Counterintelligence — 2026-04-08

NSA and FBI Warn GRU Unit 26165 Compromised 18,000 Routers Across 120 Countries for Credential Harvesting

NSA and FBI issued a joint cybersecurity advisory detailing how GRU's 85th Main Special Service Center (Unit 26165/APT28/Fancy Bear/Forest Blizzard) exploited vulnerable MikroTik and TP-Link routers to build a global intelligence collection platform. At least 18,000 devices across approximately 120 countries were compromised to harvest credentials from military, government, and critical infrastructure targets. The advisory accompanied DOJ's announcement of Operation Masquerade, which disrupted the GRU's DNS hijacking network targeting North Africa, Central America, and Southeast Asia.
Together, the NSA advisory and the DOJ disruption action amount to coordinated attribution plus disruption: naming GRU Unit 26165, publishing the CVE, and seizing infrastructure at the same time. The 18,000 compromised routers across 120 countries show how cheap consumer hardware can serve as a persistent collection platform that outlasts individual campaigns.
Sources: GlobalSecurity.org · Silicon Canals