Security Agencies Warn,

Russian GRU Hackers Hijacked Vulnerable Routers Across 23 US States

News Desk

04 June 2026, 14:07

US authorities say a long-running cyber operation linked to Russia's military intelligence agency exploited vulnerable routers across 23 US states, turning them into infrastructure for espionage and credential theft.

The campaign has been attributed to APT28, the GRU-linked hacking group also tracked as Fancy Bear and Forest Blizzard. According to the FBI, the operation has been active since at least 2024 and targeted small-office and home-office (SOHO) routers that were running outdated firmware or still using default login credentials.

Federal agents disrupted the operation in April under a court order, but officials say users must still secure or replace vulnerable devices themselves.

Key Takeaways:

  1. US authorities linked the operation to Russia's GRU-linked group APT28 (Fancy Bear/Forest Blizzard).

  2. Attackers exploited outdated firmware and default passwords on SOHO routers.

  3. DNS hijacking let the attackers redirect traffic and potentially harvest credentials.

  4. Many targeted TP-Link models are end-of-life and no longer receive regular security updates.

  5. Users should update firmware, change default credentials, disable remote management, reboot devices regularly, and replace unsupported routers.


How the Attack Worked

The attackers reportedly carried out a Domain Name System (DNS) hijacking operation. By changing the routers' configuration, specifically the DNS resolver settings that a router hands to every device connected to it, they could answer name lookups from all of those devices with addresses of their choosing, redirect internet traffic through infrastructure under their control, and potentially capture any data that was sent unencrypted.
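A client-side check for the two symptoms of this kind of hijack, written as an added example for this article rather than taken from any of the agency or Microsoft advisories: first, a device behind the router should be using either the router itself (a LAN address) or a resolver you trust, so any other public address handed out via DHCP is suspect; second, answers from the router-provided resolver should overlap with a trusted resolver's answers for a few high-value domains. The trusted-resolver allowlist, the sample resolv.conf contents and the answer sets below are constructed for the example (the "attacker" resolver uses a documentation-range address, not a real host), and in practice the answer sets would come from live queries to both resolvers.

```python
import ipaddress
from typing import Dict, Iterable, List, Set

# Resolvers a client may legitimately use besides the router itself.
# Assumption for this example: replace with your ISP's or organisation's resolvers.
TRUSTED_RESOLVERS: Set[str] = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Ranges where a LAN router or a local stub resolver legitimately lives.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                 # IPv6 equivalents
)]

# Constructed sample of what a DHCP client writes after the router's DNS
# setting has been changed. 203.0.113.45 is a documentation-range address
# standing in for an attacker-controlled resolver; it is not a real host.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager (constructed sample)
search lan
nameserver 192.168.0.1
nameserver 203.0.113.45
"""


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver entries from resolv.conf-style text, in order."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def is_local(addr) -> bool:
    """True if the address falls in a private, loopback or link-local range."""
    return any(addr in net for net in LOCAL_NETS)


def suspicious_resolvers(servers: Iterable[str],
                         allowlist: Set[str] = TRUSTED_RESOLVERS) -> List[str]:
    """Flag resolvers that are neither on the LAN nor on the allowlist.

    A healthy SOHO setup hands out the router itself; a hijacked router
    typically hands out a public address the attacker controls.
    """
    flagged = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            flagged.append(s)          # not even an IP address: flag it
            continue
        if is_local(ip) or s in allowlist:
            continue
        flagged.append(s)
    return flagged


def mismatched_answers(router_answers: Dict[str, Set[str]],
                       trusted_answers: Dict[str, Set[str]]) -> List[str]:
    """Domains whose A records from the router-provided resolver share nothing
    with a trusted resolver's answers. Requiring overlap rather than equality
    tolerates CDN rotation; an empty or missing answer set is also flagged."""
    return sorted(d for d, trusted in trusted_answers.items()
                  if not (router_answers.get(d, set()) & trusted))


def audit(resolv_text: str,
          router_answers: Dict[str, Set[str]],
          trusted_answers: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Run both checks and return one report."""
    servers = parse_resolv_conf(resolv_text)
    return {
        "resolvers": servers,
        "suspicious_resolvers": suspicious_resolvers(servers),
        "mismatched_domains": mismatched_answers(router_answers, trusted_answers),
    }


if __name__ == "__main__":
    # Constructed answer sets; obtain real ones by querying the router-provided
    # resolver and a trusted resolver for the same names.
    router = {"login.example.com": {"203.0.113.99"},
              "www.example.org": {"192.0.2.5", "192.0.2.6"}}
    trusted = {"login.example.com": {"198.51.100.10", "198.51.100.11"},
               "www.example.org": {"192.0.2.5"}}
    for key, value in audit(SAMPLE_RESOLV_CONF, router, trusted).items():
        print(f"{key}: {value}")
```

The first check is deliberately written against explicit RFC 1918, loopback and link-local ranges rather than Python's `is_private`, which also treats documentation ranges as private and would hide the sample rogue resolver. A clean result from both checks does not prove the router is untouched (an attacker can leave DNS alone and only intercept traffic), but a failing result is a strong signal that the router's configuration should be inspected and reset.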

A report from Microsoft said the campaign provided the attackers with persistent visibility into network traffic and affected more than 200 organizations and roughly 5,000 consumer devices.

The NSA said the operation was aimed at gathering intelligence on military, government, and critical infrastructure targets.


Which Routers Were Affected?

The FBI specifically identified the TP-Link TL-WR841N, a router model first released in 2007. The UK's National Cyber Security Centre (NCSC) also published a broader list of targeted TP-Link devices, including multiple Archer, WR, WDR, and MR series models.

According to TP-Link, the affected products had already reached end-of-service or end-of-life status several years ago. The company said some security updates have been developed for select legacy models where technically possible, but it recommends upgrading to newer hardware that still receives support.

Targeted TP-Link router families (from the NCSC list)

  Archer: C5, C7
  WR: WR740N, WR741ND, WR840N, WR841N, WR842N, WR845N
  WDR: WDR3600, WDR4300
  MR: MR3420, MR6400

Many of the listed models are legacy products that no longer receive regular security updates.

What Users Should Do

Security agencies recommend several basic but important steps to reduce risk.

Router Security Checklist

  1. Replace unsupported routers: If you're using one of the affected end-of-life models, upgrading to a newer router is the safest option. Older devices may no longer receive security patches.

  2. Update firmware: Enable automatic firmware updates if your router supports them, or check manually through the router's web interface or mobile app.

  3. Reboot devices regularly: The NSA recommends rebooting routers, computers, and smartphones at least weekly to help remove memory-resident malicious implants and refresh connections. A reboot does not undo a changed configuration, so check the router's DNS settings after restarting it; if they have been altered, reset the device and reconfigure it with fresh credentials.

  4. Change default administrator credentials: Default usernames and passwords are a common entry point for attackers. Use a strong, unique password for the router's admin account and update your Wi‑Fi password periodically.

  5. Disable remote management: Most home users do not need access to the router's administration panel from the internet side (WAN). Turning this feature off keeps the admin login off the internet and reduces exposure to internet-based attacks.

  6. Use a VPN for sensitive work: For remote workers handling sensitive data, agencies recommend using a trusted VPN service to encrypt traffic. A VPN client that also sends DNS queries through the tunnel bypasses whatever resolver a compromised router hands out, so it limits the impact of this kind of hijack even on a router that has not yet been cleaned up.


Why This Matters

Routers sit at the edge of a home or office network, meaning nearly all internet traffic passes through them. An attacker who controls a router can potentially monitor traffic, redirect users to malicious sites, or collect credentials, and can do so without ever touching the computers and phones behind it.

Cybersecurity researchers say attacks on networking equipment are becoming increasingly common because routers often remain unpatched for years after purchase.

For most users in Bangladesh and elsewhere, the immediate risk is likely limited to older, unsupported devices. Still, the incident highlights the importance of treating home networking equipment as security-critical infrastructure, not just a plug-and-play appliance.