Russia’s APT28 Hijacked 18,000 Routers in 120 Countries to Steal Outlook Passwords — FBI Issues 5-Step Fix

GigaNectar Team

Operation Masquerade · APT28 · GRU Unit 26165 · April 2026
Your Wi-Fi Router May Have Been Watching You for Russia

The U.S. Department of Justice and the FBI confirmed on April 7, 2026, that Russia’s military intelligence unit — GRU’s APT28, also known as Fancy Bear and Forest Blizzard — quietly compromised thousands of home and small-office routers across more than 23 U.S. states. The operation, named Operation Masquerade, involved redirecting every website request that passed through those devices to GRU-controlled servers, where credentials for services like Microsoft Outlook were intercepted before the traffic reached its real destination. This piece covers how the attack worked, which routers were targeted, and the five steps the FBI says every router owner should take.

Key figures:
18,000+ routers compromised globally at the December 2025 peak
120+ countries with compromised devices at peak
200+ organisations impacted in the US (Microsoft Threat Intelligence)
23+ US states where consumer devices were weaponised
How the attack chain worked, in five stages:
Stage 1: Scan & Exploit
Stage 2: Steal Credentials
Stage 3: Rewrite DNS
Stage 4: Filter Targets
Stage 5: Intercept Traffic

In the first stage, APT28 actors scanned the internet for TP-Link routers running outdated firmware, specifically targeting CVE-2023-50224 — an unauthenticated flaw that lets an attacker extract stored credentials with a single crafted HTTP GET request.
CVE-2023-50224 — The Single Flaw Behind the Campaign

CVE ID: CVE-2023-50224
CVSS Score: 6.5 (Medium)
Affected Device: TP-Link WR841N and related legacy models
Attack Type: Unauthenticated credential extraction via HTTP GET
Second Stage: DHCP DNS setting overwrite, routing client traffic to GRU servers
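A client-side check for the second stage described above, added here as an example and not taken from the advisory or the article: it parses a dhclient-style lease (a constructed sample) and flags any DHCP-advertised DNS server that is neither on the LAN nor on the owner's own list of deliberately chosen resolvers, which is what a hijacked router's DHCP would hand out. The 203.0.113.45 address and the trusted 9.9.9.9 entry are assumptions made for the demonstration.

```python
import ipaddress
import re

# Constructed dhclient-style lease; every address is made up for this example.
# 203.0.113.45 (a documentation range) stands in for a resolver the owner never set.
SAMPLE_LEASE = """\
lease {
  interface "eth0";
  fixed-address 192.168.0.23;
  option subnet-mask 255.255.255.0;
  option routers 192.168.0.1;
  option domain-name-servers 192.168.0.1, 203.0.113.45;
}
"""

def parse_dhcp_lease(lease_text):
    """Pull the LAN network and the DNS servers out of one dhclient lease block."""
    def opt(name):
        m = re.search(r"option %s ([^;]+);" % re.escape(name), lease_text)
        return m.group(1).strip() if m else None
    gateway, mask = opt("routers"), opt("subnet-mask")
    lan = ipaddress.ip_network("%s/%s" % (gateway, mask), strict=False)
    servers = [s.strip() for s in (opt("domain-name-servers") or "").split(",") if s.strip()]
    return lan, servers

def flag_unexpected_resolvers(lan, servers, trusted):
    """Return DHCP-advertised resolvers that are neither on the LAN (normally the
    router itself) nor on the owner's list of resolvers they configured on purpose."""
    trusted_ips = {ipaddress.ip_address(t) for t in trusted}
    return [s for s in servers
            if ipaddress.ip_address(s) not in lan
            and ipaddress.ip_address(s) not in trusted_ips]

def audit_lease(lease_text, trusted=()):
    """Convenience wrapper: parse a lease and return the resolvers worth investigating."""
    lan, servers = parse_dhcp_lease(lease_text)
    return flag_unexpected_resolvers(lan, servers, trusted)

if __name__ == "__main__":
    # Assumption: this household only ever configured 9.9.9.9 as an upstream resolver.
    unexpected = audit_lease(SAMPLE_LEASE, trusted=["9.9.9.9"])
    if unexpected:
        print("DHCP hands out unexpected resolver(s):", ", ".join(unexpected))
    else:
        print("All advertised resolvers are local or trusted.")
```

On a real machine, feed the function the current lease file (for example /var/lib/dhcp/dhclient.leases on Debian-based systems) instead of the constructed sample.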
23 TP-Link Models Named by the UK's NCSC

The UK National Cyber Security Centre identified the following TP-Link models. All have reached End-of-Life status. The campaign's focus on harvesting Microsoft 365 credentials is part of a broader trend in AI-era corporate credential attacks, context covered in Giganectar's piece on enterprise AI platform security spending.

TL-WR841N: primary exploit target (CVE-2023-50224)
MR6400: LTE Wireless N Router
Archer C5: Dual Band Gigabit
Archer C7: Dual Band Gigabit
WDR3600: Dual Band Gigabit
WDR4300: Dual Band Gigabit
WDR3500: Dual Band Router
WR740N: Wireless Lite N
WR741ND: Wireless Lite N
WR749N: Wireless Lite N
MR3420: N 3G/4G Router
WA801ND: Wireless N Access Point
WA901ND: Wireless N Access Point
WR1043ND: N Gigabit Router
WR1045ND: N Gigabit Router
WR840N: Wireless N Router
WR841HP: Wireless N Router
WR841ND: Wireless N Router
WR842N: Wireless N Router
WR842ND: Wireless N Router
WR845N: Wireless N Router
WR941ND: Wireless N Router
WR945N: Wireless N Router

TP-Link confirmed these models are outside its standard maintenance lifecycle. Security patches for select legacy models are listed on the TP-Link security advisory page. The company recommends upgrading to a supported device where possible.

The 5-Step Fix

The FBI's IC3 advisory (PSA260407) and the NSA recommend the following steps for all SOHO router owners.

1. Upgrade Your Router
If your model appears in the NCSC list above, replace it now. End-of-life devices receive no firmware updates — every day you keep one running is a day it can be re-exploited. TP-Link's security advisory lists patches for select legacy models where technically possible.

2. Update Firmware Regularly
Log into your router's admin panel or app and enable automatic firmware updates if available. If not, check manually — firmware patches close the exact vulnerabilities state actors look for.

3. Reboot Weekly
The NSA's guidance recommends rebooting your router, smartphone, and computers at least once a week. Regular reboots help remove implants and clear malicious DNS resolvers that may have been injected.

4. Change Default Credentials
Default router usernames and passwords are public knowledge — they are the first thing automated scanners try. Change both your router admin login and your Wi-Fi password. Use a long, random combination. Update your Wi-Fi password at least every six months.

5. Disable Remote Management & Use a VPN
Most home users do not need remote management — disabling it removes one of the primary ways attackers alter router settings without physical access. For organisations with remote workers, the FBI specifically recommends a VPN for accessing sensitive data, as it encrypts traffic even if DNS is compromised.
How Operation Masquerade Unfolded
2024 (at least)
APT28 actors begin exploiting known vulnerabilities in SOHO routers worldwide to steal credentials, according to the FBI’s IC3 advisory. TP-Link models are specifically targeted via CVE-2023-50224.
August 2025
The DNS hijacking campaign — rerouting traffic through GRU-controlled servers — begins in earnest, with Microsoft Threat Intelligence tracking the operation from this point. Over 200 organisations and 5,000 consumer devices in more than 23 US states are later identified as impacted.
December 2025
The operation reaches its peak: more than 18,000 routers across at least 120 countries are actively feeding DNS query data to GRU-controlled virtual private servers.
March 23, 2026
The US Federal Communications Commission bans imports of all new foreign-manufactured consumer routers, citing documented attacks by Russian and Chinese state actors as evidence of a severe cybersecurity risk to US critical infrastructure. TP-Link, which held approximately 65 percent of the American home router market, faces the greatest impact from this rule.
April 7, 2026
The DOJ and FBI announce Operation Masquerade — a court-authorised technical operation to neutralise the US portion of the network. The UK’s NCSC, NSA, and 15 partner nations release coordinated advisories. The FBI remotely resets DNS settings on compromised US routers, removing GRU resolvers and blocking the group’s original means of re-entry.

The agencies involved (the DOJ, FBI, UK NCSC, NSA, and 15 partner nations) and the five steps recommended for router owners are covered above. The FBI's IC3 advisory and TP-Link's security advisory page remain the primary references for checking whether your device is affected and for remediation guidance. Operation Masquerade was also discussed in the context of the broader US-China tech decoupling debate, as the FCC's router import ban was issued weeks before the advisory. Related coverage on state-level cyber threats to networks is available in Giganectar's reporting on AI infrastructure security and device-level security requirements. The social conversation around Operation Masquerade has continued across platforms since the April 7 announcement. Additional background on network security at the carrier level was covered in Giganectar's piece on T-Mobile's 5G network architecture.
