A coalition of 15 international partners, led by the FBI and the U.S. Department of Justice, has successfully neutralized a sophisticated cyber espionage campaign operated by the Russian military intelligence service. The operation, known as 'Operation Masquerade,' targeted critical infrastructure and government entities by exploiting vulnerabilities in home and small-office routers to hijack DNS traffic.
Fancy Bear Tactics
The GRU's Unit 26165, also known as APT28 or Fancy Bear, has used TP-Link SOHO routers to intercept SSL/TLS-encrypted data and authentication credentials since at least 2024.
Romanian Involvement
President Nicușor Dan confirmed that the Romanian Intelligence Service (SRI) and its National Cyberint Center provided critical technical support to identify and filter compromised domestic targets.
Broad International Coalition
The operation included intelligence agencies from Canada, Poland, Germany, and Ukraine, highlighting a unified Western response to Russian hybrid warfare tactics.
Remediation Urgency
Authorities have issued an immediate warning for network administrators to update edge device firmware and monitor for DNS hijacking to mitigate the risk of ongoing Russian surveillance.
The FBI, together with Romania's SRI and intelligence partners from 14 other countries, dismantled a prolonged Russian military cyber espionage network on April 8, 2026, in an operation named "Operation Masquerade." The campaign was run by GRU Unit 26165, also known as APT28, Fancy Bear, Forest Blizzard, Sofacy Group, Pawn Storm, and Sednit, according to statements from the U.S. Department of Justice and the FBI. The unit exploited vulnerable SOHO routers, specifically TP-Link devices, to intercept and steal sensitive data from military, government, and critical infrastructure targets across multiple Western states. Romanian President Nicușor Dan confirmed the SRI's participation and characterized the operation as further evidence of Russia's ongoing hybrid war against the West. The international coalition issuing the joint warning included partners from Canada, the Czech Republic, Denmark, Estonia, Finland, Germany, Italy, Latvia, Lithuania, Norway, Poland, Portugal, Romania, Slovakia, and Ukraine, alongside the U.S. National Security Agency.
Hackers redirected encrypted traffic through hijacked routers
The GRU actors exploited a specific vulnerability, CVE-2023-50224, in TP-Link routers to gain access and then altered the devices' DHCP and DNS settings, inserting DNS resolution servers under their own control. Once a router was compromised, all connected devices — including laptops and mobile phones — inherited the modified settings without the user's knowledge. The infrastructure controlled by the attackers resolved and captured queries for all domain names passing through the device. The GRU then provided fraudulent DNS responses for specific domains and services, including Microsoft Outlook Web Access, enabling so-called adversary-in-the-middle attacks against encrypted traffic. Through this method, Russian hackers collected passwords, authentication tokens, emails, and web browsing data normally protected by SSL and TLS encryption. The SRI stated that "the GRU compromised a wide range of global entities, including those in Romania, and filtered the victims, specifically targeting information from the military, government, and critical infrastructure sectors." The operation had been active at least since 2024, according to the FBI.
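A check for the router-pushed resolver change described above, as an added example that is not from the article or the agencies' advisory: it extracts the DNS servers a client received over DHCP and wrote to resolv.conf, then flags any that fall outside an approved set. The ISC dhclient lease format, the sample text, the addresses and the approved networks are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of an ISC dhclient lease; all addresses are
# RFC 5737 documentation ranges, not real indicators.
SAMPLE_LEASE = """\
lease {
  option routers 192.168.0.1;
  option domain-name-servers 203.0.113.53, 192.168.0.1;
}
"""
# Constructed sample of the resolv.conf the same client ended up with.
SAMPLE_RESOLV = """\
# generated by dhclient
nameserver 203.0.113.53
nameserver 192.168.0.1
"""
# Assumption: the resolvers this site expects its clients to use.
APPROVED = ["192.168.0.1/32", "198.51.100.0/28"]

def dhcp_dns_servers(lease_text):
    # Collect every address on "option domain-name-servers ...;" lines.
    found = []
    for m in re.finditer(r"option\s+domain-name-servers\s+([^;]+);", lease_text):
        found += [s.strip() for s in m.group(1).split(",") if s.strip()]
    return found

def resolv_conf_servers(resolv_text):
    # Collect "nameserver X" entries, ignoring comments.
    found = []
    for line in resolv_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found

def unexpected_resolvers(servers, approved_cidrs):
    # Flag resolvers that do not parse or fall outside every approved network.
    nets = [ipaddress.ip_network(c) for c in approved_cidrs]
    flagged = []
    for s in dict.fromkeys(servers):  # de-duplicate, keep first-seen order
        try:
            ok = any(ipaddress.ip_address(s) in n for n in nets)
        except ValueError:
            ok = False
        if not ok:
            flagged.append(s)
    return flagged

if __name__ == "__main__":
    seen = dhcp_dns_servers(SAMPLE_LEASE) + resolv_conf_servers(SAMPLE_RESOLV)
    print(unexpected_resolvers(seen, APPROVED))
```

A client that uses the router itself as its resolver passes this check even if the router's upstream DNS setting was changed, so the router's own DNS configuration needs the same comparison.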
Romanian president calls for stronger national cybersecurity
Romanian President Nicușor Dan, who took office in 2025 after previously serving as Mayor of Bucharest, responded to the FBI announcement in a statement posted on his personal Facebook page on Wednesday. He confirmed that the SRI had participated in the multinational operation and framed the cyberattack as part of a broader pattern of Russian aggression against Western nations.
"Russia continues the hybrid war against Western countries and only someone of bad faith does not see this. Romania must improve its cyber security and continue to collaborate with Western partners." — Nicușor Dan via G4Media
The president's statement also described the dismantled network as targeting "sensitive infrastructure in several Western states," with the GRU collecting "military, governmental, and critical infrastructure information." The SRI's participation was channeled through its National Cyberint Center, according to Digi24. Dan's remarks came as Romania has been deepening its integration into Western security structures, and the operation underscores the country's active role in collective cyber defense efforts within the NATO framework.
APT28, also known as Fancy Bear, has been linked by Western intelligence agencies to the GRU's 85th Main Special Service Center (Unit 26165) for years. The group has been associated with a series of high-profile intrusions targeting government, military, and political organizations across Europe and North America. DNS hijacking as a technique allows attackers to silently redirect users to malicious infrastructure without triggering standard security alerts, making it particularly effective against targets that rely on encrypted communications.
Fifteen-country coalition warns the public on router vulnerabilities
Beyond dismantling the network, the FBI and its partners issued a joint public warning urging network administrators and device owners to take immediate remedial steps to reduce the attack surface of edge network devices. The joint advisory listed all 15 participating nations, spanning NATO's eastern and northern flanks, reflecting the geographic breadth of the GRU's targeting. Authorities specifically recommended protective measures for router users, though the detailed technical guidance was published separately by the relevant agencies. The operation's name, "Operation Masquerade," was confirmed in the U.S. Department of Justice statement, according to G4Media, which first reported the SRI's involvement. The disclosure adds to a growing body of documented Russian cyber operations against Western infrastructure at a time when Russia's broader conflict with Ukraine and hybrid activities targeting NATO member states remain active concerns for Western governments.
Mentioned People
- Nicușor Dan — Seventh president of Romania
Sources: 6 articles
- Spionii ruși au vizat România: au accesat ilegal camere video (G4Media.ro)
- SRI, FBI și alte agenții partenere au destructurat un atac informatic comis de hackeri ruși (Libertatea)
- Cum acționa gruparea rusă asociată serviciului de informații al armatei ruse care a fost destructurată de FBI, SRI și servicii din alte state - HotNews.ro (HotNews.ro)
- SRI, detalii despre operațiunea comună cu FBI împotriva spionilor ruși (G4Media.ro)
- Campanie de spionaj cibernetic orchestrată de Rusia, destructurată de FBI. SRI, implicat în operațiune. Nicușor Dan: "Rusia continuă războiul hibrid" (adevarul.ro)
- Nicușor Dan: Atac informatic major, destructurat cu sprijinul FBI și SRI. Rusia continuă războiul hibrid - Știrile ProTV (Stirile ProTV)
- Președintele Nicușor Dan: "Rusia continuă războiul hibrid și numai cine este de rea-credință nu vede asta" (Ziare.com)
- Nicușor Dan: Rusia continuă războiul hibrid împotriva țărilor occidentale (G4Media.ro)
- Războiul hibrid al Rusiei: FBI anunță destructurarea unui atac informatic asupra infrastructurii sensibile din mai multe state occidentale (Mediafax.ro)
- BREAKING Nicușor Dan anunță o operațiune a SRI și FBI pentru destructurarea unei rețele de hackeri ruși asociați GRU. Anunț al lui Nicușor Dan - HotNews.ro (HotNews.ro)