A coordinated international operation has dismantled a Russian military intelligence network that turned ordinary office and home routers into espionage tools, intercepting encrypted communications from military personnel, government officials, and critical infrastructure workers across at least 120 countries.
The Security Service of Ukraine (SBU), working alongside the FBI, Polish counterintelligence, and EU law enforcement agencies, announced on April 7 the results of a joint cyber operation targeting Russian military intelligence activity across Ukraine and partner nations. Simultaneously, the US Department of Justice and FBI announced a court-authorised technical operation — dubbed “Operation Masquerade” — to neutralise the American portion of the same network.
The operation exposed one of the GRU’s most systematic intelligence-gathering methods to date: quietly hijacking the routers that sit in homes and small offices across the Western world, then using them as invisible wiretaps on their owners’ internet traffic.
The hacking unit behind the campaign is GRU Military Unit 26165, tracked by cybersecurity researchers under several names: APT28, Fancy Bear, Forest Blizzard, and Sednit. Since at least 2024, the group exploited known security vulnerabilities in small office and home office routers — known as SOHO devices — to gain unauthorised access and alter their settings.
The primary vector was a vulnerability in TP-Link routers (CVE-2023-50224) that let an unauthenticated attacker extract the device's login credentials with specially crafted requests. MikroTik routers were also compromised in a separate but related cluster of activity, according to the UK's National Cyber Security Centre (NCSC).
Once inside a router, GRU operatives changed its DNS settings so that the router forwarded name lookups to resolvers under their control. DNS, the Domain Name System, functions as the internet's address book, translating website names into the numerical addresses that route traffic to its destination. A malicious resolver can answer selected lookups with the address of an attacker-controlled server instead of the real one, which gives the attacker control over where the user's connection goes for any name they choose.
This technique, a form of adversary-in-the-middle (AitM) attack, let the GRU get at communications that users assumed were protected by TLS encryption. The redirection does not break the encryption; it steers the victim to an attacker-controlled host before a connection to the legitimate service is ever made. According to the NCSC advisory published April 7, harvested material included passwords, OAuth authentication tokens, and email content. In several cases, the attackers served victims fake login pages mimicking Microsoft Outlook Web Access, capturing credentials as users typed them in, unaware anything was wrong.
Crucially, the compromise extended beyond the router itself. Connected devices on the same network, including laptops, phones, and tablets, use the router as their DNS server by default, so their lookups were forwarded to the malicious resolvers as well, exposing their traffic in the same way.
Lumen’s Black Lotus Labs, which investigated the campaign alongside Microsoft and named it “FrostArmada”, reported that the operation began in a limited capacity around May 2025 before escalating sharply in August 2025. By December 2025, more than 18,000 unique IP addresses from at least 120 countries were communicating with APT28 infrastructure.
The GRU’s approach was deliberately broad at first. According to the FBI and IC3 advisory, the group compromised a wide pool of devices indiscriminately, then used an automated filtering system to identify targets of genuine intelligence value. Those who made it through the filter were subjected to active credential theft.
Priority targets included military and government personnel, employees of defence industry enterprises, and workers in critical infrastructure sectors. The SBU confirmed that among the primary targets in Ukraine were staff and servicemembers of state agencies, Ukrainian Defence Forces units, and defence industry companies.
Microsoft Threat Intelligence, as reported by The Hacker News, identified over 200 organisations and 5,000 consumer devices affected by the malicious DNS infrastructure. The company also documented AitM attacks against servers belonging to at least three government organisations in Africa that were not hosted on Microsoft infrastructure.
Germany's domestic intelligence agency, the BfV, issued its own warning alongside the BND and FBI on April 7, reporting that around 30 routers in Germany had been identified as affected; in the confirmed cases the devices were replaced. The campaign focused on military, government, and critical infrastructure networks, consistent with APT28's longstanding targeting of German institutions, including the 2015 hack of the Bundestag.
In Ukraine, the joint operation blocked more than 100 servers and removed hundreds of routers from GRU control, according to the SBU. Officials said the disruption significantly weakened Russian military intelligence's reconnaissance capabilities and prevented the attackers from rendering compromised devices unusable at the software level.
In the United States, Operation Masquerade, led by FBI Boston, reached routers across more than 23 states. The FBI, working with court authorisation, developed a series of remote commands to send to compromised devices. These commands collected evidence of GRU activity, reset DNS settings to remove the malicious resolvers, and blocked the attackers’ original means of re-entry. The operation was tested extensively alongside MIT Lincoln Laboratory to ensure it did not affect normal router functionality or access users’ private data.
The joint advisory was co-signed by intelligence and security agencies from 16 countries alongside the FBI and NSA: Canada, Czech Republic, Denmark, Estonia, Finland, Germany, Italy, Latvia, Lithuania, Norway, Poland, Portugal, Romania, Slovakia, Ukraine, and the United Kingdom.
The April 7 disclosures are the latest in a long series of attributions linking APT28 to infrastructure attacks across Europe. The NCSC has previously attributed to the group the 2015 cyberattacks against the German parliament, an attempted operation against the Organisation for the Prohibition of Chemical Weapons in 2018, and a campaign targeting Western logistics and technology companies supporting Ukraine’s defence supply chain.
The Register noted that in a similar campaign against Cisco routers, which the NCSC had tracked since 2021, APT28 deployed the Jaguar Tooth malware to establish backdoors for follow-on operations. Microsoft warned that beyond credential theft, the same compromised infrastructure could be repurposed for DDoS attacks and malware deployment.
The SBU and its partners are urging all router owners to take immediate action. The recommended steps are: check the device model and current firmware version, install all available security updates, and replace the router if the manufacturer no longer provides support. After updating, users should change the router's administrator password, disable remote management over the internet, and review the configuration, in particular the DNS servers the router uses, for anything unexpected.
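The step most likely to reveal this particular compromise is the last one: verifying what the router is actually doing with DNS. The script below is an added example, not code from the article, the SBU, or any of the agencies named, and it implements the check from the client side for the mechanism described earlier in the piece. It makes two checks: whether the resolvers a device received from the router are ones it should expect, and whether answers obtained through the router agree with answers from a trusted out-of-band resolver. The resolv.conf text, hostnames, and IP addresses (RFC 5737 test ranges) are constructed sample data; `lookup_via_router` and `lookup_via_trusted` stand in for real queries and would be replaced by calls to the router-assigned resolver and a DNS-over-HTTPS service in a deployment.

```python
"""Client-side check for router-level DNS hijacking (added example, not the
article's or any agency's code).

Check 1 looks at the resolver addresses the client was handed by DHCP.
Check 2 resolves canary hostnames through the router and through a trusted
out-of-band resolver and reports any disagreement.

Check 1 alone is not enough: in the campaign described, the client still
sees only the router (e.g. 192.168.1.1) as its resolver, because the
malicious upstream is configured inside the router. Check 2 is what
catches that case.
"""
import ipaddress

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
# Assumption: the organisation's approved public resolvers.
EXPECTED_PUBLIC = {"1.1.1.1", "8.8.8.8", "9.9.9.9"}


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolver(addr):
    """'lan' for an RFC 1918/ULA address (normally the router itself),
    'expected-public' for an approved resolver, else 'unexpected'."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in PRIVATE_NETS):
        return "lan"
    if addr in EXPECTED_PUBLIC:
        return "expected-public"
    return "unexpected"


def compare_answers(router_answers, trusted_answers):
    """Return hostnames whose A records differ between the two resolvers."""
    divergent = {}
    for host, trusted in trusted_answers.items():
        got = router_answers.get(host)
        if got is None or set(got) != set(trusted):
            divergent[host] = {"router": got, "trusted": trusted}
    return divergent


def assess(resolv_text, router_answers, trusted_answers):
    """Run both checks and return a list of human-readable findings."""
    findings = []
    for server in parse_resolv_conf(resolv_text):
        if classify_resolver(server) == "unexpected":
            findings.append(f"resolver {server} is neither on the LAN "
                            f"nor an approved public resolver")
    for host, d in compare_answers(router_answers, trusted_answers).items():
        findings.append(f"{host}: router resolver returned {d['router']}, "
                        f"trusted resolver returned {d['trusted']}")
    return findings


# Constructed sample data. The router hands out itself as resolver, so
# check 1 is clean; the OWA canary name resolves to a different host
# through the router than through the trusted resolver, which is the
# hijack signature.
SAMPLE_RESOLV = "nameserver 192.168.1.1\nsearch lan\n"
CANARIES = ["owa.example.com", "www.example.com"]


def lookup_via_router(host):
    # Placeholder for a real query to the router-assigned resolver.
    return {"owa.example.com": ["198.51.100.7"],
            "www.example.com": ["203.0.113.20"]}[host]


def lookup_via_trusted(host):
    # Placeholder for a real DNS-over-HTTPS query to a trusted resolver.
    return {"owa.example.com": ["203.0.113.10"],
            "www.example.com": ["203.0.113.20"]}[host]


def run_sample():
    router = {h: lookup_via_router(h) for h in CANARIES}
    trusted = {h: lookup_via_trusted(h) for h in CANARIES}
    return assess(SAMPLE_RESOLV, router, trusted)


if __name__ == "__main__":
    for finding in run_sample():
        print("WARNING:", finding)
```

Canary names should include the login portals the organisation actually uses, since those are what the attackers redirected; a divergence on a name with a stable address, or a resolver address outside the LAN and the approved list, is grounds to treat the router as compromised and follow the replacement and password-reset steps above.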
Internet service providers are asked to assist their customers in implementing these measures. Those who believe they may have been targeted can report suspicious activity to their national cybersecurity agency or file a complaint directly with the FBI at IC3.gov.