Particle.news

U.S. Disrupts GRU DNS-Hijacking Network Built on Hacked Home Routers

A court-approved action reset hijacked DNS settings on compromised routers to cut off GRU access.

Overview

  • Justice Department and FBI officials on Tuesday announced Operation Masquerade, a court-authorized effort that sent commands to compromised TP-Link routers in at least 23 states to remove GRU-controlled DNS settings.
  • Investigators say APT28 has exploited flaws in TP-Link and MikroTik devices since 2024, altering the routers' DHCP and DNS settings so that phones and laptops on the network sent name lookups to attacker-controlled servers, which served fake login pages (including Outlook Web Access) to steal passwords and session tokens.
  • Lumen’s Black Lotus Labs reported at least 18,000 compromised devices across about 120 countries, while Microsoft said more than 200 organizations and 5,000 consumer devices were affected, including targets in government, military and critical infrastructure.
  • Researchers describe a disrupted campaign with communications declining in recent weeks, and they note the adversary-in-the-middle technique often failed when users heeded browser certificate warnings for spoofed sites.
  • Officials said the remediation did not collect user content and did not break normal router functions. They urged owners to update firmware, replace unsupported models, verify their DNS settings and disable unnecessary remote management, and credited Microsoft, Lumen and MIT Lincoln Laboratory for support.
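The advice to "verify DNS settings" can be turned into a repeatable check on the client side. The following is an added example, not code from the article, Particle.news, or any of the agencies or vendors it cites: it parses the resolvers a client received (in resolv.conf syntax, as a DHCP client on a home network would record them) and sorts each one into trusted, LAN-local, unknown or invalid. The trusted list, the RFC 1918 LAN ranges and the sample input are assumptions constructed for the example; 203.0.113.7 is a documentation address standing in for an unexpected resolver.

```python
"""Audit the DNS resolvers a client is using against an allowlist.

Added example for the DNS-hijack story above; not the researchers' or
officials' tooling. The trusted set and the sample input are assumptions.
"""
import ipaddress
from typing import Dict, List

# Assumption: the resolvers the household or organisation deliberately chose.
TRUSTED_RESOLVERS = {
    "1.1.1.1", "1.0.0.1",   # Cloudflare
    "8.8.8.8", "8.8.4.4",   # Google
    "9.9.9.9",              # Quad9
}

# Addresses that legitimately belong to the local network (the router itself
# usually hands out its own LAN address as the resolver).
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                 # IPv6 equivalents
)]

# Constructed sample input in resolv.conf syntax. The second nameserver is a
# documentation (TEST-NET-3) address used here to represent a resolver the
# owner never configured; the third line shows a malformed entry.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.7
nameserver not-an-ip
"""


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver values in order, ignoring comments and other keys."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            servers.append(parts[1])
    return servers


def classify_resolver(server: str, trusted=TRUSTED_RESOLVERS) -> str:
    """Label one resolver: 'trusted', 'lan', 'unknown' or 'invalid'."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "invalid"
    if server in trusted:
        return "trusted"
    # Membership test returns False across IP versions, so mixing v4/v6 is safe.
    if any(ip in net for net in LAN_RANGES):
        return "lan"
    return "unknown"


def audit_resolvers(servers: List[str], trusted=TRUSTED_RESOLVERS) -> Dict[str, List[str]]:
    """Group resolvers by verdict so the caller can act on each bucket."""
    report: Dict[str, List[str]] = {"trusted": [], "lan": [], "unknown": [], "invalid": []}
    for s in servers:
        report[classify_resolver(s, trusted)].append(s)
    return report


def needs_attention(report: Dict[str, List[str]]) -> bool:
    """True when any resolver is neither trusted nor on the local network."""
    return bool(report["unknown"] or report["invalid"])


if __name__ == "__main__":
    result = audit_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF))
    for verdict, entries in result.items():
        print(f"{verdict:8s} {entries}")
    print("ATTENTION NEEDED" if needs_attention(result) else "resolvers look as expected")
```

A resolver inside the LAN passes this check because that is how most home routers operate, yet in the campaign described above the router's own upstream DNS was what the attackers changed. The client-side audit therefore needs to be paired with a look at the WAN or upstream DNS servers in the router's admin interface, and the other advice in the story (firmware updates, disabling unneeded remote management, heeding certificate warnings) still stands.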