A Global Espionage Network Brought Down
Federal authorities and cybersecurity researchers announced Tuesday that a sweeping Russian state-sponsored espionage campaign, which had compromised more than 18,000 routers spread across over 120 countries, has been successfully dismantled. The operation, dubbed Operation Masquerade, was led by the FBI and assisted by federal prosecutors, the National Security Division's National Security Cyber section, Lumen's Black Lotus Labs, and Microsoft Threat Intelligence.
The threat actor behind the campaign is Forest Blizzard, also tracked as APT28 and Fancy Bear. This group is formally attributed to Russia's Main Intelligence Directorate of the General Staff (GRU) Military Unit 26165. By exploiting known vulnerabilities in consumer-grade routers — primarily TP-Link and MikroTik devices — the group was able to build an extensive covert infrastructure designed to facilitate deep access into sensitive networks worldwide.
How the Attack Worked
Forest Blizzard's methodology centered on adversary-in-the-middle (AiTM) attacks. The group hijacked domain name system (DNS) settings on compromised routers to redirect traffic through attacker-controlled infrastructure. By impersonating legitimate services — including Microsoft Outlook Web Access — they were able to intercept and steal a range of sensitive credentials, including:
- Passwords for Microsoft accounts and other services
- OAuth tokens
- Credentials for cloud-hosted content and platforms
Microsoft was quick to clarify that no company-owned assets or services were directly compromised during this campaign. The attackers initially targeted network edge devices opportunistically before narrowing their focus to individuals and organizations of specific intelligence value to the Russian government.
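As an added example (not code from the article or from any organization it names), the following Python audit checks for the two defender-visible indicators of the DNS hijacking described above: a router's upstream resolvers drifting from the set the owner expects, and the router's answer for a high-value hostname (such as an Outlook Web Access endpoint) differing from an answer obtained out of band from a trusted resolver. All IP addresses (documentation ranges) and hostnames are constructed.

```python
# Added example, not code from the article or the organizations it names.
# All IPs (documentation ranges) and hostnames below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # "unexpected_resolver" or "answer_mismatch"
    detail: str


def check_resolvers(configured, expected):
    """Flag upstream resolvers set on the router that are not in the expected set.
    A hijacked router typically points clients at an attacker-controlled resolver."""
    return [Finding("unexpected_resolver", r) for r in configured if r not in expected]


def check_answers(router_answers, trusted_answers):
    """Compare the router resolver's answers for high-value names (e.g. an OWA host)
    with answers obtained out of band from a trusted resolver; any difference is a
    redirection indicator worth investigating."""
    findings = []
    for name, trusted in trusted_answers.items():
        got = router_answers.get(name, [])
        if set(got) != set(trusted):
            findings.append(Finding("answer_mismatch",
                                    f"{name}: router={sorted(got)} trusted={sorted(trusted)}"))
    return findings


def audit(snapshot, expected_resolvers, trusted_answers):
    """Run both checks over a snapshot of the router's DNS state."""
    return (check_resolvers(snapshot["resolvers"], expected_resolvers)
            + check_answers(snapshot["answers"], trusted_answers))


# Constructed data: what a defender expects, and a snapshot from a router whose
# DNS settings have been altered in the way the article describes.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}          # ISP / corporate resolvers
TRUSTED_ANSWERS = {"mail.example.org": ["198.51.100.20"]}  # from an out-of-band lookup
HIJACKED_SNAPSHOT = {
    "resolvers": ["203.0.113.7", "192.0.2.53"],             # 203.0.113.7 is unexpected
    "answers": {"mail.example.org": ["203.0.113.50"]},      # points at an impostor host
}
CLEAN_SNAPSHOT = {
    "resolvers": ["192.0.2.53"],
    "answers": {"mail.example.org": ["198.51.100.20"]},
}

if __name__ == "__main__":
    for f in audit(HIJACKED_SNAPSHOT, EXPECTED_RESOLVERS, TRUSTED_ANSWERS):
        print(f.kind, f.detail)
```

In practice the snapshot would be pulled from the router's management interface or DHCP leases and the trusted answers from a resolver reached over a path the router cannot influence (for example DNS over HTTPS from a separate network).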
Scale of the Intrusions
According to Microsoft Threat Intelligence, Forest Blizzard breached the systems of more than 200 organizations and affected at least 5,000 consumer devices. The FBI confirmed that GRU actors had weaponized routers owned by Americans in more than 23 U.S. states to harvest sensitive government, military, and critical infrastructure data.
Victims spanned a broad range of sectors. Researchers identified compromised entities in:
- Government agencies
- Information technology and telecommunications firms
- Energy sector organizations
Lumen's Black Lotus Labs uncovered additional victims linked to Afghanistan's government, foreign affairs ministries, and national law enforcement agencies in North Africa, Central America, and Southeast Asia. An unnamed European country's national identity platform was also among those impacted, Lumen reported. Despite the breadth of the intrusions, Lumen found no evidence that any U.S. government agencies were compromised in this particular campaign, though the company stressed that the activity represents a serious national security threat.
FBI Takes Court-Authorized Action
Rather than simply issuing warnings, the FBI obtained a court order enabling it to take direct action on compromised routers located within the United States. The operation involved pushing a series of commands to affected devices designed to reset DNS configurations and block Forest Blizzard's continued use of its initial access vectors.
"GRU actors compromised routers in the U.S. and around the world, hijacking them to conduct espionage. Given the scale of this threat, sounding the alarm wasn't enough. The FBI conducted a court-authorized operation to harden compromised routers across the United States." — Brett Leatherman, Assistant Director of the FBI's Cyber Division
The evidence collected during the operation contributed to a broader understanding of Forest Blizzard's tactics, though investigators noted that the full scope of what the group achieved remains under investigation.
The Campaign's Timeline and Trigger
Lumen's researchers observed a notable uptick in widespread router exploitation and DNS redirection activity beginning in August — specifically the day after the United Kingdom's National Cyber Security Centre (NCSC) published a malware analysis report detailing a tool used to steal Microsoft Office credentials. This timing suggests that Forest Blizzard may have accelerated its operations in anticipation of increased scrutiny following that public disclosure.
On Tuesday, the UK's NCSC also published its own detailed account of APT28's DNS hijacking campaign, including indicators of compromise that organizations can use to assess their own exposure.
Campaign Declared Over — For Now
Researchers expressed confidence that the active exfiltration of sensitive information has come to a halt. Danny Adamitis, distinguished engineer at Black Lotus Labs, told CyberScoop:
"The campaign has ceased. We have observed a gradual decline in communications associated with this infrastructure over the past several weeks."
While the takedown represents a significant disruption to one of Russia's most active cyber-espionage units, the broader threat posed by Forest Blizzard and similar state-sponsored groups remains very much alive. The operation underscores the growing willingness of U.S. authorities to move beyond passive monitoring and take active, court-sanctioned steps to disrupt foreign intelligence cyber operations targeting American infrastructure and allies abroad.
Source: CyberScoop