
DOJ Disrupts Russian GRU Cybercrime Network Exploiting Router Vulnerabilities

  • Writer: OpusDatum
  • Apr 7
  • 2 min read

[Image: US Department of Justice seal]

The US Department of Justice (DOJ) has intensified its response to state-backed cybercrime with a court-authorised operation targeting a DNS hijacking network linked to Russia’s GRU. Announced on 7 April 2026, the action focused on dismantling infrastructure used by APT28, a well-known cyber espionage group, which had compromised thousands of routers to conduct large-scale credential harvesting and surveillance activity.


The operation highlights a critical evolution in cybercrime tactics, where threat actors increasingly exploit widely used consumer and business hardware to build covert attack infrastructure. In this case, compromised TP-Link routers were used to redirect Domain Name System traffic through malicious servers, enabling interception of sensitive data and facilitating actor-in-the-middle attacks. By mimicking trusted platforms such as Microsoft Outlook Web Access, attackers were able to extract login credentials, authentication tokens and communications data at scale.


From a cybercrime risk perspective, this development reinforces the growing convergence between traditional cybercrime and state-sponsored operations. Techniques such as DNS hijacking, credential theft and network exploitation are no longer confined to financially motivated actors but are now central to geopolitical intelligence gathering. This blurring of lines increases both the frequency and sophistication of attacks facing organisations across sectors.


The DOJ’s intervention also signals a more proactive enforcement posture. Rather than relying solely on indictments or sanctions, authorities executed a technical disruption by remotely issuing commands to affected devices in the United States. This allowed investigators to remove malicious configurations, restore legitimate DNS settings and prevent continued unauthorised access, all under judicial oversight. Such actions reflect a broader shift towards active defence strategies in combating cybercrime networks.


For organisations, the incident underscores the importance of securing network infrastructure as part of a comprehensive cybercrime defence strategy. Vulnerabilities in routers and edge devices represent a persistent entry point for attackers, particularly where outdated firmware, weak authentication controls or unsupported hardware remain in use. Effective mitigation requires routine patching, verification of DNS configurations and strict control over remote management features.
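The "verification of DNS configurations" the post recommends can be automated for the specific failure mode described above: a router that looks normal to its clients but hands out a rogue resolver or returns forged answers for a webmail or login portal. The script below is an added example, not code from the OpusDatum post or from the DOJ operation, and every resolver address, hostname, IP range and DNS answer in it is constructed sample data. It parses the resolver list from a dhclient lease or resolv.conf, flags resolvers outside an allowlist, and compares answers for sentinel hostnames against a trusted reference resolver, raising an alert only when the answer differs and falls outside the ranges where the real service is known to live.

```python
"""DNS-configuration audit for detecting router-based DNS hijacking.

Added example (not from the OpusDatum post). All data below is constructed;
in deployment, replace ROUTER_ANSWERS / REFERENCE_ANSWERS with live lookups
against the router's resolver and a trusted out-of-band resolver.
"""
import ipaddress
import re
from dataclasses import dataclass

# Resolvers the organisation expects DHCP to hand out (assumed values).
EXPECTED_RESOLVERS = {"192.168.1.1", "10.0.0.53"}

# Address ranges where the legitimate service front ends live (assumed).
EXPECTED_RANGES = {
    "mail.example.com": [ipaddress.ip_network("203.0.113.0/24")],
    "login.example.com": [ipaddress.ip_network("198.51.100.0/24")],
    "portal.example.com": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed dhclient lease: the router is a normal-looking resolver, but a
# second, unexpected public resolver has been injected.
SAMPLE_LEASE = """
lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1, 192.0.2.99;
}
"""
SAMPLE_RESOLV = "nameserver 10.0.0.53\nsearch corp.example\n"

# Constructed answers: the router forges mail.example.com, leaves login alone,
# and returns a different but legitimate address for the portal (e.g. a pool).
ROUTER_ANSWERS = {
    "mail.example.com": "192.0.2.77",
    "login.example.com": "198.51.100.10",
    "portal.example.com": "203.0.113.20",
}
REFERENCE_ANSWERS = {
    "mail.example.com": "203.0.113.15",
    "login.example.com": "198.51.100.10",
    "portal.example.com": "203.0.113.21",
}


@dataclass(frozen=True)
class Finding:
    severity: str  # "ALERT" (likely hijack) or "NOTE" (benign-looking drift)
    subject: str
    detail: str


def parse_resolvers(text: str) -> list[str]:
    """Extract resolver addresses from resolv.conf 'nameserver' lines or
    dhclient 'option domain-name-servers' lines."""
    found = []
    for line in text.splitlines():
        line = line.strip().rstrip(";")
        m = re.match(r"nameserver\s+(\S+)", line)
        if m:
            found.append(m.group(1))
            continue
        m = re.match(r"option domain-name-servers\s+(.+)", line)
        if m:
            found.extend(a.strip() for a in m.group(1).split(","))
    return found


def check_resolvers(resolvers, expected=EXPECTED_RESOLVERS) -> list[Finding]:
    """Flag any advertised resolver that is not on the allowlist."""
    findings = []
    for r in resolvers:
        try:
            addr = ipaddress.ip_address(r)
        except ValueError:
            findings.append(Finding("ALERT", r, "unparseable resolver address"))
            continue
        if r not in expected:
            scope = "private" if addr.is_private else "public"
            findings.append(Finding("ALERT", r, f"unexpected {scope} resolver advertised"))
    return findings


def compare_answers(router, reference, ranges=EXPECTED_RANGES) -> list[Finding]:
    """Compare sentinel-host answers from the router with a trusted resolver."""
    findings = []
    for host, ref in reference.items():
        got = router.get(host)
        if got is None:
            findings.append(Finding("ALERT", host, "no answer from router resolver"))
            continue
        if got == ref:
            continue
        in_range = any(ipaddress.ip_address(got) in net for net in ranges.get(host, []))
        if in_range:  # differs, but still inside the service's known ranges
            findings.append(Finding("NOTE", host, f"{got} != reference {ref}, within expected range"))
        else:         # differs and points somewhere the service never lives
            findings.append(Finding("ALERT", host, f"{got} != reference {ref}, outside expected ranges"))
    return findings


def audit(lease_text, router, reference) -> list[Finding]:
    return check_resolvers(parse_resolvers(lease_text)) + compare_answers(router, reference)


if __name__ == "__main__":
    for f in audit(SAMPLE_LEASE, ROUTER_ANSWERS, REFERENCE_ANSWERS):
        print(f"[{f.severity}] {f.subject}: {f.detail}")
```

The split between ALERT and NOTE matters in practice: services behind load balancers or CDNs legitimately return different addresses to different resolvers, so a bare "answers differ" check produces noise, while "answers differ and the address is outside any range the service has ever used" is the signature of the redirection described above.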


More broadly, the case demonstrates how cybercrime has become embedded within national security threats. The use of everyday devices to support espionage campaigns illustrates the scale at which attackers can operate while remaining difficult to detect. As regulatory scrutiny and enforcement activity increase, firms will be expected to demonstrate robust cyber resilience frameworks that address both enterprise systems and peripheral network components.


This enforcement action serves as a clear signal that cybercrime is no longer solely a financial or technical issue but a strategic risk requiring coordinated legal, operational and technological responses.


Read the press release here.
