GRU Compromises Home Routers in 23 States to Steal Outlook Credentials

GRU Compromises Home Routers in 23 States to Steal Outlook Credentials

First seen 22 May 2026, 03:56 UTC TechtimesCnetwww.lumen.comnvd.nist.govFoxnews 87% similarity 80.8

Article Content

Browse articles
ThreatCluster

The FBI and partners disrupted a covert network of compromised TP-Link and MikroTik routers exploited by the Russian GRU (APT28) to steal Outlook credentials. This operation, known as Operation Masquerade, revealed that over 5,000 consumer devices across 23 states were affected, with the attack leveraging CVE-2023-50224, an authentication bypass flaw. The GRU hijacked routers by altering DNS settings, redirecting users to fake login pages without their knowledge. The operation began in August 2025 and peaked in December 2025, impacting over 200 organizations globally. Authorities have urged immediate action to secure routers, including firmware updates and changing default credentials. The UK National Cyber Security Centre confirmed the campaign's opportunistic nature, targeting individuals in sensitive sectors. The FBI's intervention involved restoring legitimate configurations on compromised devices without accessing user data.

Key Points: • GRU exploited CVE-2023-50224 to hijack routers and steal Outlook credentials. • Over 5,000 consumer devices in 23 states were compromised in this operation. • Immediate action is recommended for router owners to secure their devices.

ThreatCluster AI

Timeline

2024-05-03
CVE-2023-50224 published
An authentication bypass vulnerability in TP-Link routers was disclosed, allowing unauthorized access.
Techtimes
2025-08-01
GRU begins router exploitation
The GRU started hijacking TP-Link and MikroTik routers, targeting small-office/home-office devices.
Cnet
2025-09-03
CVE-2023-50224 added to CISA KEV
The vulnerability was marked as actively exploited, prompting increased attention from cybersecurity agencies.
Techtimes
2025-12-01
Peak of router compromise
At its peak, over 18,000 routers worldwide were compromised, feeding data to GRU-controlled servers.
Techtimes
2026-04-07
Operation Masquerade announced
The FBI and partners disclosed the disruption of the GRU's router hijacking operation, urging immediate action from users.
Cnet
2026-05-21
FBI restores router configurations
The FBI executed a court-authorized operation to restore legitimate DNS settings on compromised routers.
Techtimes

Community

Browse all →