Hackers tied to Russia’s military intelligence agency targeted home and small-office routers in 23 states in a cyberattack that the FBI said had been under way since at least 2024. The bureau said it remotely reset thousands of compromised routers in a court-authorized operation that disrupted the campaign.
The attack hit small-office and home-office routers, or SOHO routers, and relied on a Domain Name System hijacking operation that changed default network settings so DNS requests could be intercepted. Federal agencies are now urging people to install the latest firmware and change default login credentials, steps that can block the kind of access the hackers used.
The FBI’s announcement centered on the TP-Link TL-WR841N, a Wi-Fi 4 router first released in 2007, as part of a wider push against a GRU-linked unit known as APT28. Microsoft said the operation affected more than 200 organizations and 5,000 consumer devices, underscoring how a campaign aimed at inexpensive routers can spill far beyond the homes and small offices where the devices sit.
The broader pattern fits a familiar shift in cyberespionage. Daniel Dos Santos said there is a big trend of exploiting routers these days, and that it goes for both consumer and enterprise or corporate routers. Compromised routers can let attackers intercept traffic, steal credentials and build a shadow network of infected devices that is harder to spot than a breach inside one company’s network.
That shadow network is what made the case especially urgent for U.S. authorities on April 7, when a joint federal advisory laid out the scope of the attack and the court-approved disruption effort. APT28, also known as Fancy Bear and Forest Blizzard, has long been associated with the Russian GRU, and the latest campaign shows how older hardware can still become a tool in an active intelligence operation.
The United Kingdom’s National Cyber Security Centre listed 23 TP-Link models that were targeted, while noting the list was likely not exhaustive. TP-Link Systems said the affected models had already reached End of Service and Life status several years ago. That leaves many owners with a practical choice now: replace unsupported equipment or treat the router as a likely weak point until it is updated and secured.
The FBI’s action may have cut off part of the network, but the warning is broader than one takedown. Routers are still one of the easiest places for attackers to hide, and the devices most at risk are often the ones people stop thinking about once they are plugged in. For anyone using an older SOHO router, the next move is immediate: update it, lock down the login and check whether it should be retired altogether.

