SRI worked alongside the international community to put a stop to the cyber-attacks attributed to the GRU

April 08, 2026

The Romanian Intelligence Service, through the Cyberint National Center, participated alongside the international intelligence community in Operation Masquerade, which succeeded in disrupting an attack infrastructure made up of communication devices (routers), used by the APT28/ FANCY BEAR Russian cyber-actor, connected to GRU.

Through the attacking network, the cyber-actor collected passwords, authentication tokens and sensitive data, including e-mails and internet search history, information that is normally protected by secure socket layer (SSL) and transport layer security (TLS) protocols. In this way, the GRU compromised a wide range of global entities, including in Romania, targeting in particular critical infrastructure and intelligence in the military and government fields.

The cyber-actor's modus operandi highlights the need for protection measures to be taken by all users of SOHO (small-office home-office equipment) devices, such as:

• replacement of End-of-Life and End-of-Support devices for which manufacturers no longer issue updates;
• making firmware updates;
• verification of the authenticity of the connections made by the network devices;
• review of firewall rules to limit exposure of unauthorized remote connections.

The disruption operation has affected the cyber-operations currently being carried out by APT28 through the operation of router equipment and significantly limits the attacker's capabilities to conduct future cyber-attacks using this attack infrastructure.