is publicly documented. Change it to something long, unique, and stored in a password manager.
4. Disable remote management. Unless you specifically need to access your router from outside your home network, disable WAN-side remote access. On most routers: Advanced → Administration → Remote Management → Disable.
5. Consider a DNS-over-HTTPS resolver. Configure your router or devices to use encrypted DNS (DoH) through providers like Cloudflare (1.1.1.1) or NextDNS. Even if an attacker changes your DNS server, DoH connections are encrypted and harder to silently intercept.
6. Enable alerts. Some routers support email/push alerts on config changes. Enable them so you're notified if DNS settings are modified.
The Bigger Picture: State Actors Are Targeting Your Home
Operation Masquerade follows a now-familiar pattern. In 2024, Volt Typhoon (China) pre-positioned in SOHO routers for infrastructure attacks. Sandworm (also GRU) targeted Polish power grid OT systems in December 2025. Salt Typhoon (China) compromised US telecom infrastructure for years. The FCC banned new foreign-manufactured routers in March 2026 in response to these campaigns.
The common thread: state-level threat actors have concluded that consumer-grade home networking equipment is the easiest, longest-lasting, and most invisible foothold available to them. These devices sit at the intersection of personal and professional life, are never monitored, and are replaced rarely.
Your router isn't just a convenience device. It's the gateway through which everything in your digital life passes. Treat it accordingly.