FBI eyes more court-authorized operations inside compromised private infrastructure
The FBI expects to conduct more court-authorized cyber operations to remove foreign hackers’ access to privately owned routers and edge devices, a senior bureau official said, underscoring how adversaries’ use of everyday infrastructure is pushing law enforcement into technically complex and legally sensitive terrain.
Assistant Director of the Cyber Division Brett Leatherman said on the McCrary Institute’s Cyber Focus podcast that court-authorized actions such as Operation Masquerade, which evicted Russian GRU actors from compromised routers, will remain an important part of the bureau’s cyber response model.
“I can guarantee you will see more of those because it has real impact for victims,” Leatherman told host Frank Cilluffo.
The comments point to a central tension in modern cyber defense: foreign intelligence services and criminal actors often operate through devices they do not own. In Operation Masquerade, Leatherman said, Russian military intelligence had co-opted routers globally, including in the United States, changed DNS settings and routed internet traffic from homes and offices through GRU-controlled infrastructure. That access, he said, allowed actors not only to collect traffic but also to use trusted U.S. IP space to pivot toward critical infrastructure, government agencies, law enforcement, hospitals and other targets.
The FBI’s Boston field office developed a capability that, through a court-authorized legal process, allowed the bureau to “evict the GRU actors from those routers and then secure those routers from reinfection,” Leatherman said.
He described Masquerade as the fourth court-authorized technical operation since 2018 against the Russian GRU involving end-of-life routers and edge devices.
“So it just demonstrates that they are persistent in what they do,” Leatherman said. “But our persistence is there as well.”
The operation also reflects a broader challenge facing law enforcement. Many cyber actors operate from jurisdictions where arrest and extradition are unlikely, forcing agencies to find other ways to disrupt malicious activity and reduce harm to victims. Leatherman said that reality has pushed the FBI to expand its cyber deterrence strategy beyond arrests, indictments and convictions. “Where they’re not touchable, their infrastructure is touchable, their money is touchable, their tools are touchable,” he said.
That approach, he argued, can bring relief to victims even when the underlying threat actors remain beyond the reach of U.S. courts. “We may never get a GRU actor in U.S. jail for conducting that operation, but victims are feeling relief,” Leatherman said. “And the nation’s more secure because of it.”
Still, Leatherman said, the message to foreign cyber actors is that distance and time do not erase accountability. “We don’t forget, we have a long memory and we’re going to hold you accountable,” he said.
You can find the full conversation and other Cyber Focus episodes wherever you get podcasts or at McCraryInstitute.com.