Philly Daily ran my Crime Beat column on Russian GRU hackers.
You can read the column via the link below or the following text:
Davis: The Russians are coming to a computer near you - Philly Daily
Earlier this month, the National Security Agency (NSA) and other federal agencies co-sealed an FBI public service announcement, “Russian GRU Exploiting Vulnerable Routers to Steal Sensitive Information.”
The public service announcement accompanied an announcement from U.S. Attorney David Metcalf in Philadelphia, the Department of Justice, and the FBI that a court-authorized technical operation had neutralized the U.S. portion of a network of small office/home office (SOHO) routers compromised by a unit within Russia’s Main Intelligence Directorate of the General Staff (GRU: Glavnoye Razvedyvatelnoye Upravleniye), Military Unit 26165, also known as APT28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit.
Having spent more than 37 years doing security work as a young sailor in the U.S. Navy and later as a Defense Department civilian, I’m well aware of the Russian GRU, which is essentially the same gang as the old Soviet GRU. (Above is the GRU emblem.)
The GRU is the Russian military intelligence agency that operates worldwide alongside the Russian foreign intelligence agency, the SVR, which is essentially the old First Main Directorate of the old KGB.
During my time in the Defense Department, I was trained to guard against the KGB (later the SVR) and the GRU. I often traveled to Washington, D.C. to receive briefings from the FBI, CIA, DIA and NSA on the threat from the SVR/KGB and the GRU.
The GRU, the military group that includes the Spetsnaz special operations forces and the “active measures” unit that murdered a Russian defector with radiation-poisoned tea, also employs full-time hackers.
According to Metcalf, the hacker unit used the routers to facilitate malicious Domain Name System (DNS) hijacking operations against worldwide targets of intelligence interest to the Russian government, including individuals in the military, government, and critical infrastructure sectors.
“Since at least 2024, GRU actors have exploited known vulnerabilities to steal credentials for thousands of TP-Link routers worldwide. The actors then accessed many of these compromised routers without authorization and manipulated their settings to redirect DNS requests to GRU-controlled servers - i.e., malicious DNS resolvers. GRU actors were indiscriminate in their initial targeting and manipulation of routers. The actors then implemented an automated filtering process to determine which DNS requests were of interest and warranted interception. For select targets, the GRU’s DNS resolvers provided fraudulent DNS records for specific domains that mimicked legitimate services — including Microsoft Outlook Web Access — to facilitate Actor-in-the-Middle attacks against encrypted victim network traffic. In doing so, the GRU actors harvested unencrypted passwords, authentication tokens, emails, and other sensitive information from devices on the same network as the compromised TP-Link routers,” the announcement stated.
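The hijack pattern the announcement describes has two observable symptoms a defender can check for: the router's upstream DNS setting no longer matches what the ISP hands out, and selected domains resolve to addresses an independent resolver never returns. The script below is an added example, not code from the column or the FBI, and all resolver addresses, domain names and answers in it are constructed sample data.

```python
"""Defender-side check for router DNS hijacking (added example, constructed data).

Two checks, mirroring the FBI announcement:
 1. HIGH   - the router's upstream DNS servers are not the ones the ISP provides
             (the setting the GRU actors changed on compromised routers).
 2. MEDIUM - a sensitive domain resolves, via the router, to addresses that share
             nothing with the answer from an independent reference resolver.
             CDNs legitimately vary answers by vantage point, so this is a lead to
             verify (e.g. by inspecting the TLS certificate served), not proof.
"""
import ipaddress
import re

# Matches dig-style answer lines: "<name>. <ttl> IN A <address>"
_ANSWER_RE = re.compile(r"^(\S+?)\.?\s+\d+\s+IN\s+A\s+(\S+)$")

# Constructed sample data (documentation address ranges, not real servers).
ROUTER_DNS = ["203.0.113.53", "198.51.100.2"]        # as read from the router's web page
EXPECTED_RESOLVERS = ["198.51.100.2", "198.51.100.3"]  # resolvers the ISP issues via DHCP
LOCAL_ANSWERS = """outlook.example.com. 60 IN A 203.0.113.10
example.org. 300 IN A 192.0.2.5"""                     # resolved through the router
REFERENCE_ANSWERS = """outlook.example.com. 300 IN A 192.0.2.20
outlook.example.com. 300 IN A 192.0.2.21
example.org. 300 IN A 192.0.2.5"""                     # resolved via an independent resolver


def parse_answers(text):
    """Map each queried name to the set of A-record addresses in dig-style output."""
    answers = {}
    for line in text.splitlines():
        m = _ANSWER_RE.match(line.strip())
        if m:
            answers.setdefault(m.group(1).lower(), set()).add(m.group(2))
    return answers


def check_dns_hijack(router_dns, expected_resolvers, local_text, reference_text):
    """Return a list of (severity, message) findings; empty means nothing suspicious."""
    findings = []
    expected = {ipaddress.ip_address(a) for a in expected_resolvers}
    for ns in router_dns:
        if ipaddress.ip_address(ns) not in expected:
            findings.append(("HIGH", f"router uses unexpected resolver {ns}"))
    local, reference = parse_answers(local_text), parse_answers(reference_text)
    for name, ref_addrs in reference.items():
        local_addrs = local.get(name, set())
        if local_addrs and local_addrs.isdisjoint(ref_addrs):
            findings.append(("MEDIUM", f"{name}: local {sorted(local_addrs)} "
                                       f"vs reference {sorted(ref_addrs)}"))
    return findings


if __name__ == "__main__":
    for severity, message in check_dns_hijack(ROUTER_DNS, EXPECTED_RESOLVERS,
                                              LOCAL_ANSWERS, REFERENCE_ANSWERS):
        print(severity, message)
```

On a real network the two answer texts would come from `dig` against the router and against a resolver the router cannot influence, and the expected resolver list from the ISP's DHCP lease.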
“Russian military intelligence once again hijacked Americans’ hardware to commandeer critical data,” said Metcalf. “In the face of continued aggression by our nation-state adversaries, the U.S. government will respond just as aggressively. Working with the FBI — and our partners around the world — we are committed to disrupting and exposing such threats to our nation’s cybersecurity.”
“The GRU’s predatory use of networks in American homes and businesses for its malicious cyber operations remains a serious and persistent threat,” said Assistant Attorney General for National Security John A. Eisenberg. “NSD will continue to use every tool at our disposal to detect such intrusions and expel hostile foreign actors from our Nation’s networks.”
“Operation Masquerade — led by FBI Boston — is the latest example of how we’re defending our homeland from Russia’s GRU, which weaponized routers owned by unsuspecting Americans in more than 23 states to steal sensitive government, military, and critical infrastructure information,” said Special Agent in Charge Ted E. Docks, of the FBI’s Boston Field Office. “The FBI utilized cutting-edge technology and leveraged our private sector and international partners to unmask this malicious activity and remediate routers. Now we’re asking everyone who has a router to secure it, update its firmware, and replace it if needed. By working together, we can guard against nefarious nation-state actors trying to compromise our national security.”
“Operation Masquerade demonstrates the FBI’s commitment to identifying, exposing, and disrupting the Russian government's efforts to compromise American devices, steal sensitive information, and target critical infrastructure,” said Assistant Director Brett Leatherman of FBI’s Cyber Division. “GRU actors compromised routers in the US and around the world, hijacking them to conduct espionage. Given the scale of this threat, sounding the alarm wasn't enough. The FBI conducted a court-authorized operation to harden compromised routers across the United States. We urge all router owners to take the remediation steps outlined today, because defending our networks requires all of us. The FBI will continue to use its authorities to identify and impose costs on state-sponsored actors who target the American people.”
According to court documents unsealed in Philadelphia, the FBI developed a series of commands to send to compromised routers in the United States, designed to collect evidence regarding the GRU actors’ activity, reset DNS settings (i.e., remove GRU DNS resolvers and force routers to obtain legitimate DNS resolvers from their Internet Service Providers (ISPs)), and to otherwise prevent the GRU actors from exploiting the original means of unauthorized access.
As described in court documents, the government extensively tested the operation on firmware and hardware for affected TP-Link routers. Other than stymieing the GRU’s ability to access the routers, the operation did not impact the routers’ normal functionality or collect the legitimate users’ content information.
The court-authorized steps to remediate compromised routers can be reversed by legitimate users at any time through factory resets with hardware reset buttons. Legitimate users can also reverse changes by logging into web management pages and restoring desired settings (e.g., factory default settings).
The FBI is working with ISPs to provide notice of the operation to users of SOHO routers covered by the court’s authorization. If you believe you have a compromised router, please contact your local FBI field office or file a report with the FBI’s Internet Crime Complaint Center.
Paul Davis’s Crime Beat column appears here each week. He is also a contributor to Broad + Liberty and Counterterrorism magazine. He can be reached via pauldavisoncrime.com.
Note: You can read my previous Crime Beat columns via the link below:
Paul Davis On Crime: My Philly Daily Crime Beat Columns