5 Steps the FBI Wants You to Take to Secure Your Router Now

A Russian military intelligence unit has compromised thousands of routers in 23 states. Here’s how to make sure yours isn’t next.

Joe Supan is a senior writer for CNET covering home technology, broadband and moving. Before joining CNET, Joe led mobile coverage at MyMove and reported on broadband policy, the digital divide and privacy issues for the Allconnect broadband market. He has been featured as a guest columnist on Broadband Breakfast, and his work has been referenced by the Los Angeles Times, Forbes, National Geographic, Yahoo! Finance and more.

If you haven’t thought about your home router since the day you installed it, the FBI would like to have a word with you. Federal agencies, including the FBI and NSA, revealed on April 7 that a unit of Russia’s military intelligence directorate, the GRU group known as APT28 or Fancy Bear, has been systematically compromising home and small office routers since at least 2024, using that access to intercept credentials, authentication tokens and sensitive communications. The agency took the unusual step of remotely resetting thousands of affected U.S. devices under a court order, but officials warn that without action from individual router owners, the problem is far from resolved.

The attack targeted small office/home office routers, also known as SOHO routers, and was carried out by a unit of Russia’s military intelligence agency, the GRU. Government agencies urge people to follow basic router hygiene steps, such as updating to the latest firmware and changing default login information. The UK’s National Cyber Security Center lists a number of TP-Link routers that were specifically targeted by the hackers.

While this news sounds alarming, it’s worth keeping in mind that the attack specifically compromised corporate routers, so your home Wi-Fi router is probably not in danger. That said, some of the affected models are also sold as standard home routers, so it is worth checking whether your model was among those exploited in the attack.

“There’s a big trend toward exploiting routers these days, and that goes for both consumer and enterprise routers,” Daniel Dos Santos, vice president of research at cybersecurity firm Forescout, told CNET.

What type of attack is this?

An NSA press release said the attack indiscriminately targeted a wide range of routers, with the aim of gathering information on “military, government, and critical infrastructure.”

This attack is linked to threat actors within the Russian GRU – called APT28, Fancy Bear, Forest Blizzard and other names – and has been ongoing since at least 2024, according to the FBI.

This is a domain name system hijacking operation: the attackers modify the default network configuration on compromised SOHO routers so that DNS queries from devices behind the router are intercepted, allowing the actors to see which sites a user is visiting and to see the user’s traffic in the clear.

“For state actors like Forest Blizzard, DNS hijacking enables persistent, passive visibility and reconnaissance at scale,” says a Microsoft Threat Intelligence report on the attack.

Microsoft has identified more than 200 organizations and 5,000 consumer devices affected by the GRU attack.

Which routers were affected?

The FBI announcement refers to one router in particular, the TP-Link TL-WR841N, a Wi-Fi 4 model originally released in 2007. The UK’s National Cyber Security Center lists 23 TP-Link models targeted, but notes that this list is likely not exhaustive.

Here is the list of affected devices:

  • TP-Link LTE MR6400 Wireless N Router
  • TP-Link Archer C5 Wireless Dual-Band Gigabit Router
  • TP-Link Archer C7 Wireless Dual-Band Gigabit Router
  • TP-Link WDR3600 Wireless Dual-Band Gigabit Router
  • TP-Link WDR4300 Wireless Dual-Band Gigabit Router
  • TP-Link WDR3500 Wireless Dual-Band Router
  • TP-Link WR740N Lite N Wireless Router
  • TP-Link WR740N/WR741ND Lite N Wireless Router
  • TP-Link WR749N Lite N Wireless Router
  • TP-Link Wireless N 3G/4G Router MR3420
  • TP-Link WA801ND Wireless N Access Point
  • TP-Link WA901ND Wireless N Access Point
  • TP-Link WR1043ND Wireless N Gigabit Router
  • TP-Link WR1045ND Wireless N Gigabit Router
  • TP-Link WR840N Wireless N Router
  • TP-Link WR841HP Wireless N Router
  • TP-Link WR841N Wireless N Router
  • TP-Link WR841N/WR841ND Wireless N Router
  • TP-Link WR842N Wireless N Router
  • TP-Link WR842ND Wireless N Router
  • TP-Link WR845N Wireless N Router
  • TP-Link WR941ND Wireless N Router
  • TP-Link WR945N Wireless N Router

A TP-Link Systems spokesperson told CNET in a statement that the affected models all reached end-of-service and end-of-life status several years ago.

“While these products are outside of our standard maintenance lifecycle, TP-Link has developed security updates for some existing models where technically feasible,” the spokesperson said.

TP-Link urges people with these outdated routers to upgrade to a newer device if possible. You can find a list of available security patches on its security advisory page regarding the recent attack.

How to protect your router

The NSA has referred organizations to a list of best practices for securing your home network. The most important thing you can do if you are using one of the affected devices is to upgrade your router as soon as possible. It probably hasn’t received firmware updates in years, which is like leaving your network door unlocked.

“The longer you continue to do this, the greater the risk,” said Rik Ferguson, vice president of security intelligence at Forescout. “The router occupies a privileged position within any network. All your communications, all your traffic must go through this device.”

In addition to using a newer device that still receives security updates, there are a few other steps you can take to lock down your network:

  • Update your firmware regularly: Many network devices allow you to enable automatic firmware updates in the settings. If it’s an option, I highly recommend you do it. If not, you can find updates for your router by logging into its web interface or using its app.
  • Restart your router: NSA guidelines recommend restarting your router, smartphone, and computers at least once a week. “Regular reboots allow implants to be removed and ensure safety,” the agency explains.
  • Change default usernames and passwords: One of the most common ways for hackers to gain access is to try the default login credentials set by the manufacturer. “There’s a whole underground economy that’s driving all of this,” Ferguson says. “Basically, they just harvest credentials, either through their own attacks or by storing them from other sources and buying them.” This administrator username and password combination is separate from your Wi-Fi network password, which also needs to be changed every six months or so. The longer and more random your password is, the better.
  • Disable remote management: Most regular users don’t need to remotely manage their Wi-Fi router, and this is one of the main ways bad actors can change your router settings without your knowledge. You can usually find this option in your router administration settings.
  • Use a VPN: The FBI announcement on the attack specifically recommends that organizations with remote workers use a VPN when accessing sensitive data. These services encrypt your traffic on its way to a remote server, so a compromised router in between cannot read it.
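Because the hijack described above works by changing which DNS resolvers the router hands out, one cheap defender-side check is to compare the resolvers a device actually received against the ones you expect. The following script is an added example, not code from the CNET article or from any agency advisory; the trusted resolver list, the LAN range (192.168.0.0/24), the router address and the sample resolv.conf contents are all constructed assumptions.

```python
"""Audit which DNS resolvers a LAN host is actually using (added example)."""
import ipaddress
import re

# Assumption: resolvers the owner expects to see. 1.1.1.1/1.0.0.1, 8.8.8.8/8.8.4.4
# and 9.9.9.9 are well-known public resolvers; add your ISP's resolvers here.
TRUSTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Constructed sample of /etc/resolv.conf as written by a DHCP client.
# 203.0.113.53 is a documentation-range address standing in for an
# attacker-controlled resolver pushed out by a tampered router.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search lan
nameserver 192.168.0.1
nameserver 203.0.113.53
"""


def parse_resolv_conf(text: str) -> list[str]:
    """Return the nameserver addresses in resolv.conf order."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, flags=re.MULTILINE)


def audit_resolvers(servers, lan_cidr: str, router_ip: str,
                    trusted=TRUSTED_RESOLVERS) -> list[str]:
    """Flag resolvers that are neither the router's own forwarder nor trusted.

    Returns one human-readable finding per suspicious entry; an empty list
    means every resolver is either the router or on the trusted list.
    """
    lan = ipaddress.ip_network(lan_cidr)
    findings = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            findings.append(f"{s}: not a valid IP address")
            continue
        if s == router_ip or s in trusted:
            continue
        if ip in lan:
            findings.append(f"{s}: resolver is another LAN host, not the router")
        else:
            findings.append(f"{s}: unexpected off-LAN resolver; check the router's DNS/DHCP settings")
    return findings


if __name__ == "__main__":
    # On a real Linux host replace SAMPLE_RESOLV_CONF with open("/etc/resolv.conf").read()
    for finding in audit_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF),
                                   "192.168.0.0/24", "192.168.0.1"):
        print("WARNING:", finding)
```

If the only resolver a host sees is the router itself, run the same comparison by hand against the DNS servers shown on the router's WAN or Internet status page, since a hijacked router can keep handing out its own address while forwarding every query to the attacker's resolvers.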
