PHILADELPHIA – In a brazen display of cyber aggression, a Russian military intelligence unit has been caught hijacking American routers to steal sensitive information.
According to the FBI, which investigated the activity through a court-authorized technical operation, a unit within Russia’s Main Intelligence Directorate of the General Staff (GRU), Military Unit 26165 (also tracked as APT28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit), has been exploiting known vulnerabilities in TP-Link routers worldwide since at least 2024.
The GRU actors stole credentials for thousands of routers and changed the routers’ settings so that DNS requests were redirected to GRU-controlled servers acting as malicious DNS resolvers.
The GRU actors were indiscriminate in their initial targeting and manipulation of routers, but implemented an automated filtering process to determine which DNS requests were of interest and warranted interception. For select targets, the GRU’s DNS resolvers returned fraudulent DNS records for specific domains that mimicked legitimate services, including Microsoft Outlook Web Access, steering victims to actor-controlled hosts and thereby facilitating Actor-in-the-Middle attacks against the victims’ encrypted network traffic.
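The activity described above leaves two observable signals on a victim network: the router hands clients a resolver that the owner never configured, and that resolver answers selected names (here, a mail or login host) with addresses outside the owner’s own ranges. The following checker is an added example written for this page, not code from the DOJ release or the FBI; the resolver allowlist, sentinel names and address ranges are hypothetical, and the snapshot it runs on is constructed sample data using documentation address ranges.

```python
# Added example (not from the DOJ release): an offline check for the two
# signals the release describes, run over constructed sample data.
# All names, resolvers and ranges below are hypothetical; RFC 5737 / RFC 3849
# documentation ranges stand in for real ones.
import ipaddress

# Assumption: the resolvers this network is supposed to use. In practice this
# comes from the DHCP/DNS configuration the owner controls.
TRUSTED_RESOLVERS = {"1.1.1.1", "9.9.9.9"}

# Assumption: sentinel names worth watching (the release names Outlook Web
# Access as a mimicked service) and the address ranges their genuine records
# must fall in. A hijacked resolver answers these names with actor-controlled IPs.
EXPECTED_RANGES = {
    "mail.example.com": ["203.0.113.0/24"],
    "login.example.com": ["203.0.113.0/24", "2001:db8:1::/48"],
}


def unexpected_resolvers(advertised, trusted=TRUSTED_RESOLVERS):
    """Return the resolvers a router hands out (DHCP option 6 or its own
    upstream list) that are not on the trusted allowlist, normalised and sorted."""
    normalised = (str(ipaddress.ip_address(r)) for r in advertised)
    return sorted(r for r in normalised if r not in trusted)


def spoofed_answers(answers, expected=EXPECTED_RANGES):
    """answers: {name: [ip, ...]} as returned by the resolver under test.
    Return {name: [ip, ...]} holding every answer that falls outside the
    expected ranges for that name. Names the resolver did not answer are
    not reported; absence of an answer is a different failure mode."""
    bad = {}
    for name, networks in expected.items():
        nets = [ipaddress.ip_network(n) for n in networks]
        for ip in answers.get(name, []):
            addr = ipaddress.ip_address(ip)
            # ipaddress treats an address/network version mismatch as "not in".
            if not any(addr in net for net in nets):
                bad.setdefault(name, []).append(ip)
    return bad


def check_snapshot(snapshot):
    """snapshot: {"advertised_dns": [...], "answers": {name: [ips]}}.
    Return human-readable findings; an empty list means nothing was seen."""
    findings = []
    for r in unexpected_resolvers(snapshot["advertised_dns"]):
        findings.append(f"router advertises untrusted resolver {r}")
    for name, ips in spoofed_answers(snapshot["answers"]).items():
        findings.append(f"{name} resolved to {', '.join(ips)} outside expected ranges")
    return findings


# Constructed sample: the router's DHCP lease points clients at an unknown
# resolver, which answers the mail sentinel with an address outside the
# owner's range while leaving the login name untouched (selective spoofing,
# as the release describes).
SAMPLE_SNAPSHOT = {
    "advertised_dns": ["192.0.2.53", "1.1.1.1"],
    "answers": {
        "mail.example.com": ["198.51.100.7"],
        "login.example.com": ["203.0.113.10", "2001:db8:1::10"],
    },
}

if __name__ == "__main__":
    for line in check_snapshot(SAMPLE_SNAPSHOT) or ["no findings"]:
        print(line)
```

Two caveats when adapting this. Because the actor filtered requests and only spoofed selected names, a sentinel that is not on the actor’s list returns the true answer; watch the names that matter to you (mail, SSO, VPN), not a random domain. And restrict the range check to names whose addresses you control: third-party services behind CDNs legitimately vary their answers by resolver, so comparing them against a fixed range produces false positives. Pair the DNS check with a certificate check on the connection itself, since an interposed host must present a certificate the client would not otherwise see.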
“Russian military intelligence once again hijacked Americans’ hardware to commandeer critical data,” said U.S. Attorney David Metcalf. “In the face of continued aggression by our nation-state adversaries, the U.S. government will respond just as aggressively. Working with the FBI — and our partners around the world — we are committed to disrupting and exposing such threats to our nation’s cybersecurity.”
“The GRU’s predatory use of networks in American homes and businesses for its malicious cyber operations remains a serious and persistent threat,” said Assistant Attorney General for National Security John A. Eisenberg. “NSD will continue to use every tool at our disposal to detect such intrusions and expel hostile foreign actors from our Nation’s networks.”
“Operation Masquerade — led by FBI Boston — is the latest example of how we’re defending our homeland from Russia’s GRU, which weaponized routers owned by unsuspecting Americans in more than 23 states to steal sensitive government, military, and critical infrastructure information,” said Special Agent in Charge Ted E. Docks, of the FBI’s Boston Field Office.
The FBI is urging all router owners to secure their devices, keep firmware updated, and replace routers that can no longer be updated. Given the activity described above, owners should also confirm that their router’s DNS settings have not been changed to point at resolvers they do not recognize. By working together, the public and law enforcement can guard against nation-state actors trying to compromise American devices and steal sensitive information.
Key Facts
- State: Pennsylvania
- Category: Cybercrime
- Source: DOJ Press Release

