In April 2026, the FBI and Department of Justice announced they had quietly accessed thousands of compromised home and small office routers across the United States, not to cause harm but to undo damage already done by Russian military hackers. The operation was called Operation Masquerade. The group behind the original attack was APT28, also known as Fancy Bear and Forest Blizzard, and attributed to Russia's GRU military intelligence agency.
Your TP-Link or MikroTik router sitting next to your modem right now may have been one of their tools. And you would not have known.
Who Is APT28 and Why Are They Targeting Home Routers?
APT28 is not a group of bored teenagers scanning networks for fun. It is a state-sponsored cyber espionage unit, Russia's GRU Military Unit 26165, with decades of documented attacks against governments, defence contractors and critical infrastructure worldwide.

Their latest campaign, codenamed FrostArmada by Lumen's Black Lotus Labs, began quietly in May 2025. By August 2025 it had scaled dramatically. At its peak in December 2025, over 18,000 unique IP addresses from at least 120 countries were communicating with APT28's infrastructure. Microsoft Threat Intelligence confirmed more than 200 organisations and 5,000 consumer devices compromised.
The targets were primarily government agencies — ministries of foreign affairs, law enforcement bodies, defence contractors — but the method of attack ran straight through ordinary home routers. If you happened to be connected to a compromised router while checking your work email or logging into Microsoft 365, your credentials were being collected. Spy or schoolteacher — your credentials were harvested either way.
"The GRU hijacked routers belonging to unsuspecting users in over 23 US states, turning them into espionage platforms." — FBI Special Agent Ted E. Docks
How the Attack Actually Works: The DNS Hijack Explained
Most people have a vague idea that DNS means "Domain Name System": it is what translates a web address like gmail.com into the IP address your device actually connects to. What most people don't know is that the choice of DNS server lives on your router. The router's DHCP service hands that setting to every device that joins the network, so if someone changes it, every device on your WiFi (your phone, laptop, smart TV, everything) starts asking a different server for directions.
That's exactly what APT28 did.
They exploited known vulnerabilities in TP-Link and MikroTik routers to gain access — no malware required, no suspicious downloads. Once inside, they modified the router's DHCP and DNS settings to point to servers they controlled. From that moment, every DNS request from every device on that network flowed through APT28 infrastructure.
Here is the step-by-step of what happened inside a compromised network:
- You type outlook.com into your browser.
- Your device asks your router: "Where is outlook.com?"
- Your router, now pointing at APT28's DNS server, asks their server instead of Google or your ISP.
- Their server returns a fake IP — pointing to an attacker-controlled machine that looks identical to the real login page.
- You type your username and password. You see an error or get redirected normally. You think nothing happened.
- APT28 now has your Microsoft credentials and OAuth authentication tokens.
This is called an Adversary-in-the-Middle (AitM) attack. The padlock in the browser does not save you here: the attacker-controlled machine terminates your TLS connection itself and relays the session on to the real service, so your password and the resulting session tokens exist in plaintext on a box the attacker owns, not on the wire between you and Microsoft. One caveat a practitioner will want stated: a fake IP alone does not defeat TLS. The attacker also has to present a certificate the browser will accept, or rely on the user clicking through a warning; the public reporting summarised here does not detail how that side was handled.
Microsoft confirmed APT28 was specifically targeting Microsoft Outlook on the web domains using this method — described as the first time Forest Blizzard had used DNS hijacking at this scale to intercept TLS connections after exploiting edge devices.
Which Routers Were Targeted
The campaign specifically focused on older, unpatched small office/home office (SOHO) routers. The UK's National Cyber Security Centre (NCSC) published an advisory listing over 20 TP-Link models confirmed as targeted. Confirmed affected models include:
TP-Link: Archer C5, Archer C7, WDR3500, WDR3600, WDR4300, WR1043ND, MR3420, MR6400, WR740N, WR840N, WR841N, WR842N, WR845N, WR941ND — and more. Archer AX6000, AX3000, AC1750 variants were also identified by separate research.
MikroTik: Devices running RouterOS versions prior to 7.14.2, including the hAP ac2, hAP ac3, and Cloud Core Router series.
The targeting was described as opportunistic — APT28 cast a wide net, compromised everything vulnerable, and then filtered the resulting pool for targets of intelligence interest. That means even if you are not a government employee, your router could have been used as a relay or stepping stone in their infrastructure.
Why Nobody Noticed
This is the part that should genuinely disturb you. The attack required no malware installation. There were no pop-ups, no slowdowns, no obvious signs of compromise. The router continued functioning normally: websites loaded, Netflix played, everything felt fine.

Black Lotus Labs engineer Ryan English confirmed that the GRU hackers did not need to install anything on the routers. They simply changed a setting. A single DNS field in the router configuration, pointing to their server instead of yours. That is all it took to intercept months of traffic.
Most home users never log into their router admin panel at all. Many don't even know their router's brand or model — the label is on the bottom of a device that's been sitting behind their television for five years. There is no antivirus for your router. Your phone and laptop are protected; the device routing all their traffic is not.
The FBI Quietly Broke Into Your Router to Fix It
On April 7, 2026, the FBI announced it had executed court-approved commands on compromised US-based TP-Link routers — collecting forensic data, resetting hijacked DNS configurations, and cutting APT28's access. They did this without notifying device owners first, and without altering any personal content on the devices.
This was the second time in recent years the FBI had done this. In 2024, a similar court-ordered operation cleaned up a Chinese botnet that had hijacked hundreds of SOHO routers.
Here's the uncomfortable truth: the FBI fixed your router for you, but they can't guarantee it stays fixed. If your router is still running old firmware and using a default password, it is vulnerable to the exact same attack again — from APT28 or anyone else who decides to try.
Intelligence agencies from 16 countries co-signed the advisory; the FBI said the operation itself involved partners from more than 15 nations.
What You Need to Do Right Now
This is not the "change your password" advice you've heard a hundred times and ignored. These are specific, technically grounded steps based on what this attack actually exploited.
1. Find out what router you have. Check the label on the bottom or back. Log into your router admin panel — usually at 192.168.0.1 or 192.168.1.1 in your browser. If you don't know your admin password, it's probably the default printed on the device label — which is exactly the problem.
2. Update your firmware immediately. MikroTik users need RouterOS version 7.14.2 or later. TP-Link users need firmware released after March 2025. Download only from the manufacturer's official website — not third-party sources. Log into your router admin panel, find the firmware update section, and do it now. Not this weekend. Now.
3. Change your admin password. The default password on your router is public knowledge — it's printed on the box and listed in online databases. APT28 used this. Change it to something over 16 characters with mixed characters. Write it on a piece of paper and tape it to the router if you have to — anything is better than the default.
4. Check your DNS settings. In your router admin panel, find the DNS settings. Check two places: the WAN or Internet section, which is the upstream resolver the router forwards to, and the LAN or DHCP section, which is the resolver address the router hands to your devices. FrostArmada changed DHCP settings as well as DNS settings, so the second field matters as much as the first. Your DNS should point to a known, trusted address (1.1.1.1 for Cloudflare, 8.8.8.8 for Google, or your ISP's resolvers), or, for the DHCP field, to the router's own LAN address if it forwards for you. If you see an unfamiliar IP address that you did not set, your router may have been compromised. Screenshot it, do a factory reset, update firmware, and reconfigure from scratch.
5. Disable remote management. Most consumer routers have an option to manage the router from outside your home network — this is the exposure APT28 exploited. Log into your admin panel and confirm "Remote Management" or "WAN Access" to the admin interface is turned off.
6. Use a VPN, and understand what it does and does not cover. A VPN client that tunnels DNS sends your name lookups to the VPN provider's own resolvers, bypassing whatever the router handed out. Had that been in place during FrostArmada, APT28's resolver would never have seen those devices' queries. Three caveats: it only protects devices actually running the VPN client (a smart TV or a phone on the same WiFi without it stays exposed), it only helps if the client forces its own DNS and blocks leaks to the local resolver, and it does nothing to fix the router itself. Encrypted DNS (DNS over HTTPS) configured in the browser or operating system closes the same gap for lookups specifically, without tunnelling all traffic, and carries the same per-device limitation.
If Your Router Model Is on the Target List
If your TP-Link or MikroTik model appears in the advisory — especially older Archer series or any WR/WDR model — treat the device as potentially compromised regardless of whether the FBI has already intervened. Perform a complete factory reset, then flash the latest available firmware before reconnecting to the internet. Do not simply reset to factory and re-enter your old configuration — that restores the same vulnerable state APT28 exploited in the first place.
If your router is an end-of-life model with no available firmware updates — which is the case for several of the models on the list — replace the device. A router that cannot receive security patches is a permanently open door. Consumer routers cost between ₹1,500 and ₹5,000 for a reliable modern model. The cost of compromised credentials is significantly higher.
The Bigger Picture
What makes FrostArmada significant beyond its scale is what it reveals about how modern state-level attacks have shifted. APT28 did not need to breach a firewall or compromise an endpoint. They targeted the device sitting between you and the internet — the one device almost nobody secures, monitors, or updates — and used it to silently intercept months of authentication traffic from thousands of people across 120 countries.
Home routers are the soft underbelly of personal cybersecurity. They connect everything and are protected by almost nothing. No antivirus reaches them. Most ISPs never push firmware updates automatically. Most users never think about them at all.
APT28 thought about them very carefully.
The FBI cleaned up what they could. Whether your router stays clean from here is entirely up to you.
Sources: FBI / DOJ Operation Masquerade announcement (April 7, 2026), UK NCSC advisory, Lumen Black Lotus Labs FrostArmada report, Microsoft Threat Intelligence, SecurityWeek, BleepingComputer, Krebs on Security.