Operation Masquerade: Russian Military Hackers Were Hiding Inside American Home Routers

The Spy in Your Living Room

You locked your front door. You set your alarm. You did everything right. But somewhere in your house, a small blinking box quietly betrayed you, and the people on the other end were not ordinary criminals. They were Russian military intelligence.

That is not a hypothetical. It is exactly what happened to unsuspecting homeowners and small business owners across more than 23 states, and this week the U.S. Department of Justice and the FBI fought back.

On April 7, 2026, federal authorities announced the successful completion of Operation Masquerade, a court-authorized technical operation to neutralize a network of compromised home and small office routers that had been secretly hijacked by APT28, a hacking unit operating under Russia’s Main Intelligence Directorate, better known as the GRU. You may know APT28 by its other names: Fancy Bear, Forest Blizzard, Pawn Storm, or Sofacy Group. Whatever you call them, they are one of the most sophisticated and aggressive state-sponsored hacking organizations on the planet, and for at least the past two years they had been living inside American routers.

How They Did It

The operation the GRU ran was elegant in its deception. According to court documents unsealed in the Eastern District of Pennsylvania, GRU actors exploited known vulnerabilities to steal credentials for thousands of TP-Link routers worldwide. Once inside, they did not steal data directly or announce their presence in any way. Instead, they did something far more insidious: they quietly changed the router’s DNS settings.

DNS, the Domain Name System, is essentially the internet’s phone book. When you type “gmail.com” or “yourbank.com” into your browser, your computer asks a DNS resolver to translate that name into a numerical address so it can connect to the right place. On a home network that resolver is whichever server the router hands out, usually the router itself, which forwards the question upstream to your ISP or a public DNS service. Under normal circumstances that process happens in milliseconds and you never think about it. But whoever controls the resolver controls the answer.

The GRU replaced that honest process with a fraudulent one. By pointing compromised routers at their own DNS servers, they became the invisible middlemen between victims and the internet. They could then watch which websites victims visited, intercept traffic of interest, and serve up convincing fake versions of legitimate sites. Court documents specifically cited fake versions of Microsoft Outlook Web Access, the web portal millions of people use to check their work email remotely.

The result was an Actor-in-the-Middle attack (the technique is more commonly called adversary-in-the-middle, or AitM) of remarkable scale. A hijacked resolver cannot by itself read traffic to the real site when that traffic is protected by HTTPS; what it can do is decide where a name points, and that was enough. The GRU’s servers harvested unencrypted passwords, authentication tokens, emails, and other sensitive information, whether typed into a lookalike login page or sent over connections that were not encrypted, from every device that used the compromised router’s DNS, which on a home network means laptops, phones, tablets, smart TVs, all of it, without the victims ever knowing anything was wrong.

Who Was Targeted

The GRU was not randomly fishing. While their initial sweep of vulnerable routers was broad and indiscriminate, they ran an automated filtering process to identify which victims were worth monitoring closely. Their targets of interest included individuals in the military, government, and critical infrastructure sectors — people whose emails and passwords would be most valuable to Russian intelligence.

In other words: a soldier checking work email on their home router. A defense contractor logging into a government portal from their living room. A utility worker remotely accessing their company’s systems. All of them potentially compromised through a piece of consumer hardware they bought at Best Buy.

The FBI Strikes Back

Rather than simply warning the public, which the FBI noted was not enough given the scale of the threat, federal authorities obtained court authorization to conduct a direct technical operation. Working with private sector partners including Black Lotus Labs at Lumen and Microsoft Threat Intelligence, the FBI developed and deployed a series of commands to the compromised routers across the United States. Those commands collected evidence of GRU activity, stripped out the malicious DNS settings, and restored legitimate configurations, all without affecting normal router functionality or accessing users’ personal content.

The operation was tested extensively on actual TP-Link firmware and hardware before deployment. Affected router owners can reverse any changes at any time through a simple factory reset.

What You Need to Do Right Now

Operation Masquerade is over, but the vulnerabilities it exploited are not. The FBI is urging all home and small office router users to take four specific steps immediately.

Replace end-of-life routers. If your router is no longer receiving manufacturer support or firmware updates, it is a sitting target. Check TP-Link’s end-of-life product list at their official website and replace outdated hardware.

Update your firmware. Router manufacturers release firmware updates specifically to patch the kinds of vulnerabilities the GRU exploited. Log into your router’s admin page and check for updates, or enable automatic updates if your router supports them.

Check your DNS settings. Log into your router’s admin interface and look at which DNS servers are listed, usually under the WAN or Internet settings rather than the LAN settings (on the LAN side your devices normally see the router’s own address, something like 192.168.0.1 or 192.168.1.1, which is expected). The upstream DNS should be pointing to your ISP’s servers, or to well-known public DNS services like Google (8.8.8.8) or Cloudflare (1.1.1.1). If you see unfamiliar IP addresses you did not set, that is a red flag: write them down before you change anything, because that address is the most useful detail you can give investigators.

Limit remote management access. Unless you specifically need it, disable remote management on your router. Remote management exposes the router’s admin interface to the entire internet, which is exactly where attackers go looking for it. While you are in the admin interface, make sure it is no longer using the factory default password.
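One way to run the DNS check from step three on a laptop that sits behind the router, added here as an example and not taken from the FBI advisory or the column: the script reads the resolvers a machine was handed (a constructed resolv.conf-style sample stands in for the real file), classifies each as on-LAN, ISP, well-known public, or unknown, and then compares answers obtained through the router with answers from a trusted public resolver. The ISP allowlist, the sample addresses (drawn from the reserved documentation ranges) and the hostnames are placeholders you would replace with values for your own network.

```python
import ipaddress
import re

# Address ranges that belong on a home LAN (RFC 1918, loopback, link-local,
# and their IPv6 equivalents). A resolver here is almost always the router
# itself, which then forwards queries upstream.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]

# Well-known public resolvers (the two the column names, plus Quad9).
KNOWN_PUBLIC = {
    "8.8.8.8", "8.8.4.4",            # Google
    "1.1.1.1", "1.0.0.1",            # Cloudflare
    "9.9.9.9", "149.112.112.112",    # Quad9
}


def classify_resolver(ip, isp_allowlist=()):
    """Return 'lan', 'isp', 'public' or 'unknown' for one resolver address."""
    addr = ipaddress.ip_address(ip)
    key = str(addr)  # normalised text form for the set lookups below
    if any(addr in net for net in LAN_NETS):
        return "lan"
    if key in isp_allowlist:
        return "isp"
    if key in KNOWN_PUBLIC:
        return "public"
    return "unknown"


def parse_resolv_conf(text):
    """Pull the nameserver entries out of resolv.conf-style text."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.MULTILINE)


def audit_resolvers(nameservers, isp_allowlist=()):
    """Classify each resolver; 'unknown' entries are the red flag from step three."""
    return [(ns, classify_resolver(ns, isp_allowlist)) for ns in nameservers]


def suspicious(findings):
    """Just the resolvers that are neither local, ISP, nor well-known public."""
    return [ns for ns, kind in findings if kind == "unknown"]


def compare_answers(router_view, trusted_view):
    """Second check: resolve the same names through the router and through a
    trusted public resolver. A name whose two answer sets share no address is
    worth a closer look. CDN-backed names can legitimately differ by region,
    so treat a hit as a prompt to inspect the site's TLS certificate, not as
    proof of tampering."""
    flagged = []
    for name, trusted in trusted_view.items():
        via_router = router_view.get(name, set())
        if via_router and trusted and via_router.isdisjoint(trusted):
            flagged.append(name)
    return sorted(flagged)


# --- Constructed sample data (not from any real device or case) -------------

SAMPLE_RESOLV_CONF = """\
# constructed: what a laptop received from its home router over DHCP
nameserver 192.168.1.1
nameserver 203.0.113.7
"""

# Constructed answer sets; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges used here purely as placeholders.
ROUTER_VIEW = {
    "owa.example.com": {"203.0.113.40"},
    "www.example.com": {"198.51.100.10"},
}
TRUSTED_VIEW = {
    "owa.example.com": {"198.51.100.20"},
    "www.example.com": {"198.51.100.10"},
}

if __name__ == "__main__":
    findings = audit_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF))
    for ns, kind in findings:
        print(f"{ns:<20} {kind}")
    print("unfamiliar resolvers:", suspicious(findings))
    print("names with disjoint answers:", compare_answers(ROUTER_VIEW, TRUSTED_VIEW))
```

To use this against a real machine, feed `parse_resolv_conf` the contents of `/etc/resolv.conf` (or the DNS servers reported by `ipconfig /all` on Windows), put your ISP’s resolver addresses in `isp_allowlist`, and fill `ROUTER_VIEW` and `TRUSTED_VIEW` from queries made with your normal settings and with a public resolver set explicitly. An unfamiliar resolver is the direct signal; the disjoint-answer check catches a router that still lists a sane upstream but has been configured to answer selected names itself.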

If you believe your router has been compromised, contact your local FBI field office or file a report at IC3.gov.

A Warning That Could Not Be More Timely

Regular readers will recall last week’s column on the FCC’s ban on new foreign-made consumer routers, which cited the Volt, Flax, and Salt Typhoon attacks as evidence that home routers had become a front line of national security. Operation Masquerade confirms that concern is not theoretical. The router on your kitchen counter is not just a convenience. It is infrastructure, and nation-state adversaries know it better than most Americans do.

The Router in Your Home May Be a National Security Risk

The FBI put it plainly: defending our networks requires all of us. That starts with the small blinking box you probably have not thought about since you set it up years ago.

Stay safe out there, and I’ll see you next week!

Feeling lost in the digital world? Dr. Tom is here to help!
