5 Steps The FBI Wants You To Take To Secure Your Router Now

If you haven’t thought about your home router since the day you set it up, the FBI would like a word. Government agencies, including the FBI and NSA, revealed on April 7 that a unit of Russia’s military intelligence service, the GRU group known as APT28 or Fancy Bear, has been compromising home and small-office routers since at least 2024, using that access to intercept credentials, authentication tokens and sensitive communications. The agency has taken the unusual step of remotely resetting thousands of affected US devices under a court order, but officials warn that without action by individual router owners, the problem is far from resolved.
The attack targeted small office/home office routers, also known as SOHO routers, and was carried out by a unit of Russia’s military intelligence agency, the GRU. Government agencies are urging people to follow basic router hygiene measures, such as updating to the latest firmware and changing default login information. The UK’s National Cyber Security Centre lists a number of TP-Link routers that were targeted by hackers.
While that news sounds very alarming, it’s important to remember that the attacks compromised business routers, so your home Wi-Fi router is almost certainly not at risk. That said, some of the affected routers can be used as regular home routers, so it’s worth checking if your model was exploited in the attack.
“There is a big trend of exploiting routers these days, and that applies both to consumers and companies or corporate routers,” Daniel Dos Santos, vice president of research at the cybersecurity company Forescout, told CNET.
What kind of attack is this?
A news release from the NSA notes that the attack indiscriminately targeted dozens of routers, with the goal of gathering information about “military, government, and critical infrastructure.”
The attacks have been linked to terrorist actors within Russia’s GRU — who go by APT28, Fancy Bear, Forest Blizzard and other names — and have been ongoing since at least 2024, according to the FBI.
The technique is known as Domain Name System (DNS) hijacking: DNS requests are intercepted by changing the default network settings on SOHO routers, allowing the actors to see user traffic unencrypted.
“For state actors such as Forest Blizzard, DNS hijacking allows persistence, poor visibility and re-identification,” says Microsoft’s Threat Intelligence report on the attack.
Microsoft identified more than 200 organizations and 5,000 consumer devices affected by the GRU attack.
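One way to check a computer for this kind of tampering is to compare the DNS servers it is actually using against the ones you expect. The Python below is an added example, not code from the FBI, NSA, Microsoft or CNET; it assumes the altered router settings reach clients as DNS server addresses in a resolv.conf-style file, and the function names, sample file and addresses are constructed for illustration.

```python
import ipaddress

# Ranges that normally mean "the router itself or another box on my LAN".
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return the nameserver values from resolv.conf-style text, in order."""
    servers = []
    for line in resolv_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def audit_resolvers(resolv_conf: str, trusted: set[str]) -> list[tuple[str, str]]:
    """Classify each resolver as 'trusted', 'local' or 'UNEXPECTED'."""
    trusted_addrs = {ipaddress.ip_address(t) for t in trusted}
    report = []
    for raw in parse_nameservers(resolv_conf):
        try:
            addr = ipaddress.ip_address(raw.split("%", 1)[0])  # drop IPv6 zone id
        except ValueError:
            report.append((raw, "UNEXPECTED"))  # not an IP address at all
            continue
        if addr in trusted_addrs:
            verdict = "trusted"
        elif any(addr in net for net in LOCAL_NETS):
            verdict = "local"
        else:
            verdict = "UNEXPECTED"  # public resolver nobody here chose
        report.append((raw, verdict))
    return report

# Constructed sample: what a client might hold after a DHCP renewal.
SAMPLE = """\
# generated by DHCP client (constructed sample)
search home.example
nameserver 192.168.0.1
nameserver 198.51.100.10
nameserver 203.0.113.53   # not configured by the owner
"""
TRUSTED = {"198.51.100.10"}  # placeholder for resolvers you chose yourself

if __name__ == "__main__":
    for server, verdict in audit_resolvers(SAMPLE, TRUSTED):
        print(f"{verdict:10} {server}")
```

A "local" verdict only means the computer is asking the router; the DNS servers the router itself forwards to still have to be checked in its administrator settings.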
Which routers are affected?
The FBI announcement refers to one router specifically, the TP-Link TL-WR841N, a Wi-Fi 4 model that was originally released in 2007. The UK’s National Cyber Security Centre lists 23 TP-Link models that have been targeted, but notes that the list is likely not complete.
Here is the list of affected devices:
- TP-Link LTE Wireless N Router MR6400
- TP-Link Wireless Dual Band Gigabit Router Archer C5
- TP-Link Wireless Dual Band Gigabit Router Archer C7
- TP-Link Wireless Dual Band Gigabit Router WDR3600
- TP-Link Wireless Dual Band Gigabit Router WDR4300
- TP-Link Wireless Dual Band Router WDR3500
- TP-Link Wireless Lite N Router WR740N
- TP-Link Wireless Lite N Router WR740N/WR741ND
- TP-Link Wireless Lite N Router WR749N
- TP-Link Wireless N 3G/4G Router MR3420
- TP-Link Wireless N Access Point WA801ND
- TP-Link Wireless N Access Point WA901ND
- TP-Link Wireless N Gigabit Router WR1043ND
- TP-Link Wireless N Gigabit Router WR1045ND
- TP-Link Wireless N Router WR840N
- TP-Link Wireless N Router WR841HP
- TP-Link Wireless N Router WR841N
- TP-Link Wireless N Router WR841N/WR841ND
- TP-Link Wireless N Router WR842N
- TP-Link Wireless N Router WR842ND
- TP-Link Wireless N Router WR845N
- TP-Link Wireless N Router WR941ND
- TP-Link Wireless N Router WR945N
A TP-Link Systems spokesperson told CNET in a statement that the affected models have all reached End of Service and Life status in the past few years.
“Although these products are outside of our normal maintenance cycle, TP-Link has developed security updates for selected models where technically possible,” the spokesperson said.
TP-Link urges people with these outdated routers to upgrade to a new device if possible. You can find a list of available security patches on its security advisory page that addresses the latest attacks.
How to keep your router safe
The NSA has provided organizations with a list of the best ways to protect your home network. The most important thing you can do if you are using one of the affected devices is to update your router as soon as possible. It may not have received firmware updates in years, which is like leaving your network’s door open.
“The more you keep doing that, the greater the risk,” said Rik Ferguson, vice president of security intelligence at Forescout. “A router sits in a privileged position in any network. All your connections, all your traffic, have to go through that device.”
In addition to using a new device that still receives security updates, there are a few other steps you can take to lock down your network:
- Update your firmware regularly: Many communication devices allow you to enable automatic firmware updates in the settings. If this is an option, I would highly recommend doing it. If not, you can get updates for your router by logging into its web interface or using its app.
- Restart your router: NSA guidance recommends rebooting your router, smartphone and computers at least once a week. “Frequent restarts help remove bugs and ensure safety,” the agency said.
- Change the default usernames and passwords: One of the most common ways hackers gain access is by trying default login credentials set by the manufacturer. “There’s a global underground economy underneath all of that,” Ferguson said. “Basically, they just harvest information, either through their own attacks, or by collecting it from other sources and buying it.” This username and password combination is separate from your Wi-Fi login, which should also be changed every six months or so. The longer and more random your password is, the better.
- Disable remote administration: Most regular users don’t need to remotely manage their Wi-Fi router, and this is one of the main ways that malicious actors can change your router’s settings without your knowledge. You can usually find this option in your router administrator settings.
- Use a VPN: The FBI’s announcement about the attack specifically recommends that organizations with remote employees use a VPN when accessing sensitive data. These services encrypt your traffic as it passes through a remote server, keeping it safe from hackers.



