Most home routers sit in a corner, ignored, and that's exactly what Russia's military intelligence unit was counting on. The GRU group known as APT28, responsible for some of the most significant state-sponsored hacks of the past decade, spent years exploiting that neglect, working its way into thousands of home and small office routers across 23 US states and using the access to intercept traffic, steal credentials and build a shadow network of compromised devices. A joint federal advisory issued April 7 outlined the scope of the attack and the court-authorized operation that disrupted it. It also came with a clear instruction: There are five steps every router owner should take immediately.
The attack targeted small-office/home-office routers, also known as SOHO routers, and was carried out by a unit in the Russian military intelligence agency, the GRU. Government agencies are urging people to follow basic router hygiene steps, such as updating to the latest firmware and changing default login credentials. The UK's National Cyber Security Centre includes a number of TP-Link routers specifically targeted by the hackers.
While that news sounds pretty alarming, it's worth keeping in mind that the attack compromised enterprise routers specifically, so your home Wi-Fi router likely isn't at risk. That said, some of the affected routers can be used as standard home routers, so it's worth checking whether your model was exploited in the attack.
"There is a big trend of exploiting routers these days, and that goes both for the consumer and enterprise or corporate routers," Daniel Dos Santos, vice president of research at the cybersecurity company Forescout, told CNET.
What type of attack is this?
A news release from the NSA notes that the attack indiscriminately targeted a wide pool of routers, with the goal of gathering information on "military, government, and critical infrastructure."
This attack is linked to threat actors within the Russian GRU -- which go by APT28, Fancy Bear, Forest Blizzard and other names -- and has been ongoing since at least 2024, according to the FBI.
It's known as a Domain Name System hijacking operation, in which DNS requests are intercepted by changing the default network configurations on SOHO routers, allowing the actors to see a user's traffic unencrypted.
"For nation-state actors like Forest Blizzard, DNS hijacking enables persistent, passive visibility and reconnaissance at scale," says a Microsoft Threat Intelligence report on the attack.
Microsoft identified more than 200 organizations and 5,000 consumer devices impacted by the GRU's attack.
Which routers were affected?
The FBI's announcement refers to one router specifically, the TP-Link TL-WR841N, a Wi-Fi 4 model that was originally released in 2007. The UK's National Cyber Security Centre lists 23 TP-Link models that were targeted, but notes that it is likely not exhaustive.
Here is the list of affected devices:
- TP-Link LTE Wireless N Router MR6400
- TP-Link Wireless Dual Band Gigabit Router Archer C5
- TP-Link Wireless Dual Band Gigabit Router Archer C7
- TP-Link Wireless Dual Band Gigabit Router WDR3600
- TP-Link Wireless Dual Band Gigabit Router WDR4300
- TP-Link Wireless Dual Band Router WDR3500
- TP-Link Wireless Lite N Router WR740N
- TP-Link Wireless Lite N Router WR740N/WR741ND
- TP-Link Wireless Lite N Router WR749N
- TP-Link Wireless N 3G/4G Router MR3420
- TP-Link Wireless N Access Point WA801ND
- TP-Link Wireless N Access Point WA901ND
- TP-Link Wireless N Gigabit Router WR1043ND
- TP-Link Wireless N Gigabit Router WR1045ND
- TP-Link Wireless N Router WR840N
- TP-Link Wireless N Router WR841HP
- TP-Link Wireless N Router WR841N
- TP-Link Wireless N Router WR841N/WR841ND
- TP-Link Wireless N Router WR842N
- TP-Link Wireless N Router WR842ND
- TP-Link Wireless N Router WR845N
- TP-Link Wireless N Router WR941ND
- TP-Link Wireless N Router WR945N
A TP-Link Systems spokesperson told CNET in a statement that the affected models all reached End of Service and Life status several years ago.
"While these products are outside our standard maintenance lifecycle, TP‑Link has developed security updates for select legacy models where technically feasible," the spokesperson said.
TP-Link is urging people with these outdated routers to upgrade to a newer device if possible. You can find a list of available security patches on its security advisory page addressing the recent attack.
How to keep your router safe
The NSA referred organizations to a list of best practices for securing your home network. The most important thing you can do if you're using one of the impacted devices is to upgrade your router as soon as possible. It likely hasn't received firmware updates in years, which is like leaving the door to your network unlocked.
"The longer you carry on doing that, the greater the risk," said Rik Ferguson, vice president of security intelligence at Forescout. "The router sits in such a privileged position within any network. All of your communication, all of your traffic, has to pass through that device."
In addition to using a newer device that's still getting security updates, there are a few other steps you can take to lock down your network:
- Update your firmware regularly: Many networking devices allow you to enable automatic firmware updates in the settings. If this is an option, I'd highly recommend doing it. If it's not, you can find updates for your router by logging into its web interface or using its app.
- Reboot your router: The NSA's guidance recommends rebooting your router, smartphone and computers at least once a week. "Regular reboots help to remove implants and ensure security," the agency says.
- Change default usernames and passwords: One of the most common ways hackers gain access is by trying default, manufacturer-set login credentials. "There's a whole underground economy that underlies all of that," says Ferguson. "Basically, they just harvest credentials, either through attacks of their own, or by stockpiling them from other sources and buying them." This username and password combination is different from your Wi-Fi login, which should also be changed every six months or so. The longer and more random your password, the better.
- Disable remote management: Most regular users don't need to remotely manage their Wi-Fi router, and this is one of the primary ways threat actors can change your router's settings without your knowledge. You can typically find this option in your router's admin settings.
- Use a VPN: The FBI's announcement on the attack specifically recommends that organizations with remote workers use a VPN when accessing sensitive data. These services encrypt your traffic as it passes through a remote server, keeping it safe from hackers.
