The Justice Department on Tuesday announced that it had stopped Russia’s military intelligence agency from using hacked U.S. routers to maliciously redirect internet traffic and steal data from victims that include governments and critical infrastructure operators.
Operatives of the Russian GRU have spent several years breaking into TP-Link small office and home office (SOHO) routers around the world and reconfiguring them to send DNS requests through Kremlin-controlled servers, which allowed Moscow to collect internet traffic and even passwords, emails and other sensitive information from victim networks. In response, the FBI launched “Operation Masquerade,” sending commands to hacked routers that collected forensic data and reset their DNS settings to erase Russia’s foothold in the devices.
DOJ announced the operation hours after Microsoft revealed Russia’s abuse of SOHO routers. “For nation-state actors like Forest Blizzard,” Microsoft said, “DNS hijacking enables persistent, passive visibility and reconnaissance at scale.”
Microsoft said it had evidence that the GRU hacking group — which researchers have dubbed APT28, Fancy Bear and Forest Blizzard — had been breaking into SOHO routers since at least August 2025. Federal prosecutors said the campaign had been ongoing since at least 2024.
In some cases, Microsoft and the government said, Russia used its access to victim networks to conduct adversary-in-the-middle (AiTM) attacks on secure connections to the Outlook email platform. “An automated filtering process” helped Russia select potentially high-value DNS requests to intercept, federal prosecutors said.
Hijacking DNS traffic to spoof Outlook and other widely used online services “enables the interception of cloud-hosted content,” Microsoft said, “impacting numerous sectors including government, information technology (IT), telecommunications, and energy — all usual targets for this actor.” The company said it had observed the hackers stealing data from “at least three government organizations in Africa.”
Russia’s broad access to compromised routers could help it dramatically scale up its adversary-in-the-middle attacks, Microsoft researchers warned. “Targeting SOHO devices is not a new tactic, technique, or procedure (TTP) for Russian military intelligence actors, but this is the first time Microsoft has observed Forest Blizzard using DNS hijacking at scale to support AiTM of TLS connections after exploiting edge devices.”
The hackers could also use their access to routers for purposes other than information collection, Microsoft said, including delivering malware or conducting denial-of-service attacks. The company said it had not seen that activity so far.
Urgent recommendations to router owners
Businesses can avoid falling victim to similar attacks by upgrading their routers’ firmware, verifying their DNS settings, firewalling remote-management devices and replacing end-of-life equipment.
“Block known or malicious domains to prevent DNS-based attacks, and maintain detailed DNS logs to monitor, investigate, and gain insight into anomalous DNS traffic,” Microsoft said.
The UK’s National Cyber Security Centre also published an advisory about the hacking campaign with recommendations. “If you cannot move off out-of-date platforms and applications straight away,” the agency said, “there are short term steps you can take to improve your position.”
Router owners should take the threat of DNS hijacking extremely seriously, said Nick Biasini, the head of outreach for Cisco’s Talos threat intelligence team.
“This access can allow them to inject or manipulate traffic in a variety of ways,” Biasini told Cybersecurity Dive. “There are obviously limitations with encrypted traffic and certificate pinning, but the attack surface increases significantly if the actor can hijack the user’s DNS traffic.”
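Two of the recommendations above, verifying a router’s DNS settings and keeping DNS logs that can be checked for anomalies, translate into a simple allowlist audit. The script below is an added example written for this article; it is not code from the FBI, Microsoft, TP-Link, Cisco or any other party named here. It assumes an operator-maintained allowlist of the resolvers the router is supposed to use (`EXPECTED_RESOLVERS`, placeholder addresses) and dnsmasq-style log lines of the form `forwarded <name> to <server>`; the resolv.conf content and log lines are constructed, with 203.0.113.5 standing in for a resolver that should not be there.

```python
"""Check a router's DNS settings and DNS logs against an allowlist of resolvers.

Added example written for this article, not code from any agency or vendor it
names. Assumptions: an allowlist of legitimate upstream resolvers, and
dnsmasq-style "forwarded <name> to <server>" log lines. All addresses and log
lines are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Assumed allowlist of legitimate upstream resolvers (placeholder addresses).
EXPECTED_RESOLVERS = frozenset({"192.0.2.53", "192.0.2.54"})

# Constructed resolv.conf-style content as a router might expose it. The second
# nameserver is outside the allowlist: the symptom of a changed DNS setting.
SAMPLE_RESOLV_CONF = """\
# generated by router
nameserver 192.0.2.53
nameserver 203.0.113.5
search home.arpa
"""

# Constructed dnsmasq-style log lines; 203.0.113.5 stands in for an unexpected resolver.
SAMPLE_LOG = """\
Apr 14 10:01:02 router dnsmasq[1234]: query[A] outlook.office365.com from 192.168.1.10
Apr 14 10:01:02 router dnsmasq[1234]: forwarded outlook.office365.com to 192.0.2.53
Apr 14 10:01:09 router dnsmasq[1234]: query[A] login.microsoftonline.com from 192.168.1.11
Apr 14 10:01:09 router dnsmasq[1234]: forwarded login.microsoftonline.com to 203.0.113.5
Apr 14 10:02:30 router dnsmasq[1234]: query[A] example.org from 192.168.1.12
Apr 14 10:02:30 router dnsmasq[1234]: forwarded example.org to 203.0.113.5#53
"""

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)
FORWARD_RE = re.compile(r"forwarded\s+(\S+)\s+to\s+(\S+)")


def _normalise(addr: str) -> str | None:
    """Strip an optional '#port' suffix and validate the address; None if malformed."""
    host = addr.split("#", 1)[0]
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None


def configured_resolvers(resolv_conf: str) -> list[str]:
    """Nameserver entries in order, skipping entries that are not valid IP addresses."""
    return [a for a in map(_normalise, NAMESERVER_RE.findall(resolv_conf)) if a]


def unexpected_resolvers(resolv_conf: str, expected=EXPECTED_RESOLVERS) -> list[str]:
    """Configured resolvers that are not on the allowlist (should be empty)."""
    return [r for r in configured_resolvers(resolv_conf) if r not in expected]


@dataclass(frozen=True)
class Forward:
    name: str       # queried domain
    resolver: str   # upstream server the query was forwarded to


def suspicious_forwards(log_text: str, expected=EXPECTED_RESOLVERS) -> list[Forward]:
    """Log entries where a query was forwarded to a resolver outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = FORWARD_RE.search(line)
        if not m:
            continue
        resolver = _normalise(m.group(2))
        if resolver is not None and resolver not in expected:
            hits.append(Forward(name=m.group(1), resolver=resolver))
    return hits


def resolver_summary(forwards: list[Forward]) -> dict[str, int]:
    """Count suspicious forwards per unexpected resolver, for triage."""
    return dict(Counter(f.resolver for f in forwards))


if __name__ == "__main__":
    bad = unexpected_resolvers(SAMPLE_RESOLV_CONF)
    print("unexpected configured resolvers:", bad or "none")
    hits = suspicious_forwards(SAMPLE_LOG)
    for f in hits:
        print(f"forwarded {f.name} to unexpected resolver {f.resolver}")
    print("per-resolver counts:", resolver_summary(hits))
```

Run against a real router, the two inputs would be the device’s current DNS configuration (read from its admin interface or a shell on the device) and its exported DNS log; any non-empty result from either check is a reason to compare the settings against the configuration you last saved, update the firmware, and, if the device is end of life, replace it, as the recommendations above describe.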
Ramping up cyber deterrence efforts
Operation Masquerade is the latest in a yearslong series of FBI operations to kick foreign government hackers off of U.S. routers. The FBI has described those operations as part of its increasingly aggressive strategy of combating malicious cyber activity.
“Given the scale of this threat, sounding the alarm wasn’t enough,” Brett Leatherman, the head of the FBI’s Cyber Division, said in a statement about the government’s operation. “The FBI will continue to use its authorities to identify and impose costs on state-sponsored actors who target the American people.”
DOJ’s disruption of the Russian router network “will have a significant impact” on the Kremlin’s ability to sustain its hacking campaign, according to Danny Adamitis, a security engineer at Black Lotus Labs, which helped the government with the operation.
At the same time, he said, “the DNS ecosystem is an opportunity space that always has the potential for abuse,” and given Russia’s historic interest in router hijacking attacks, “I expect that they will reconstitute another botnet in the future.”
Editor’s note: This story has been updated with comments from experts.