The Department of Justice revealed on Tuesday a court-authorized operation to disrupt a Russian hacking campaign against internet routers in the U.S. But why is Russia targeting internet routers in the homes and offices of Americans? And what can people do to protect themselves?
Since 2024, Russia’s military intelligence agency, known as the GRU, has compromised thousands of routers across the globe. Primarily, the routers targeted include those built by the Chinese firm TP-Link, which are widely used in the U.S., and the Latvian firm MikroTik, which are common across Eastern Europe.
The hackers, part of the GRU’s 85th Main Special Service Center, have been exploiting vulnerabilities in the routers in order to steal their login credentials. Once a router was compromised, the hackers changed its settings to redirect DNS requests to servers controlled by Russia.
DNS, or the Domain Name System, is often referred to as the phonebook of the internet. A DNS request translates a domain name, such as SAN.com, into the IP address that a web browser actually connects to.
By carrying out these DNS hijacking attacks, the hackers redirected users to fraudulent versions of certain domains, including Microsoft Outlook Web Access, in order to break their encryption and intercept data such as passwords, browsing information and authentication tokens. Because the hijack takes place at the router level, every connected device, such as laptops, smartphones and smart TVs, is exposed.
The Justice Department said the hackers “were indiscriminate in their initial targeting and manipulation of routers.” From there, however, the GRU implemented an automated filtering process that alerted it to specific DNS requests deemed worthy of interception.
In other words, while the hackers exploited any and all vulnerable routers they could, further attacks were aimed at targets of interest.
Dmitri Alperovitch, co-founder of the cybersecurity firm CrowdStrike and chairman of the geopolitical think tank Silverado Policy Accelerator, told NPR that such attacks usually work in the reverse order.
“Usually, with these operations, they find a particular target,” Alperovitch said. “Let’s say it’s a person working for the Ukrainian military, and they go after them for reasons that are self-explanatory. Here, they basically said, ‘Let’s find every vulnerable router of these two brands of routers around the world, and then we’ll sift through the data and see if any of them are useful.’”
‘Operation Masquerade’
Specific targets have not been named. But the Justice Department said that victims include “individuals in the military, government, and critical infrastructure sectors.”
The operation against the hacking campaign, dubbed Operation Masquerade, sent FBI-developed commands to compromised routers in the U.S. in order to not only collect evidence of the GRU’s activity but also to remove the malicious settings implemented by the hackers.
“Operation Masquerade demonstrates the FBI’s commitment to identifying, exposing, and disrupting the Russian government’s efforts to compromise American devices, steal sensitive information, and target critical infrastructure,” said Brett Leatherman, assistant director of the FBI’s Cyber Division. “GRU actors compromised routers in the US and around the world, hijacking them to conduct espionage. Given the scale of this threat, sounding the alarm wasn’t enough. The FBI conducted a court-authorized operation to harden compromised routers across the United States.”
The Justice Department said the operation “did not impact the routers’ normal functionality or collect the legitimate users’ content information.”
The FBI is working with internet service providers to notify those whose routers were affected by the operation.
How to keep your router safe
Numerous U.S. agencies, including the FBI and the National Security Agency, are also issuing guidance on securing routers. Americans are urged to replace any outdated routers that no longer receive security updates and to replace any default login credentials with a unique username and password. Users can also perform a factory reset on their routers if needed to wipe any potentially altered settings.
Other tips include ensuring that your router is running the latest firmware and enabling automatic updates if available. Organizations that allow remote work, the FBI says, should also “review relevant policies regarding how employees access sensitive data, such as using VPNs and hardened application configurations.”
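A router hijack of the kind described above shows up on the client side in two ways: the resolver the router hands out is no longer the router itself or one the owner chose, and answers for a hijacked name no longer match what a trusted resolver returns. The following Python checks illustrate both; it is an added example, not code from the article or from any agency, and the resolv.conf text, LAN range, allowlist and answer sets are constructed samples (203.0.113.x and 198.51.100.x are documentation addresses).

```python
"""Client-side checks for signs of router-level DNS hijacking.
All sample inputs below are constructed for illustration."""
import ipaddress
from typing import Iterable


def parse_resolv_conf(text: str) -> list[str]:
    """Return the nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def unexpected_resolvers(servers: Iterable[str], lan: str,
                         allowlist: Iterable[str]) -> list[str]:
    """Flag resolvers that are neither inside the home LAN (normally the router
    itself) nor on the owner's explicit allowlist. A hijacked router instead
    advertises or forwards to an address the attacker controls."""
    lan_net = ipaddress.ip_network(lan, strict=False)
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    flagged = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:          # unparsable entry: treat as suspicious
            flagged.append(s)
            continue
        if ip not in lan_net and ip not in allowed:
            flagged.append(s)
    return flagged


def answers_disagree(configured: Iterable[str], trusted: Iterable[str]) -> bool:
    """True when A records obtained through the configured resolver share no
    address with those from a trusted resolver queried directly. CDN-backed
    names legitimately vary, so require zero overlap before alerting."""
    return not (set(configured) & set(trusted))


# Constructed sample: the router advertises itself plus a rogue public resolver.
SAMPLE_RESOLV_CONF = "search lan\nnameserver 192.168.0.1\nnameserver 203.0.113.7\n"
HOME_LAN = "192.168.0.0/24"
OWNER_ALLOWLIST = ["9.9.9.9", "1.1.1.1"]


def check_sample() -> dict:
    servers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    return {
        "servers": servers,
        "unexpected": unexpected_resolvers(servers, HOME_LAN, OWNER_ALLOWLIST),
        # constructed answer sets for one hostname via each path
        "hijack_suspected": answers_disagree(["203.0.113.50"],
                                             ["198.51.100.10", "198.51.100.11"]),
    }
```

To run this against a real host, feed `parse_resolv_conf` the contents of /etc/resolv.conf (or the DHCP DNS option on other systems) and obtain the trusted answer set with a DNS client pointed directly at a resolver you chose.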
Although TP-Link routers are prevalent across the U.S., the Federal Communications Commission last month announced a ban on new routers from the company, given its alleged ties to the Chinese government.