THE DEEP TAKE
Your Edge Router Is a Nation-State Listening Post, and the FBI Just Proved It
On April 7, the Justice Department and FBI announced Operation Masquerade, a court-authorized takedown of a GRU-controlled botnet of compromised TP-Link SOHO routers that Russia's Military Unit 26165 (APT28, Fancy Bear) had been running since at least 2024. At its peak in December 2025, more than 18,000 unique IP addresses across 120 countries were talking to APT28 infrastructure. The FBI reached into the US portion of that botnet, collected forensics, and reset the DNS settings to evict Russia. The rest of the world is still cleaning up.
The tradecraft is the uncomfortable part. APT28 was not dropping custom implants or burning expensive zero-days. They were exploiting known, unpatched vulnerabilities in consumer-grade TP-Link routers, stealing admin credentials, and quietly rewriting DHCP and DNS settings. Every device behind those routers inherited the new config. When a targeted user typed outlook.office.com, the GRU-controlled resolver returned a fraudulent record pointing to a spoofed Outlook Web Access page, then sat in the middle of the TLS session. Credentials and session tokens for ministries of foreign affairs, law enforcement agencies, and cloud service providers flowed straight to Moscow.
Read that again. The attack surface was not your enterprise firewall. It was the $80 router a third-party vendor, a remote employee, or a regional office installed three years ago and never touched again. The GRU did not need to breach your perimeter because they owned the on-ramp. Your VPN concentrator, your conditional access policies, your FIDO2 tokens: all of it assumes the network path to your identity provider is honest. Operation Masquerade proves that assumption is a vulnerability.
If you run a hybrid workforce, this is your problem whether you own the hardware or not. Home office routers are unmanaged endpoints that sit between your employees and every SaaS platform you depend on. Regional sales offices, M&A targets mid-integration, OT environments with forgotten ISP gear: the blast radius is wider than most CISOs have modeled. And "we use a corporate VPN" does not save you when DNS resolution happens before the tunnel is established.
The tactical move this week is a real inventory. Pull your EDR telemetry for DNS queries resolving to unexpected IP space. Audit your conditional access sign-in logs for impossible-travel events and unfamiliar resolver behavior. If you issue stipends for home internet gear, publish an approved list and a firmware baseline, then actually enforce it. Treat remote worker routers as Tier 1 infrastructure, because that is what the GRU thinks they are.
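The DNS-rewrite tradecraft above and the "pull your EDR telemetry for DNS queries resolving to unexpected IP space" check are the same problem from two sides, so here is one added detection example (not from the FBI disclosure or any vendor tool): it sweeps constructed DNS telemetry for two Masquerade-style signals, a client using a resolver outside the approved set and a known identity domain resolving outside its expected address space. The resolver list and expected ranges are placeholders drawn from RFC 5737 documentation networks, not real Microsoft or corporate ranges.

```python
import ipaddress

# Constructed sample of per-client DNS telemetry, shaped like what an EDR
# exports: which resolver the host used, what it asked, what it was told.
SAMPLE_DNS_EVENTS = [
    {"client": "10.0.0.12", "resolver": "192.0.2.53",
     "qname": "outlook.office.com", "answer": "203.0.113.10"},
    {"client": "10.0.0.12", "resolver": "192.0.2.53",
     "qname": "login.microsoftonline.com", "answer": "203.0.113.11"},
    # A host behind a hijacked router: DHCP handed it a rogue resolver,
    # and that resolver answers the mail domain with an attacker address.
    {"client": "10.0.0.45", "resolver": "198.51.100.77",
     "qname": "outlook.office.com", "answer": "198.51.100.80"},
    {"client": "10.0.0.45", "resolver": "192.0.2.53",
     "qname": "example.net", "answer": "198.51.100.9"},
]

# Assumed baselines (placeholders): resolvers your DHCP scope or VPN should
# push, and the address space each identity-critical name is expected to
# resolve into. In practice, load these from the provider's published lists.
APPROVED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
EXPECTED_ANSWERS = {
    "outlook.office.com": [ipaddress.ip_network("203.0.113.0/24")],
    "login.microsoftonline.com": [ipaddress.ip_network("203.0.113.0/24")],
}


def find_hijack_indicators(events, approved=APPROVED_RESOLVERS,
                           expected=EXPECTED_ANSWERS):
    """Return (client, reason) pairs for events showing hijack signals."""
    findings = []
    for ev in events:
        # Signal 1: the host is not talking to a resolver we control.
        if ev["resolver"] not in approved:
            findings.append((ev["client"],
                             f"unapproved resolver {ev['resolver']}"))
        # Signal 2: a watched name resolved outside its expected ranges,
        # regardless of which resolver answered (catches spoofed records).
        nets = expected.get(ev["qname"])
        if nets is not None:
            addr = ipaddress.ip_address(ev["answer"])
            if not any(addr in net for net in nets):
                findings.append((ev["client"],
                                 f"{ev['qname']} resolved to unexpected {ev['answer']}"))
    return findings


def suspect_clients(events):
    """Distinct hosts with at least one indicator, for triage queueing."""
    return sorted({client for client, _ in find_hijack_indicators(events)})
```

Watched domains fronted by CDNs legitimately answer from many ranges, so seed the expected ranges from the provider's published IP lists and treat a hit as a triage lead, not a verdict.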
The strategic move is harder. Most enterprise security programs have no answer for hardware their employees bought at Best Buy. That gap is now a nation-state initial access vector with four years of documented operational success. Operation Masquerade gave you breathing room. It did not close the door.
QUICK HITS
FortiClient EMS Zero-Day Exploited Before the Advisory Landed
Fortinet rushed an emergency hotfix for CVE-2026-35616, a CVSS 9.1 pre-auth API access bypass in FortiClient EMS 7.4.5 and 7.4.6 that lets an unauthenticated attacker execute code via crafted HTTP requests. watchTowr recorded exploitation attempts against its honeypots starting March 31, before Fortinet ever published its advisory. CISA added the CVE to KEV on April 6 with a federal remediation deadline of April 9. If you run FortiClient EMS, assume you were scanned and check for anomalous admin creation and outbound C2 traffic from the management server. The full fix ships with 7.4.7.
Storm-1175 Is Turning Medusa Into a Zero-Day Operation
Microsoft's threat intel team detailed a high-tempo Medusa ransomware campaign run by the affiliate it tracks as Storm-1175. The group is chaining CVE-2025-10035 and the freshly disclosed CVE-2026-23760 to breach internet-facing web assets, land persistence, and deploy Medusa within hours. The pattern is the same story every CISO has heard for two years, running faster: exploit, persist, encrypt, extort. What is different is that affiliates now treat fresh CVEs the way APTs used to treat zero-days, integrating them into playbooks within days of disclosure. Your patch SLA is a ransomware SLA now.
ChipSoft Outage Takes Down Dutch Hospital Portals
A cyberattack on ChipSoft, the dominant electronic health record vendor in the Netherlands, disrupted hospital portals across the country around April 7. Care workflows degraded, providers fell back to manual processes, and patients were turned away from non-urgent appointments. Details are still thin, but the concentration risk is not: when a single vendor powers the EHR for most hospitals in a country, one bad day at the vendor is a national healthcare incident. If you are a CIO in a regulated industry with a similar concentration, this is your tabletop exercise for next week.
THE NUMBER: 18,000
That is the number of unique IP addresses across 120 countries that were beaconing to APT28 infrastructure at the botnet's December 2025 peak, according to the FBI's Operation Masquerade disclosure. Every one of those IPs was a compromised TP-Link SOHO router being used to hijack DNS and intercept credentials. The operation ran quietly for at least two years before takedown. The signal for enterprise leaders is not the raw number. It is that a nation-state ran a global credential interception campaign for 24 months using commodity routers, and most victims never saw it in their SOC dashboards because the compromise happened one hop outside the managed perimeter.
Across the DoGood network this week, home office and remote worker endpoint hardening jumped into the top 10 priority themes for the first time since Q4. More on that Wednesday.
The CXO Brief is powered by the DoGood network — 5,000+ IT leaders sharing what they're actually working on.
