Operation Masquerade: How the FBI Dismantled APT28's Mass Router Espionage Network

April 10, 2026 18:55 · 5 min read
A Sweeping Espionage Campaign Hidden in Plain Sight

A recently concluded FBI-led cyber operation targeted one of the most insidious and far-reaching espionage campaigns attributed to Russian government hackers, according to Brett Leatherman, assistant director of the FBI's cyber division. Speaking with CyberScoop, Leatherman described how the effort — dubbed Operation Masquerade — dismantled infrastructure used by APT28, a hacking group also known as Forest Blizzard or Fancy Bear and formally attributed to Russia's Main Intelligence Directorate of the General Staff (GRU).

Researchers alongside U.S. and foreign government agencies this week released details showing that APT28 had compromised more than 18,000 TP-Link routers and successfully infiltrated more than 200 organizations worldwide. The routers targeted were primarily those deployed in small office and home office environments — everyday devices that most users trust without scrutiny.

Why Router-Based Attacks Are Especially Dangerous

What made this particular campaign so alarming, Leatherman explained, was the cascading effect that router-level compromise enables. When threat actors change the DNS settings on a router, every device that takes its network configuration from that router inherits the change: their name lookups, and therefore their traffic, are steered to attacker-chosen addresses without anything on the devices themselves being modified.

"What's unique to me in this one is that when you change the internet settings in a router like they did, it propagates to all the devices in your house. All those devices now, once they're connected to that Wi-Fi, are getting the malicious IP addresses that they are then routing their traffic through, and it gives the Russian GRU tremendous access to the content offered through a router itself."

Compounding the threat was the near-total invisibility of the campaign to its victims. Unlike conventional intrusions that rely on deploying malware onto endpoint devices, APT28 used the router's own built-in configuration to intercept and redirect internet traffic. Host-based endpoint detection never sees a change that happens upstream of the host, so the technique sidesteps most standard detection methods.

"The difficulty in an attack like this is that it's virtually invisible to the end users. Actors were not deploying malware like we often see. And so when you think about endpoint detection on your computer or something like that, it's not seeing that activity because they don't have to. They're using the tools on the router itself to capture your internet traffic and extend it throughout the house, and so traditional tools that detect that activity [are] just not there."

How Operation Masquerade Actually Worked

The FBI's tactical response involved sending commands directly to the compromised routers in order to reset their Domain Name System (DNS) settings. By reverting these settings, authorities cut off the redirected traffic the GRU-linked hackers had been collecting and closed the access the group had held to the affected networks.

Leatherman credited the FBI's Boston field office as central to the operation's success, alongside partnerships with the private sector and cooperating foreign governments. The operation was not carried out in isolation but was part of a broader, evolving strategy to counter state-sponsored cyber threats at the infrastructure level.

A Pattern of Escalating Disruptions Since 2018

Operation Masquerade represents the latest in a series of FBI-led disruptions targeting Russian government-affiliated hacking groups, with roots stretching back nearly a decade.

Leatherman described this progression as a deliberate maturation of FBI cyber capabilities in response to an adversary that has continuously adapted its methods.

"Over the course of those four operations, while the adversary continued to evolve in their tradecraft, so did we. We moved from just sinkholing domains to actually taking steps that block them at the door of these routers, pulled any capability off of those routers so they were no longer able to collect the sensitive information, and then prohibited them from getting back in."

Alignment With the Trump Administration's Cyber Strategy

The operation also aligns closely with the cyber strategy published by the Trump administration last month, which emphasizes offensive action against malicious hackers and the protection of critical infrastructure. Leatherman confirmed that the FBI understands its role within that broader strategic framework and worked with the Office of the National Cyber Director and other agencies during its development. However, the White House has largely kept both the public and Capitol Hill uninformed about how the strategy is being implemented in practice.

Leatherman emphasized that disruptive operations like Masquerade are deeply embedded in the bureau's institutional identity and long-term mission.

"We've got a long track record of leveraging unique authorities and capabilities to counter these actors, to impose costs, and through the 56 field offices to really defend critical infrastructure. That's part of our DNA, really. And so we want to make sure that we continue to align that in the most scalable and agile way we can, to align with the priorities of the strategy itself."

What This Means for Ordinary Users

The scope and methodology of the APT28 campaign serve as a stark reminder that home and small office routers represent a largely underappreciated attack surface. Because such devices rarely run traditional endpoint security software, and because most users never inspect their DNS configuration, state-sponsored actors can exploit them for prolonged periods without detection.

Security professionals recommend periodically checking router DNS settings, keeping firmware updated, and replacing end-of-life devices that no longer receive security patches. A useful caveat when checking: a client machine will often list the router itself (for example 192.168.1.1) as its resolver, so a hijack of the router's upstream DNS servers is not visible from the client's own settings alone; the DNS servers configured on the router's WAN side, and those it hands out via DHCP, both need to be inspected, and the router's administrative interface should not be reachable from the internet. Operation Masquerade demonstrates that even when government agencies intervene at scale, the underlying weakness, poorly monitored consumer networking hardware, remains a persistent challenge.
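The two checks described above, as an added example that is not part of the CyberScoop article and is not FBI or APT28 tooling: first, audit the resolvers a host has been handed against the site's own LAN range and a short allowlist of known public resolvers; second, compare the answers the LAN resolver gives with answers from a trusted resolver, and flag the interception signature in which many unrelated domains all resolve to the same address. The resolv.conf text, the LAN range 192.168.1.0/24, and all answer sets are constructed sample data drawn from RFC 1918 and RFC 5737 documentation ranges, not observed infrastructure.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: what a host on a small-office LAN might have in /etc/resolv.conf.
# 192.168.1.1 is the router; 203.0.113.7 is a documentation-range address standing in
# for an unexpected off-site resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search office.lan
nameserver 192.168.1.1
nameserver 203.0.113.7
options timeout:2
"""

# Assumption: the site's LAN is 192.168.1.0/24. Adjust for the network being audited.
LAN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]
# Allowlist of public resolvers an operator would recognise; extend as policy dictates.
KNOWN_PUBLIC_RESOLVERS = {ipaddress.ip_address(a) for a in
                          ("1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9")}


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text, in order."""
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue                                # malformed entry: skip, don't crash
    return servers


def classify_resolver(addr, lan_networks=LAN_NETWORKS, known_public=KNOWN_PUBLIC_RESOLVERS):
    """'lan' for the router or another on-site host, 'known-public' for the allowlist,
    otherwise 'unexpected' (an off-site resolver nobody configured on purpose)."""
    if any(addr in net for net in lan_networks):
        return "lan"
    if addr in known_public:
        return "known-public"
    return "unexpected"


def audit_resolvers(resolv_conf_text, lan_networks=LAN_NETWORKS,
                    known_public=KNOWN_PUBLIC_RESOLVERS):
    return [(str(a), classify_resolver(a, lan_networks, known_public))
            for a in parse_nameservers(resolv_conf_text)]


# Second check. The resolver audit alone misses the case where the router still hands
# out itself as resolver but forwards every query to an attacker-controlled server, so
# compare what the LAN resolver answered against a trusted resolver's answers.
def mismatched_names(observed, trusted):
    """Names whose observed A-record set differs from the trusted set, sorted."""
    return sorted(name for name, ips in trusted.items() if observed.get(name) != ips)


def shared_answer_ips(observed, min_domains=3):
    """Addresses that several unrelated names resolve to: the signature of traffic
    being funnelled through one interception host."""
    by_ip = defaultdict(set)
    for name, ips in observed.items():
        for ip in ips:
            by_ip[ip].add(name)
    return {ip: names for ip, names in by_ip.items() if len(names) >= min_domains}


# Constructed answer sets: a trusted resolver's answers vs. what the LAN resolver gave.
TRUSTED_ANSWERS = {
    "mail.example.com": {"198.51.100.10"},
    "login.example.net": {"198.51.100.20"},
    "cdn.example.org": {"198.51.100.30", "198.51.100.31"},
}
OBSERVED_ANSWERS = {
    "mail.example.com": {"203.0.113.7"},
    "login.example.net": {"203.0.113.7"},
    "cdn.example.org": {"203.0.113.7"},
}

if __name__ == "__main__":
    for addr, verdict in audit_resolvers(SAMPLE_RESOLV_CONF):
        print(f"resolver {addr}: {verdict}")
    print("names with divergent answers:", mismatched_names(OBSERVED_ANSWERS, TRUSTED_ANSWERS))
    print("addresses shared across many names:", shared_answer_ips(OBSERVED_ANSWERS))
```

On a real host the answer sets would be gathered by querying the LAN resolver and a trusted resolver for the same names (for example with dig @server); CDNs legitimately return different addresses from different vantage points, so a single mismatch is only a lead, while many unrelated names collapsing onto one address is the stronger indicator.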


Source: CyberScoop