The US Federal Bureau of Investigation (FBI) remotely patched thousands of privately owned home and small office routers without owners' prior knowledge, using court-authorised commands to evict Russian military intelligence which had been quietly harvesting passwords and authentication tokens from the same devices.
According to an announcement by the US Department of Justice (DoJ) and the FBI, North American law enforcement obtained court permission to send specific commands to already compromised routers as part of Operation Masquerade.
The commands were sent to routers in the US, and collected evidence of activity on them by Russia's military intelligence agency GRU.
GRU had exploited weaknesses and vulnerabilities in the routers to change the domain name system (DNS) resolvers used in the devices to malicious ones, which in turn redirected user traffic to sites that could capture their data such as log-in credentials.
Russian intelligence operatives used an authentication bypass bug to change the routers' settings for the industry-standard dynamic host configuration protocol (DHCP), inserting GRU's malicious DNS resolver information into home and small office routers.
The devices in question were made by the China-founded but US-headquartered TP-Link, and Latvia's Mikrotik.
The FBI used the same remote access method that GRU had used, removed the malicious Russian resolvers and replaced them with legitimate ones run by users' internet service providers.
Separately, the United Kingdom's National Cyber Security Centre (NCSC) said in its technical analysis that GRU had been configuring virtual private servers (VPS) to operate as malicious DNS resolvers.
NCSC also listed a range of TP-Link wireless routers and access points that were exploited by GRU.
Prior to the command transmission, government law enforcement extensively tested the operation on firmware and hardware for affected TP-Link routers, and confirmed it did not impact the routers' normal functionality or collect the legitimate users' content information.
It is possible to revert any changes the FBI made by factory resetting routers.
The FBI's remote-patching technique has been used before, with a similar approach deployed in 2021 to remove web shells from compromised Microsoft Exchange servers.
A Fancy Bear in your router
DoJ attributed the Russian intrusions to a threat actor tracked by cyber security agencies and companies as Fancy Bear, Forest Blizzard, Sofacy and Advanced Persistent Threat (APT) 28.
The GRU unit is said to have exploited vulnerabilities in TP-Link routers worldwide since at least 2024, the DoJ said, accessing the devices to alter DNS settings to redirect traffic to Russian controlled servers.
While the initial attacks were indiscriminate, GRU later developed automated filtering to identify DNS requests of interest for potential interception.
For certain targets, GRU's DNS resolvers served fraudulent DNS records that mimicked legitimate, well-known services such as Microsoft Outlook Web Access, for the purpose of attacks on users.
Security vendor Lumen's threat research division Black Lotus Labs, which with Microsoft's Threat Intelligence Group provided technical information on the attacks, named the campaign FrostArmada.
Lumen reported that the campaign started in a limited fashion in May last year, with more widespread hacking with DNS redirection from early August 2025.
By December 2025, over 18,000 routers connected to the internet had been hit.
Microsoft's Threat Intelligence team tracks Fancy Bear as Storm-2754, and identified more than 200 organisations and 5000 consumer devices as having been compromised.
Overall, the campaign reached around 120 countries, and Operation Masquerade was conducted by the FBI, the US National Security Agency (NSA) and international security agency partners.
The compromised routers were mostly end-of-life and unsupported devices, and unpatched ones, with the DoJ advising users to replace such routers.
Applying available firmware updates, verifying DNS resolver settings, changing the default, factory-set credentials in the device, and disabling remote management interfaces exposed to the internet are other protective measures recommended by security agencies.
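Verifying DNS resolver settings can be done from the client side by inspecting what the router actually hands out over DHCP (option 6), since that is the setting GRU altered. The following is an added example, not code from the article or from any of the agencies or vendors it names: a small parser for a raw DHCP ACK that flags any advertised resolver outside an allow-list of ISP resolver ranges. The packet and the TEST-NET address ranges are constructed sample data.

```python
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"      # magic cookie that follows the 236-byte BOOTP header
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_END = 0, 6, 53, 255


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} from a raw DHCP (BOOTP) payload."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):          # truncated option: stop rather than over-read
            break
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def dns_servers(packet: bytes) -> list:
    """List the IPv4 resolvers the server advertises in option 6 (DNS servers)."""
    raw = parse_dhcp_options(packet).get(OPT_DNS, b"")
    return [str(ipaddress.IPv4Address(raw[j:j + 4]))
            for j in range(0, len(raw) - len(raw) % 4, 4)]


def rogue_resolvers(packet: bytes, trusted_ranges: list) -> list:
    """Return advertised resolvers that fall outside the trusted (e.g. ISP) ranges."""
    nets = [ipaddress.ip_network(r) for r in trusted_ranges]
    return [s for s in dns_servers(packet)
            if not any(ipaddress.ip_address(s) in n for n in nets)]


def build_ack(dns: list) -> bytes:
    """Constructed DHCP ACK with the given resolvers, for offline testing only."""
    header = bytes([2, 1, 6, 0]) + b"\x12\x34\x56\x78" + bytes(228)   # op=BOOTREPLY, xid, rest zeroed
    opts = bytes([OPT_MSG_TYPE, 1, 5])                                 # message type 5 = DHCPACK
    opts += bytes([OPT_DNS, 4 * len(dns)]) + b"".join(ipaddress.IPv4Address(d).packed for d in dns)
    return header + DHCP_MAGIC + opts + bytes([OPT_END])


if __name__ == "__main__":
    ack = build_ack(["203.0.113.7", "198.51.100.9"])                   # second address is the hypothetical rogue
    print("rogue resolvers:", rogue_resolvers(ack, ["203.0.113.0/24"]))
```

On a live network the packet bytes would come from a capture of the router's DHCP reply; the same check applies to option 6 in a DHCPOFFER.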
The brand at the centre of the GRU compromises, TP-Link, dominates the residential router market in many countries, including the United States.
Last month, the US Federal Communications Commission announced that it would ban the import of all new foreign-made consumer routers over security concerns.
In response to the ban, TP-Link said it would vigorously defend its reputation, and reiterated that the Chinese government has no ownership in any shape, or control, of the company, its products and user data.