FBI Recommends These 5 Immediate Router Security Steps


Key Takeaways

  • The FBI and NSA revealed that Russian military intelligence (GRU) unit APT28/Fancy Bear has been compromising home and small‑office routers since at least 2024.
  • The attackers use DNS hijacking—altering router settings to redirect traffic—to steal credentials, authentication tokens and other sensitive data.
  • More than 200 organizations and roughly 5,000 consumer devices have been impacted, with a focus on military, government and critical‑infrastructure targets.
  • A specific list of TP‑Link models (including the widely‑used TL‑WR841N) was identified; all are end‑of‑life devices that no longer receive regular updates.
  • TP‑Link has issued security patches for select legacy models and urges owners to upgrade to newer, supported hardware.
  • Basic router hygiene—firmware updates, changing default credentials, disabling remote management, weekly reboots and VPN use—can greatly reduce risk.
  • Experts warn that router exploitation is a growing trend affecting both consumer and enterprise networks, making proactive maintenance essential.

Overview of the Threat
Federal agencies, including the FBI and NSA, disclosed on April 7 that a unit of Russia’s military intelligence directorate, the GRU group known as APT28 or Fancy Bear, has been systematically compromising home and small‑office (SOHO) routers since at least 2024. The intrusion was uncovered through monitoring of malicious DNS traffic and led to an unusual court‑ordered remote reset of thousands of affected U.S. devices. Officials stressed that, while the mass reset mitigated immediate damage, the underlying vulnerability remains unless individual owners take remedial action.

Nature of the Attack
The intrusion is classified as a Domain Name System (DNS) hijacking operation. By gaining access to a router’s administrative interface, the attackers changed the device’s DNS settings, causing all DNS queries from connected devices to be routed through malicious servers under the GRU’s control. This enables the threat actors to view unencrypted traffic, harvest login credentials, authentication tokens and other sensitive communications without triggering traditional endpoint defenses. As Microsoft’s Threat Intelligence report noted, DNS hijacking provides nation‑state actors with persistent, passive visibility at scale.

Scope of Impact
According to the NSA and FBI, the campaign has affected more than 200 organizations and approximately 5,000 consumer devices worldwide. The primary targets include military installations, government agencies and critical‑infrastructure sectors, though the indiscriminate nature of the DNS hijack means any user of a vulnerable router could have their traffic inspected. The broad reach underscores the strategic value the GRU places on router‑based footholds for espionage and potential future disruptive operations.

Specific Router Models Affected
The FBI’s announcement highlighted the TP‑Link TL‑WR841N, a Wi‑Fi 4 router released in 2007, as a representative example. The United Kingdom’s National Cyber Security Centre (NCSC) expanded the list to 23 TP‑Link models that were observed in the attack, noting that the inventory is likely not exhaustive. Affected devices include various LTE, dual‑band, gigabit and lite‑N routers such as the MR6400, Archer C5, Archer C7, WDR3600, WDR4300, WDR3500, WR740N series, MR3420, WA801ND, WA901ND, WR1043ND, WR1045ND, WR840N, WR841HP, WR841N, WR841N/WR841ND, WR842N, WR842ND, WR845N, WR941ND and WR945NA. All of these models have reached End‑of‑Service and End‑of‑Life status, meaning they no longer receive routine firmware patches from the vendor.

Vendor Response and Mitigation
A TP‑Link spokesperson told CNET that, although the impacted devices are outside the standard maintenance lifecycle, the company has developed security updates for select legacy models where technically feasible. These patches are available on TP‑Link’s security advisory page addressing the recent attack. The vendor strongly encourages owners of the listed routers to upgrade to newer, supported hardware if possible, as continuing to run outdated firmware leaves the device—and the entire network—exposed to known exploits.

Recommended Protective Measures
The NSA and FBI advise a series of baseline hygiene steps to secure home and SOHO networks:

  • Update firmware regularly – enable automatic updates if the router supports them; otherwise manually check the vendor’s website or the router’s admin interface.
  • Reboot devices weekly – regular power cycles can remove malicious implants and restore a clean state.
  • Change default usernames and passwords – factory credentials are widely known and abused; use long, random passwords for both router admin access and the Wi‑Fi network.
  • Disable remote management – unless explicitly needed, turn off WAN‑side admin access to prevent attackers from altering settings without local knowledge.
  • Employ a VPN – especially for remote workers, a virtual private network encrypts traffic between the device and the corporate network, thwarting DNS‑based interception.

These practices collectively reduce the attack surface and make it far harder for threat actors to maintain persistence.
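The DNS hijack described above works by silently swapping the resolvers a router hands out, so a practical check for the hygiene steps listed here is to compare the resolvers your devices actually received against the ones you expect. The following script is an added illustration, not code from the FBI, NSA or TP‑Link; the allowlist of expected resolvers and the two resolv.conf samples are constructed for the example.

```python
import ipaddress

# ASSUMPTION: resolvers the network owner expects (e.g. the ISP's or a
# chosen public resolver set). Replace with your own.
EXPECTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "9.9.9.9", "2606:4700:4700::1111"}

# Ranges in which the router itself (forwarding queries) normally lives.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128")]


def parse_resolv_conf(text):
    """Return nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolver(addr, expected=EXPECTED_RESOLVERS):
    """'expected' (allowlisted), 'lan' (router forwarding) or 'unexpected'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unexpected"          # garbage in the config is itself suspicious
    if str(ip) in expected:
        return "expected"
    if any(ip in net for net in LAN_RANGES):
        return "lan"
    return "unexpected"              # a public resolver you did not choose


def find_suspicious_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Resolvers handed to this host that warrant checking the router's DNS settings."""
    return [s for s in parse_resolv_conf(text)
            if classify_resolver(s, expected) == "unexpected"]


# Constructed samples: a clean host and one whose router DNS was altered.
CLEAN_SAMPLE = "# Generated by DHCP\nnameserver 192.168.0.1\n"
HIJACKED_SAMPLE = ("# Generated by DHCP\n"
                   "nameserver 203.0.113.45   # not a resolver we configured\n"
                   "nameserver 192.168.0.1\n")

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("hijacked", HIJACKED_SAMPLE)):
        print(name, find_suspicious_resolvers(sample))
```

A hit does not prove compromise on its own (an ISP may change resolvers), but it is the cue to log into the router, confirm its DNS and remote‑management settings, and apply the vendor patch.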

Broader Context and Expert Insight
Cybersecurity analysts note a rising trend of router exploitation that spans both consumer and enterprise environments. Daniel Dos Santos, vice president of research at Forescout, told CNET that attackers increasingly target routers because they sit at a privileged point in the network, seeing all traffic that passes through. Rik Ferguson, also of Forescout, warned that the longer a device runs outdated firmware, the greater the risk, likening it to leaving the front door of a house unlocked. The consensus is that proactive maintenance—not merely reacting to alerts—is essential to defend against nation‑state and criminal campaigns that abuse inexpensive, widely deployed hardware.

Conclusion and Call to Action
While the FBI’s remote reset operation halted the immediate DNS hijacking activity, the underlying vulnerability persists for anyone still using the listed TP‑Link models or comparable unpatched routers. The attack demonstrates how obsolete networking gear can become a conduit for state‑level espionage, jeopardizing personal data, corporate secrets and national‑security interests. Owners of affected devices should immediately consult TP‑Link’s security advisory, apply any available patches, and consider replacing the hardware with a current, supported model. By adopting the recommended firmware update, credential, reboot, remote‑management and VPN practices, users can significantly harden their home networks and contribute to broader cyber‑resilience against evolving threats.
