Feds quash widespread Russia-backed espionage network spanning 18,000 devices

Staff Editor 2026-04-07
Feds quash widespread Russia-backed espionage network spanning 18,000 devices

Feds quash widespread Russia-backed espionage network spanning 18,000 devices

https://cyberscoop.com/forest-blizzard-apt28-routers-espionage-campaign-operation-masquerade/

Publish Date: 2026-04-07 19:47:00

Source Domain: cyberscoop.com

Russian state-sponsored attackers compromised more than 18,000 routers spread across more than 120 countries to gain deeper access to sensitive networks for a large-scale espionage campaign before it was recently neutralized, researchers and authorities said Tuesday.

Forest Blizzard, also known as APT28 and Fancy Bear, exploited known vulnerabilities to steal credentials for thousands of TP-Link routers globally. The threat group, which is attributed to Russia’s Main Intelligence Directorate of the General Staff (GRU) Military Unit 26165, hijacked domain name system settings and stole additional credentials and tokens via redirected traffic, the Justice Department said.

The threat group established an expansive espionage network by intruding systems of more than 200 organizations, impacting at least 5,000 consumer devices, Microsoft Threat Intelligence said in a report. 

Operation Masquerade, a collaborative takedown operation led by the FBI, aided by federal prosecutors, the National Security Division’s National Security Cyber section, Lumen’s Black Lotus Labs and Microsoft Threat Intelligence, involved a series of commands designed to reset DNS settings and prevent the threat group from further exploiting its initial means of access. 

“GRU actors compromised routers in the U.S. and around the world, hijacking them to conduct espionage. Given the scale of this threat, sounding the alarm wasn’t enough,” Brett Leatherman, assistant director of the FBI’s cyber division, said in a statement. “The FBI conducted a court-authorized operation to harden compromised routers across the United States.”

Forest Blizzard’s widespread campaign involved adversary-in-the-middle attacks against domains mimicking legitimate services, including Microsoft Outlook Web Access. This allowed attackers to intercept passwords, OAuth tokens, credentials for Microsoft accounts, and other services and cloud-hosted content. 

Microsoft insists…

Source

More Stories

‘A new frontier model trained by Anthropic that we believe could reshape cybersecurity’: Project Glasswing wants to use AI to prevent AI cyberattacks — but will ‘overeager’ Claude Mythos do more damage than help?

‘A new frontier model trained by Anthropic that we believe could reshape cybersecurity’: Project Glasswing wants to use AI to prevent AI cyberattacks — but will ‘overeager’ Claude Mythos do more damage than help?

Staff Editor 2026-04-08
healthcare-cybersecurity.png

What the 2025 healthcare cybersecurity claims data reveals

Staff Editor 2026-04-08
Jones Day Faces Cybersecurity Scrutiny After Client Data Breach

Jones Day Faces Cybersecurity Scrutiny After Client Data Breach

Staff Editor 2026-04-08

Terms and Conditions - Privacy Policy