GRU Compromises Home Routers in 23 States to Steal Outlook Credentials
Severity: Critical (Score: 80.8)
Sources: Techtimes, nvd.nist.gov, Cnet, www.lumen.com
Keywords: routers, russian, military, intelligence, your, hackers, inside
Severity indicators: military
Summary
The FBI and partners disrupted a covert network of compromised TP-Link and MikroTik routers exploited by the Russian GRU (APT28) to steal Outlook credentials. This operation, known as Operation Masquerade, revealed that over 5,000 consumer devices across 23 states were affected, with the attack leveraging CVE-2023-50224, an authentication bypass flaw. The GRU hijacked routers by altering DNS settings, redirecting users to fake login pages without their knowledge. The operation began in August 2025 and peaked in December 2025, impacting over 200 organizations globally. Authorities have urged immediate action to secure routers, including firmware updates and changing default credentials. The UK National Cyber Security Centre confirmed the campaign's opportunistic nature, targeting individuals in sensitive sectors. The FBI's intervention involved restoring legitimate configurations on compromised devices without accessing user data.

Key Points:
- GRU exploited CVE-2023-50224 to hijack routers and steal Outlook credentials.
- Over 5,000 consumer devices in 23 states were compromised in this operation.
- Immediate action is recommended for router owners to secure their devices.
Detailed Analysis
**Impact**
Over 18,000 routers were compromised globally at the attack's peak, with more than 5,000 consumer devices and over 200 organizations affected in the United States alone, spanning at least 23 states. Targeted sectors include military, government, and critical infrastructure, with confirmed victims in the US, Czech Republic, Italy, Lithuania, Poland, Ukraine, and the UAE. The attack resulted in stolen Microsoft Outlook credentials, including passwords and authentication tokens, enabling espionage and unauthorized access to sensitive communications.

**Technical Details**
The GRU Military Unit 26165 (APT28/Fancy Bear/Forest Blizzard) exploited CVE-2023-50224, an authentication bypass vulnerability in the TP-Link TL-WR841N router, to gain administrative control. Attackers changed DNS settings on compromised routers to redirect Outlook Web Access traffic to fake login pages, capturing credentials without the users noticing. The operation relied on DNS hijacking to intercept unencrypted traffic, enabling persistent reconnaissance. Infrastructure included GRU-controlled DNS servers and a global network of compromised TP-Link and MikroTik SOHO routers. The FBI disrupted the campaign via court-authorized commands to restore legitimate DNS settings.

**Recommended Response**
Router owners should immediately update firmware to the latest versions or replace outdated devices, especially those no longer supported by manufacturers. Change default login credentials and, if a device is believed compromised, factory-reset it to remove malicious DNS configurations. Organizations should deploy detections for anomalous DNS changes and monitor for suspicious network redirects. Federal agencies recommend following NSA best practices for network security and maintaining vigilance for further exploitation attempts.
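One way to implement the anomalous-DNS detection recommended above, as an added example that is not code from any of the cited sources: it diffs periodic router snapshots against a baseline and flags the three indicators this campaign leaves behind (changed resolvers, resolvers outside the provisioned set, and the OWA hostname resolving outside recorded ranges). The allowlists, snapshot records and addresses are constructed; `Snapshot`, `detect` and `sweep` are hypothetical names.

```python
"""Diff router snapshots for the DNS-hijack indicators described above.

Constructed example, not code from a cited source. TRUSTED_RESOLVERS and
EXPECTED_OWA_NETS are hypothetical allowlists an organization maintains
itself; all addresses are documentation ranges used as sample values.
"""
import ipaddress
from dataclasses import dataclass

TRUSTED_RESOLVERS = {"198.51.100.53", "198.51.100.54"}
EXPECTED_OWA_NETS = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class Snapshot:
    router: str
    dns_servers: tuple  # resolvers the router hands to LAN clients via DHCP
    owa_answers: tuple  # what those resolvers returned for the OWA hostname


def detect(baseline: Snapshot, current: Snapshot) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs; an empty list means nothing to flag."""
    findings = []
    # Any resolver change on a SOHO router is unusual without operator action.
    if set(current.dns_servers) != set(baseline.dns_servers):
        findings.append(("dns_changed",
                         f"{baseline.dns_servers} -> {current.dns_servers}"))
    # A resolver outside the provisioned set is the hijack itself.
    untrusted = sorted(set(current.dns_servers) - TRUSTED_RESOLVERS)
    if untrusted:
        findings.append(("untrusted_resolver", ", ".join(untrusted)))
    # OWA resolving outside recorded ranges means logins go to an impostor page.
    redirected = [a for a in current.owa_answers if not any(
        ipaddress.ip_address(a) in net for net in EXPECTED_OWA_NETS)]
    if redirected:
        findings.append(("owa_redirect", ", ".join(redirected)))
    return findings


def sweep(baseline: dict, latest: dict) -> dict:
    """Run detect() across a fleet; routers with no findings are omitted."""
    return {name: f for name, snap in latest.items()
            if (f := detect(baseline[name], snap))}


# Constructed snapshots: soho-01 has been hijacked, soho-02 is unchanged.
BASELINE = {"soho-01": Snapshot("soho-01", ("198.51.100.53",), ("203.0.113.10",)),
            "soho-02": Snapshot("soho-02", ("198.51.100.53",), ("203.0.113.10",))}
LATEST = {"soho-01": Snapshot("soho-01", ("192.0.2.66",), ("192.0.2.80",)),
          "soho-02": Snapshot("soho-02", ("198.51.100.53",), ("203.0.113.10",))}
```

A resolver change alone can be a benign ISP rotation; the untrusted-resolver and OWA-redirect indicators together are what justify a factory reset and credential rotation for that site.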
Source articles (4)
- Russian Hackers Are Inside American Home Routers. The FBI Has a 5-Step Fix — Cnet · 2026-05-22
  Most routers sit in a corner, ignored, and that's exactly what Russia's military intelligence unit was counting on. The GRU group known as APT28, responsible for some of the most significant state- ha…
- FrostArmada Forest Blizzard DNS Hijacking — www.lumen.com · 2026-05-22
  A DNS setting change on a single router can quietly reroute an entire network's authentication traffic. In FrostArmada, Lumen observed Forest Blizzard using that technique to feed targeted logins into…
- CVE-2023-50224 — nvd.nist.gov · 2026-05-22
  TP-Link TL-WR841N dropbearpwd Improper Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installat…
- GRU Hijacked TP-Link Routers in 23 States to Steal Outlook Passwords: FBI Urges Immediate Action — Techtimes · 2026-05-21
  Your router spent the past two years quietly working for Russian military intelligence — and nothing on your screen would ever have told you so. On April 7, 2026, the FBI, Department of Justice, Natio…
Timeline
- 2024-05-03 — CVE-2023-50224 published: An authentication bypass vulnerability in TP-Link routers was disclosed, allowing unauthorized access.
- 2025-08-01 — GRU begins router exploitation: The GRU started hijacking TP-Link and MikroTik routers, targeting small-office/home-office devices.
- 2025-09-03 — CVE-2023-50224 added to CISA KEV: The vulnerability was marked as actively exploited, prompting increased attention from cybersecurity agencies.
- 2025-12-01 — Peak of router compromise: At its peak, over 18,000 routers worldwide were compromised, feeding data to GRU-controlled servers.
- 2026-04-07 — Operation Masquerade announced: The FBI and partners disclosed the disruption of the GRU's router hijacking operation, urging immediate action from users.
- 2026-05-21 — FBI restores router configurations: The FBI executed a court-authorized operation to restore legitimate DNS settings on compromised routers.
Related entities
- Apt28 (Apt Group)
- Fancy Bear (Apt Group)
- Forest Blizzard (Apt Group)
- Kazuar (Apt Group)
- Brute Force (Attack Type)
- Data Breach (Attack Type)
- Malware (Attack Type)
- Man-in-the-Middle (Attack Type)
- Phishing (Attack Type)
- FrostArmada (Campaign)
- Operation Masquerade (Campaign)
- TP-Link (Company)
- Fortinet (Company)
- Afghanistan (Country)
- Czech Republic (Country)
- Italy (Country)
- Lithuania (Country)
- Poland (Country)
- Russia (Country)
- Ukraine (Country)
- United Arab Emirates (Country)
- United States (Country)
- CWE-200 - Exposure of Sensitive Information (Cwe)
- CWE-287 - Improper Authentication (Cwe)
- ic3.gov (Domain)
- Energy (Industry)
- Government (Industry)
- Technology (Industry)
- Authentic Antics (Malware)
- LAMEHUG (Malware)
- NotDoor (Malware)
- T1005 - Data From Local System (Mitre Attack)
- T1056 - Input Capture (Mitre Attack)
- T1068 - Exploitation for Privilege Escalation (Mitre Attack)
- T1071 - Application Layer Protocol (Mitre Attack)
- T1557 - Adversary-in-the-Middle (Mitre Attack)
- T1566 - Phishing (Mitre Attack)
- MikroTik (Platform)
- Nethesis (Platform)
- Windows (Platform)