The recent FBI-led operation to knock Russian government hackers off routers sought to topple an especially insidious and threateningly contagious cyberespionage campaign, top bureau cyber official Brett Leatherman told CyberScoop.

Researchers, along with U.S. and foreign government agencies, revealed details of the campaign this week by which APT28 — also known as Forest Blizzard or Fancy Bear, and attributed to Russia’s Main Intelligence Directorate of the General Staff (GRU) — compromised more 18,000 TP-Link routers and infiltrated more than 200 organizations worldwide. 

The compromise of routers used in small and home offices prompted the takedown operation, Operation Masquerade, which involved sending commands to the routers to reset Domain Name System (DNS) settings to prevent the hackers from exploiting that access.

“What’s unique to me in this one is that when you change the internet settings in a router like they did, it propagates to all the devices in your house,” Leatherman, assistant director of the FBI’s cyber division, said. “All those devices now, once they’re connected to that Wi-Fi, are getting the malicious IP addresses that they are then routing their traffic through, and it gives the Russian GRU tremendous access to the content offered through a router itself.”

“The difficulty in an attack like this is that it’s virtually invisible to the end users,” he said. “Actors were not deploying malware like we often see. And so when you think about endpoint detection on your computer or something like that, it’s not seeing that activity because they don’t have to. They’re using the tools on the router itself to capture your internet traffic and extend it  throughout the house, and so traditional tools that detect that activity [are] just not there.”

The disruption operation is in line with the cyber strategy the Trump administration published last month, with its emphasis on going on offense against malicious hackers and protecting critical infrastructure, Leatherman said.

The FBI understands its role in implementing that strategy, he said, and worked with the Office of the National Cyber Director and other agencies in developing it. The White House has kept the public and Capitol Hill in the dark about strategy implementation, however.

“We’ve got a long track record of leveraging unique authorities and capabilities to counter these actors, to impose costs, and through the 56 field offices to really defend critical infrastructure,” Leatherman said. “That’s part of our DNA, really. And so we want to make sure that we continue to align that in the most scalable and agile way we can, to align with the priorities of the strategy itself.”

Leatherman traced how Operation Masquerade — the success of which he credited to the FBI’s Boston offices and partnerships with the private sector and foreign governments — fits into a series of disruptions aimed at Russian government hackers dating back to 2018.

That’s when the bureau took on the VPNFilter botnet by seizing a domain used to communicate with infected routers. In 2022, the FBI took on the Cyclops Blink botnet, and in 2024, Operation Dying Ember went after another botnet.

“”Over the course of those four operations, while the adversary continued to evolve in their tradecraft, so did we,” Leatherman said. “We moved from just sinkholing domains to actually taking steps that block them at the door of these routers, pulled any capability off of those routers so they were no longer able to collect the sensitive information, and then prohibited them from getting back in.”

The post Inside the FBI’s router takedown that cut off APT28’s ‘tremendous access’ appeared first on CyberScoop.

National Cyber Director Sean Cairncross said Tuesday that the Trump administration isn’t aspiring to enlist the private sector to conduct offensive cyber operations, but instead to help the government by keeping them abreast of the threats they’re facing.

The recently-released national cyber strategy talks about incentivizing companies to disrupt the networks of adversaries.

“I’m not talking about the private sector, industry or companies engaging in a cyber offensive campaign,” Cairncross said at an event hosted by Auburn University’s McCrary Institute. “What I’m talking about are the technical capabilities, the ability of our private sector to illuminate the battlefield from what they’re seeing, to inform and share information so that the USG [U.S. government] can respond to get ahead of things.”

The idea of enabling U.S. companies to undertake disruptive or offensive campaigns against malicious hackers, or to at least aid in U.S. government offensive operations, has regained currency in some GOP circles in recent years. Some companies have shown an interest in doing so, especially if laws are changed to make it more viable.

That trend coincides with growing calls from Trump administration officials — and now the release of the cybersecurity strategy — to go on the offense against hackers, although Cairncross emphasized again that the strategy pillar to “shape adversary behavior” isn’t just about conducting cyber offensive campaigns, but to use other government mechanisms to put pressure on hackers, be they legal or diplomatic.

The government can go about shaping the “risk calculus” “in a more agile fashion” with private sector help, he said.

There’s an enormous amount of capability on the private sector side, and now we have a spear from the United States government… we are looking for real partnership,” Cairncross said.

One way the U.S. government has sought to bring the fight to cyber adversaries is the FBI’s “joint sequenced operations,” used to degrade their capabilities. Speaking at the same event, the head of the bureau’s cyber division said the private sector was key to those operations as well.

“Every one of the joint sequenced operations that the FBI conducts to remove that capacity and capability that I talked about — from the Russians, from the Chinese, from the Iranians and others — happens because a victim came forward and engaged the FBI,” said Brett Leatherman.

“One takeaway for everybody here is ‘What is your game plan in the event of a breach to engage your local FBI field office?’” he asked. “I would proffer there’s very little liability in doing so, and we’re happy to have conversations with your outside or inside counsel, but there’s a tremendous amount to be gained by doing that.”

The post Trump administration isn’t pushing companies to conduct cyber offense, national cyber director says appeared first on CyberScoop.