Paul Davis: The Russians are coming to a computer near you

Earlier this month, the National Security Agency (NSA) and other federal agencies co-sealed an FBI public service announcement, “Russian GRU Exploiting Vulnerable Routers to Steal Sensitive Information.”

The public service announcement accompanied an announcement by U.S. Attorney David Metcalf in Philadelphia, the Department of Justice, and the FBI of a court-authorized technical operation to neutralize the U.S. portion of a network of small office/home office (SOHO) routers compromised by a unit within Russia’s Main Intelligence Directorate of the General Staff (GRU: Glavnoye Razvedyvatelnoye Upravleniye), Military Unit 26165, also known as APT28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit.

Having spent more than 37 years doing security work as a young sailor in the U.S. Navy and later as a Defense Department civilian, I’m well aware of the Russian GRU, which is essentially the same gang as the old Soviet GRU.

The GRU is the Russian military intelligence agency that operates worldwide alongside the Russian foreign intelligence agency, the SVR, which is the old First Main Directorate of the KGB.

During my time in the Defense Department, I was trained to guard against the KGB (later the SVR) and the GRU. I often traveled to Washington D.C. to receive briefings from the FBI, CIA, DIA and NSA on the threat from the SVR/KGB and the GRU. 

The GRU, the military group that includes the Spetsnaz special operations forces and the “active measures” unit that murdered a Russian defector with radiation-poisoned tea, also employs full-time hackers.

According to Metcalf, the hacker unit used the routers to facilitate malicious Domain Name System (DNS) hijacking operations against worldwide targets of intelligence interest to the Russian government, including individuals in the military, government, and critical infrastructure sectors.

“Since at least 2024, GRU actors have exploited known vulnerabilities to steal credentials for thousands of TP-Link routers worldwide. The actors then accessed many of these compromised routers without authorization and manipulated their settings to redirect DNS requests to GRU-controlled servers – i.e., malicious DNS resolvers. GRU actors were indiscriminate in their initial targeting and manipulation of routers. The actors then implemented an automated filtering process to determine which DNS requests were of interest and warranted interception. For select targets, the GRU’s DNS resolvers provided fraudulent DNS records for specific domains that mimicked legitimate services — including Microsoft Outlook Web Access — to facilitate Actor-in-the-Middle attacks against encrypted victim network traffic. In doing so, the GRU actors harvested unencrypted passwords, authentication tokens, emails, and other sensitive information from devices on the same network as the compromised TP-Link routers,” the announcement stated.

“Russian military intelligence once again hijacked Americans’ hardware to commandeer critical data,” said Metcalf. “In the face of continued aggression by our nation-state adversaries, the U.S. government will respond just as aggressively. Working with the FBI — and our partners around the world — we are committed to disrupting and exposing such threats to our nation’s cybersecurity.”

“The GRU’s predatory use of networks in American homes and businesses for its malicious cyber operations remains a serious and persistent threat,” added Assistant Attorney General for National Security John A. Eisenberg. “NSD will continue to use every tool at our disposal to detect such intrusions and expel hostile foreign actors from our Nation’s networks.”

“Operation Masquerade — led by FBI Boston — is the latest example of how we’re defending our homeland from Russia’s GRU, which weaponized routers owned by unsuspecting Americans in more than 23 states to steal sensitive government, military, and critical infrastructure information,” said Special Agent in Charge Ted E. Docks of the FBI’s Boston Field Office. 

“The FBI utilized cutting edge technology and leveraged our private sector and international partners to unmask this malicious activity and remediate routers. Now we’re asking everyone who has a router to secure it, update its firmware, and replace it if needed. By working together, we can guard against nefarious nation state actors trying to compromise our national security.”

“Operation Masquerade demonstrates the FBI’s commitment to identifying, exposing, and disrupting the Russian government’s efforts to compromise American devices, steal sensitive information, and target critical infrastructure,” said Assistant Director Brett Leatherman of FBI’s Cyber Division. “GRU actors compromised routers in the US and around the world, hijacking them to conduct espionage. Given the scale of this threat, sounding the alarm wasn’t enough. The FBI conducted a court-authorized operation to harden compromised routers across the United States. We urge all router owners to take the remediation steps outlined today, because defending our networks requires all of us. The FBI will continue to use its authorities to identify and impose costs on state-sponsored actors who target the American people.”

According to court documents unsealed in Philadelphia, the FBI developed a series of commands to send to compromised routers in the United States, designed to collect evidence regarding the GRU actors’ activity, reset DNS settings (i.e., remove GRU DNS resolvers and force routers to obtain legitimate DNS resolvers from their Internet Service Providers (ISPs)), and to otherwise prevent the GRU actors from exploiting the original means of unauthorized access.

As described in court documents, the government extensively tested the operation on firmware and hardware for affected TP-Link routers. Other than stymieing the GRU’s ability to access the routers, the operation did not impact the routers’ normal functionality or collect the legitimate users’ content information.

The court-authorized steps to remediate compromised routers can be reversed by legitimate users at any time through factory resets with hardware reset buttons. Legitimate users can also reverse changes by logging into web management pages and restoring desired settings (e.g., factory default settings).
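As an added illustration for this column (not code from the column, the FBI, or TP-Link), the following Python script shows the two checks a network defender would run to spot the kind of hijack the announcement describes: whether a router’s upstream DNS settings still point at the ISP’s resolvers rather than at someone else’s, and whether answers for sensitive names obtained through the router match answers obtained over an independent path. The ISP resolver range, domain names, addresses and DNS answers are all constructed placeholders from the RFC 5737 documentation ranges, not real indicators from the operation.

```python
"""DNS-hijack audit for a SOHO router's upstream resolver settings.

Added illustration, not code from the column or from the FBI/DOJ operation.
Every address, domain and DNS answer below is constructed sample data
(RFC 5737 documentation ranges), not a real indicator.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: address blocks the ISP publishes for its own resolvers.
# Assumption: a real audit loads these from the ISP's documentation.
ISP_RESOLVER_BLOCKS = [ipaddress.ip_network("203.0.113.0/24")]

# Names whose answers are cross-checked with high priority, since the
# announcement describes fraudulent records served only for selected
# services such as webmail. Constructed placeholder names.
SENSITIVE_DOMAINS = {"mail.example.com", "owa.example.com"}


@dataclass(frozen=True)
class Finding:
    severity: str
    message: str


def check_upstream_resolvers(resolvers, allowed_blocks):
    """Flag upstream DNS servers in the router's WAN settings that are
    neither 'obtain from ISP' (None) nor inside the ISP's resolver blocks.
    The hijack described replaces these entries with attacker-controlled
    resolvers, so anything outside the expected ranges deserves a look."""
    findings = []
    for r in resolvers:
        if r is None:  # router takes resolvers from the ISP via DHCP/PPPoE
            continue
        ip = ipaddress.ip_address(r)
        if not any(ip in block for block in allowed_blocks):
            findings.append(Finding(
                "high", f"upstream resolver {r} is outside the ISP's resolver ranges"))
    return findings


def compare_answers(domain, via_router, via_reference):
    """Return a Finding when the A records obtained through the router differ
    from those obtained over an independent reference path (for example the
    ISP resolver queried directly, or a DoH resolver). None when they match."""
    if set(via_router) == set(via_reference):
        return None
    severity = "high" if domain in SENSITIVE_DOMAINS else "info"
    return Finding(severity,
                   f"{domain}: router path answered {sorted(via_router)}, "
                   f"reference answered {sorted(via_reference)}")


def audit_router(router_config, observations):
    """router_config: {'dns_servers': [...]} as read from the router's admin page.
    observations: {domain: (answers_via_router, answers_via_reference)}."""
    findings = check_upstream_resolvers(router_config["dns_servers"], ISP_RESOLVER_BLOCKS)
    for domain, (via_router, via_reference) in observations.items():
        finding = compare_answers(domain, via_router, via_reference)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample input: one unexpected upstream resolver, one selectively
# forged answer for the webmail name, and one name that resolves consistently.
SAMPLE_ROUTER = {"dns_servers": ["198.51.100.7", None]}
SAMPLE_OBSERVATIONS = {
    "mail.example.com": ({"198.51.100.20"}, {"192.0.2.10"}),
    "www.example.com": ({"192.0.2.30"}, {"192.0.2.30"}),
}

if __name__ == "__main__":
    for f in audit_router(SAMPLE_ROUTER, SAMPLE_OBSERVATIONS):
        print(f"[{f.severity}] {f.message}")
```

Two caveats shape the design. First, the announcement says the forged records were served selectively, so a hijacked resolver answers most queries correctly; the check therefore cross-checks the specific names an attacker would care about rather than sampling random domains. Second, names fronted by a CDN legitimately return different addresses depending on which resolver asks, so a mismatch on an ordinary domain is reported at "info" severity and needs corroboration (for example, a certificate that is actually issued to that name) before it counts as evidence of tampering.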

The FBI is working with ISPs to provide notice of the operation to users of SOHO routers covered by the court’s authorization. If you believe you have a compromised router, please contact your local FBI field office or file a report with the FBI’s Internet Crime Complaint Center.

Paul Davis’s Crime Beat column appears here each week. He is also a contributor to Broad + Liberty and Counterterrorism magazine. He can be reached via pauldavisoncrime.com.  
