Russian state-sponsored hackers compromised more than 18,000 routers across over 120 countries to burrow into sensitive networks for a large-scale espionage campaign, officials and researchers said — an operation that has now been disrupted. The group, Forest Blizzard (also known as APT28 and Fancy Bear and attributed to Russia's GRU military unit 26165), exploited known flaws to steal credentials for thousands of TP-Link routers worldwide.
According to the Justice Department, the attackers hijacked DNS settings and harvested additional credentials and tokens from redirected traffic. Microsoft Threat Intelligence said the network reached into more than 200 organizations and at least 5,000 consumer devices. The takedown, dubbed Operation Masquerade, was led by the FBI with federal prosecutors, the National Security Division's National Security Cyber section, Lumen's Black Lotus Labs, and Microsoft, using commands that reset DNS settings to cut off the attackers' access.
The campaign leaned on adversary-in-the-middle attacks against domains impersonating legitimate services, including Microsoft Outlook Web Access, to capture passwords, OAuth tokens, and account credentials; Microsoft said its own assets were not compromised. The actors opportunistically targeted edge devices from TP-Link and MikroTik before homing in on victims of intelligence value across government, IT, telecom, and energy. Lumen tied additional victims to Afghanistan's government and to foreign-affairs and law-enforcement bodies in North Africa, Central America, and Southeast Asia, plus one European country's national identity platform; it found no evidence US government agencies were breached.
Researchers believe the data theft has stopped. "The campaign has ceased," Black Lotus Labs engineer Danny Adamitis told CyberScoop, citing a steady decline in related traffic. Lumen traced the surge in router exploitation to August, a day after the UK's National Cyber Security Centre published analysis of a credential-stealing tool; the NCSC has since released indicators of compromise. The FBI said it remediated compromised routers across more than 23 US states under court authorization.