The recent FBI-led operation to knock Russian government hackers off routers sought to topple an especially insidious and threateningly contagious cyberespionage campaign, top bureau cyber official Brett Leatherman told CyberScoop.

Researchers, along with U.S. and foreign government agencies, revealed details of the campaign this week by which APT28 — also known as Forest Blizzard or Fancy Bear, and attributed to Russia’s Main Intelligence Directorate of the General Staff (GRU) — compromised more 18,000 TP-Link routers and infiltrated more than 200 organizations worldwide. 

The compromise of routers used in small and home offices prompted the takedown operation, Operation Masquerade, which involved sending commands to the routers to reset Domain Name System (DNS) settings to prevent the hackers from exploiting that access.

“What’s unique to me in this one is that when you change the internet settings in a router like they did, it propagates to all the devices in your house,” Leatherman, assistant director of the FBI’s cyber division, said. “All those devices now, once they’re connected to that Wi-Fi, are getting the malicious IP addresses that they are then routing their traffic through, and it gives the Russian GRU tremendous access to the content offered through a router itself.”

“The difficulty in an attack like this is that it’s virtually invisible to the end users,” he said. “Actors were not deploying malware like we often see. And so when you think about endpoint detection on your computer or something like that, it’s not seeing that activity because they don’t have to. They’re using the tools on the router itself to capture your internet traffic and extend it  throughout the house, and so traditional tools that detect that activity [are] just not there.”

The disruption operation is in line with the cyber strategy the Trump administration published last month, with its emphasis on going on offense against malicious hackers and protecting critical infrastructure, Leatherman said.

The FBI understands its role in implementing that strategy, he said, and worked with the Office of the National Cyber Director and other agencies in developing it. The White House has kept the public and Capitol Hill in the dark about strategy implementation, however.

“We’ve got a long track record of leveraging unique authorities and capabilities to counter these actors, to impose costs, and through the 56 field offices to really defend critical infrastructure,” Leatherman said. “That’s part of our DNA, really. And so we want to make sure that we continue to align that in the most scalable and agile way we can, to align with the priorities of the strategy itself.”

Leatherman traced how Operation Masquerade — the success of which he credited to the FBI’s Boston offices and partnerships with the private sector and foreign governments — fits into a series of disruptions aimed at Russian government hackers dating back to 2018.

That’s when the bureau took on the VPNFilter botnet by seizing a domain used to communicate with infected routers. In 2022, the FBI took on the Cyclops Blink botnet, and in 2024, Operation Dying Ember went after another botnet.

“”Over the course of those four operations, while the adversary continued to evolve in their tradecraft, so did we,” Leatherman said. “We moved from just sinkholing domains to actually taking steps that block them at the door of these routers, pulled any capability off of those routers so they were no longer able to collect the sensitive information, and then prohibited them from getting back in.”

The post Inside the FBI’s router takedown that cut off APT28’s ‘tremendous access’ appeared first on CyberScoop.

Russian state-sponsored attackers compromised more than 18,000 routers spread across more than 120 countries to gain deeper access to sensitive networks for a large-scale espionage campaign before it was recently neutralized, researchers and authorities said Tuesday.

Forest Blizzard, also known as APT28 and Fancy Bear, exploited known vulnerabilities to steal credentials for thousands of TP-Link routers globally. The threat group, which is attributed to Russia’s Main Intelligence Directorate of the General Staff (GRU) Military Unit 26165, hijacked domain name system settings and stole additional credentials and tokens via redirected traffic, the Justice Department said.

The threat group established an expansive espionage network by intruding systems of more than 200 organizations, impacting at least 5,000 consumer devices, Microsoft Threat Intelligence said in a report. 

Operation Masquerade, a collaborative takedown operation led by the FBI, aided by federal prosecutors, the National Security Division’s National Security Cyber section, Lumen’s Black Lotus Labs and Microsoft Threat Intelligence, involved a series of commands designed to reset DNS settings and prevent the threat group from further exploiting its initial means of access. 

“GRU actors compromised routers in the U.S. and around the world, hijacking them to conduct espionage. Given the scale of this threat, sounding the alarm wasn’t enough,” Brett Leatherman, assistant director of the FBI’s cyber division, said in a statement. “The FBI conducted a court-authorized operation to harden compromised routers across the United States.”

Forest Blizzard’s widespread campaign involved adversary-in-the-middle attacks against domains mimicking legitimate services, including Microsoft Outlook Web Access. This allowed attackers to intercept passwords, OAuth tokens, credentials for Microsoft accounts, and other services and cloud-hosted content. 

Microsoft insists company-owned assets or services were not compromised as part of the campaign.

The threat group targeted network edge devices, including TP-Link and MicroTik routers, opportunistically before it identified sensitive targets of intelligence interest to the Russian government, including people in the military, government and critical infrastructure sectors. 

Victims, according to researchers, include government agencies and organizations in the IT, telecom and energy sectors. Lumen identified other victims associated with Afghanistan’s government and others linked to foreign affairs and national law enforcement agencies in North Africa, Central America and Southeast Asia. An unnamed European country’s national identity platform was also impacted, the company said.

Lumen did not find evidence of any compromised U.S. government agencies as part of this campaign, but warned that the activity poses a grave national security threat.

While the full scope of Forest Blizzard’s accomplishments remain under investigation, researchers are confident the bleeding of sensitive information has stopped. 

“The campaign has ceased,” Danny Adamitis, distinguished engineer at Black Lotus Labs, told CyberScoop. “We have observed a gradual decline in communications associated with this infrastructure over the past several weeks.”

Lumen said it observed widespread router exploitation and DNS redirection beginning in August, the day after the United Kingdom’s National Cyber Security Centre published a malware analysis report about a tool used to steal Microsoft Office credentials. The U.K.’s NCSC on Tuesday published details about APT28’s DNS hijacking campaign, including indicators of compromise.

The Justice Department and FBI, acting on a court order, remediated compromised routers in the United States after collecting evidence on Forest Blizzard’s activity. The FBI said Russia’s GRU weaponized routers owned by Americans in more than 23 states to steal sensitive government, military and critical infrastructure information.

The post Feds quash widespread Russia-backed espionage network spanning 18,000 devices appeared first on CyberScoop.

Attackers associated with Russia’s Main Intelligence Directorate (GRU) have targeted Western-based critical infrastructure with a special focus on the energy sector as part of an ongoing campaign dating back to 2021, Amazon Threat Intelligence said in a report Monday. 

The threat group simplified operations earlier this year by shifting away from vulnerability exploitation to focus on misconfigured network edge devices hosted on Amazon Web Services as the primary initial access vector, CJ Moses, chief information security officer of Amazon Integrated Security, said in a blog post. 

Researchers said malicious infrastructure used by the attackers overlaps with operations linked to Sandworm, also known as APT44 and Seashell Blizzard, a detail that gives them confidence the activity is associated with Russia’s GRU. 

Amazon did not say how many attacks it’s attributed to the campaign, nor how the pace of activity has changed since the first wave of attacks occurred in 2021. The company said it has notified customers affected by the intrusions, remediated compromised EC2 instances and shared intelligence with partners and affected vendors to aid further investigations.

The Russia state-sponsored threat group has continued to target multiple Western-based organizations in the energy sector including electric utilities, energy providers and managed security service providers specializing in the industry, according to Amazon. 

Researchers said the threat group has also targeted collaboration platforms, source code repositories, organizations with cloud-based network infrastructure, critical infrastructure providers in North America and Europe, and telecom providers across multiple regions. 

Attacks typically begin with a compromised customer network edge device hosted on AWS, followed by attempts to capture data traversing the network in a bid to steal credentials and reuse those credentials against victim organizations’ other services and infrastructure to maintain access, according to Amazon.

Moses insists the compromise of network edge devices hosted on AWS is not due to a weakness in its  infrastructure, but rather improper device setup from customers. Attackers associated with Russia’s GRU have targeted enterprise routers and routing infrastructure, virtual private networks for large organizations, remote-access gateways and network-management appliances. 

The campaign initially relied on vulnerability exploitation from 2021 to 2024, including CVE-2022-26318 affecting WatchGuard, CVE-2021-26084 and CVE-2023-22518 affecting Confluence and CVE-2023-27532 affecting Veeam, researchers said.

Yet, targeting shifted to misconfigured network edge devices this year, which allowed attackers to achieve the same strategic goals at a lower cost. 

“While customer misconfiguration targeting has been ongoing since at least 2022, the actor maintained sustained focus on this activity in 2025 while reducing investment in zero-day and N-day exploitation,” Moses said in the blog post. “The actor accomplishes this while significantly reducing the risk of exposing their operations through more detectable vulnerability exploitation activity.”

Sandworm is one of the most notorious state-sponsored threat groups of the past decade. The group primarily targets government, defense, transportation, energy, media and civil society organizations in Russia’s near abroad. It has repeatedly targeted Western electoral systems and institutions, including in NATO member countries. On three separate occasions, the group has succeeded in using a cyberattack to disrupt electricity distribution in Ukraine.

The post Amazon warns that Russia’s Sandworm has shifted its tactics appeared first on CyberScoop.

The Justice Department has charged a Ukrainian national with conducting cyberattacks on critical infrastructure worldwide as part of two Russian state-sponsored hacking operations that targeted water systems, food processing facilities and government networks across the United States and allied nations.

Victoria Eduardovna Dubranova, 33, was arraigned on a second indictment Tuesday after being extradited to the U.S. earlier this year. She faces charges related to her alleged work with CyberArmyofRussia_Reborn, known as CARR, and NoName057(16), two groups federal prosecutors say received backing from Moscow to advance Russian geopolitical interests. 

Dubranova pleaded not guilty in both cases.

The indictments describe operations that evolved from distributed denial of service attacks to more destructive intrusions into industrial control systems. CARR, according to prosecutors, was founded and funded by Russia’s Main Directorate of the General Staff of the Armed Forces, known as the GRU. NoName057(16) emerged from the Center for the Study and Network Monitoring of the Youth Environment, an information technology organization established by presidential order in Russia in October 2018.

Brett Leatherman, the FBI’s assistant director in its cyber division, said the charges against Dubranova are the first time the U.S. has charged someone under the law designed to protect water systems.

“Let me emphasize, the FBI doesn’t just track cyber adversaries. We call them out and bring them to justice,” Leatherman said on a press call Wednesday. “That’s what today demonstrates.”

Both groups claimed credit for hundreds of attacks beginning in 2022, following the escalation of the Russia-Ukraine conflict. CARR maintained a Telegram channel with more than 75,000 followers and at times had over 100 members, including juveniles, according to the indictment. The group received financial support from a figure using the moniker “Cyber_1ce_Killer,” which federal authorities associate with at least one GRU officer.

The attacks attributed to CARR resulted in tangible damage to U.S. infrastructure. Public drinking water systems in several states experienced damage to control systems that caused hundreds of thousands of gallons of water to spill. In November 2024, an attack on a meat processing facility in Los Angeles spoiled thousands of pounds of meat and triggered an ammonia leak that forced an evacuation. The group also targeted U.S. election infrastructure and websites for nuclear regulatory entities.

NoName057(16) operated differently, developing proprietary software called DDoSia that recruited volunteers worldwide to participate in attacks. The group published daily leaderboards on Telegram ranking participants and paid top volunteers in cryptocurrency. Between March 2022 and June 2025, the group conducted more than 1,500 attacks on government agencies, financial institutions, railways and ports in Ukraine and NATO countries including Estonia, Finland, Lithuania, Norway, Poland and Sweden.

The group targeted Dutch infrastructure during the June 2025 NATO Summit in The Hague. Volunteers who downloaded DDoSia were required to read a manifesto describing pro-Russian geopolitical motivations before participating in attacks on targets selected by administrators.

Federal investigators from multiple agencies, including the FBI, CISA, NSA, Department of Energy and EPA, issued a joint advisory warning that pro-Russia hacktivist groups target minimally secured internet-facing connections to infiltrate operational technology control devices. The EPA emphasized the threat to public water systems, noting the defendant’s actions put communities and drinking water resources at risk.

Chris Butera, CISA’s acting deputy executive assistant director for cybersecurity, said Wednesday that organizations responsible for operating critical infrastructure should understand these groups are “actively engaging in opportunistic, low sophistication, malicious cyber activity across multiple sectors to gain notoriety and create mayhem.”

“The single most important thing people can do to protect themselves is to reduce the number of operational technology devices exposed to the public-facing internet,” Butera said. 

Dubranova faces one count of conspiracy to damage protected computers in the NoName case, carrying a maximum five-year sentence. The CARR indictment charges her with conspiracy to damage protected computers and tamper with public water systems, damaging protected computers, access device fraud and aggravated identity theft. If convicted on all CARR charges, she faces up to 27 years in federal prison.

The State Department announced rewards of up to $2 million for information on individuals associated with CARR and up to $10 million for information related to NoName057(16). Two CARR members, Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, were previously sanctioned by the Treasury Department in July 2024. Pankratova allegedly served as administrator of CARR, while Degtyarenko is described as a primary hacker who accessed a U.S. energy company’s supervisory control and data acquisition system.

The investigations are part of Operation Red Circus, an FBI initiative to disrupt Russian state-sponsored cyber threats to U.S. critical infrastructure. By late 2024, prosecutors say CARR administrators grew dissatisfied with GRU support and created a new group called Z-Pentest that employs similar tactics.

Trials are scheduled for Feb. 3, 2026, in the NoName matter and April 7, 2026, in the CARR case.

The post US charges hacker tied to Russian groups that targeted water systems and meat plants appeared first on CyberScoop.