FBI and DOJ Dismantle Russian Military Intelligence Router Network

The U.S. Justice Department and FBI announced on April 7, 2026 that they had completed a court-authorized operation to disrupt a network of compromised routers being used by a unit within Russia's Main Intelligence Directorate, better known as the GRU. The operation targeted thousands of small office and home office (SOHO) routers that had been quietly hijacked to carry out DNS hijacking attacks against individuals and organizations in military, government, and critical infrastructure sectors.

The scale and method of the operation offer a clear window into how state-sponsored actors exploit overlooked consumer hardware to conduct sophisticated intelligence-gathering campaigns.

How the DNS Hijacking Attack Worked

The GRU unit exploited known vulnerabilities in TP-Link routers, a brand commonly found in homes and small businesses worldwide. Once inside a device, the attackers manipulated its DNS settings. DNS, or Domain Name System, is the process that translates a website address like "example.com" into the numerical IP address that computers use to connect. It functions, essentially, as the internet's address book.

By changing the DNS settings on compromised routers, the GRU was able to redirect traffic through servers it controlled, without the device owner ever knowing. This technique is known as an Actor-in-the-Middle attack. When victims attempted to visit legitimate websites or log into accounts, their requests were quietly rerouted. Because much of this traffic was unencrypted, the attackers were able to harvest passwords, authentication tokens, and email content in plain text.

The victims were not necessarily doing anything wrong. They were using their normal routers, visiting normal websites. The attack happened at the infrastructure level, below the visibility of most users and even many IT teams.

Why SOHO Routers Are a Persistent Target

Small office and home office routers have become a favored entry point for sophisticated threat actors for several reasons. They are numerous, often poorly maintained, and rarely monitored. Firmware updates on consumer routers are infrequent, and many users never change default credentials or review device settings after initial setup.

This is not the first time the FBI has had to intervene to clean up compromised router networks. Similar operations have targeted botnet infrastructure in previous years, involving hardware from multiple manufacturers. The consistency of this attack vector reflects a structural problem: routers sit at the boundary of every network but receive far less security attention than the devices behind them.

The Justice Department's court-authorized operation involved remotely modifying the compromised routers to sever the GRU's access and remove malicious configurations. This type of intervention is rare and requires judicial approval, signaling how seriously U.S. authorities viewed the threat.

What This Means For You

If you use a consumer router at home or in a small office, this operation is a direct signal that your hardware can become part of an intelligence operation without your knowledge or participation. The attack did not require victims to click a malicious link or download anything. It required only that their router run vulnerable firmware and that their internet traffic flow through it unencrypted.

There are concrete steps worth taking in response to this news.

First, check whether your router has available firmware updates and apply them. Router manufacturers regularly patch known vulnerabilities, but those patches are only useful if installed. Many routers allow automatic updates to be enabled through their settings interface.

Second, change default login credentials on your router. A large number of compromised devices in operations like this one are accessed using factory-default usernames and passwords that are publicly documented.

Third, consider what your internet traffic looks like as it leaves your router. Unencrypted traffic, whether HTTP connections, some email protocols, or certain app communications, can be read if your DNS is being redirected. Using encrypted DNS protocols such as DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) ensures that your DNS queries themselves cannot be intercepted or manipulated by a compromised router or a server it routes traffic through.

Fourth, a VPN can provide an additional layer of protection by encrypting traffic between your device and a trusted server before it ever reaches your router or your internet service provider. This means that even if your router's DNS has been tampered with, the contents of your traffic remain unreadable to anyone positioned between you and your destination.
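One way to turn the DNS step above into a check you can run from a device behind the router. This is an added example, not code from the announcement or from any vendor; it assumes Python 3.9+, that you fill in EXPECTED_RESOLVERS with the resolvers your router should actually hand out, and it uses Google's public DoH JSON endpoint (https://dns.google/resolve) as the trusted reference.

```python
"""Check a host behind a SOHO router for signs of DNS redirection (added example).
(1) Are the resolvers the router handed out the ones we expect?  (2) Do the local
resolver's A records agree with a DNS-over-HTTPS reference reached over validated TLS?"""
import json
import socket
import sys
import urllib.request

EXPECTED_RESOLVERS = {"192.168.1.1", "9.9.9.9"}  # assumption: constructed; set to your router's real resolvers

def parse_resolv_conf(text: str) -> set[str]:
    """Return nameserver addresses from resolv.conf-style text."""
    servers = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.add(parts[1])
    return servers

def unexpected_resolvers(configured: set[str], expected: set[str]) -> set[str]:
    """Resolvers in use that are not on the expected list."""
    return configured - expected

def answers_diverge(local: set[str], reference: set[str]) -> bool:
    """True when the answer sets share no address. CDNs legitimately return different IPs
    per region, so an empty intersection is the signal; an empty set (lookup failure) is not."""
    return bool(local) and bool(reference) and local.isdisjoint(reference)

def local_a_records(name: str) -> set[str]:
    """IPv4 answers from the resolver the OS (and hence the router) configured."""
    return {info[4][0] for info in socket.getaddrinfo(name, 80, socket.AF_INET)}

def doh_a_records(name: str) -> set[str]:
    """IPv4 answers from Google's DoH JSON API; TLS certificate validation is what
    stops a router-level redirect from tampering with this reference answer."""
    url = f"https://dns.google/resolve?name={name}&type=A"
    with urllib.request.urlopen(url, timeout=5) as resp:
        body = json.load(resp)
    return {rr["data"] for rr in body.get("Answer", []) if rr.get("type") == 1}

def check_name(name: str) -> bool:
    """Live check: True if the local answer looks redirected for this name."""
    return answers_diverge(local_a_records(name), doh_a_records(name))

if __name__ == "__main__":
    # Constructed resolv.conf, as a router with a tampered DNS setting might hand out.
    sample = "search lan\nnameserver 192.168.1.1\nnameserver 203.0.113.7\n"
    print("unexpected:", unexpected_resolvers(parse_resolv_conf(sample), EXPECTED_RESOLVERS))
    for host in sys.argv[1:] or ["example.com"]:
        print(host, "DIVERGES from reference" if check_name(host) else "matches reference")
```

Run it as `python3 check_dns.py example.com yourbank.example` from a laptop on the router's network; a resolver you did not configure, or answers that share nothing with the DoH reference, is the cue to inspect the router's settings and firmware.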

None of these measures are complex or expensive, but the GRU operation shows clearly that unencrypted traffic and unpatched hardware create real exposure for real people, not just abstract risk.

The FBI's intervention disrupted this particular network, but the underlying vulnerabilities in consumer router hardware remain. Staying informed and taking basic protective steps is the most practical response to an attack surface that is unlikely to disappear.