The FBI and Justice Department said last week they carried out a court-authorized operation to neutralize a U.S. portion of a router network compromised by Russian military intelligence, moving to cut off access that investigators said was being used for espionage against targets around the world. The devices were small office and home office routers whose settings had been manipulated to send traffic to servers controlled by the GRU.
Brett Leatherman said Russian GRU cyber actors had compromised vulnerable routers in the United States and abroad, hijacking them to conduct espionage. He said unsuspecting Americans in at least 23 states owned routers that were exploited by Russian military intelligence, and that the FBI moved against the network because of the scale of the threat. The compromised devices included thousands of TP-Link routers that were taken over through known vulnerabilities, then reconfigured so that requests were redirected to GRU-controlled DNS resolvers.
The operation was aimed at blocking a broader campaign of malicious Domain Name System hijacking that intelligence officers said touched military, government and critical infrastructure targets of interest to Moscow. The FBI said it collected evidence from the compromised routers and reset their DNS settings so they were no longer pointed at the GRU’s resolvers. Federal officials said they extensively tested the work on the firmware and hardware used in affected TP-Link routers and found it did not harm normal functionality or collect legitimate users’ content information.
The case also shows how deeply ordinary consumer equipment can be folded into state cyber operations. Leatherman said the FBI, National Security Agency and international partners from 15 countries released a public service announcement with technical information and defensive guidance for small office and home office devices. That guidance urges users to replace end-of-life routers, install the latest firmware, verify the authenticity of DNS resolvers in router settings and review firewall settings. He said rebooting a router can help with some threats, but not this one.
The tension in the operation is that home routers most people would never think twice about were used as a layer of cover for Russian intelligence activity, and ordinary users in at least 23 states were caught in the middle. With the U.S. portion disrupted, the remaining question is how much of the broader network survives outside the country and how quickly vulnerable devices will be patched, replaced or pulled out of service before they can be used again.