The FBI and Department of Justice announced in April that they had successfully disrupted a Russian military intelligence hacking operation that compromised home and small office routers across the United States. The campaign, attributed to APT28 (also tracked as Fancy Bear and Forest Blizzard), is linked to Russia's GRU military intelligence agency. The attackers exploited vulnerabilities in older routers to modify DNS settings, redirecting internet traffic through servers under their control in order to steal credentials and authentication tokens and to monitor network activity.
The operation specifically targeted small office and home office (SOHO) routers, particularly older TP-Link models including the WR841N and other legacy devices identified by the UK National Cyber Security Centre. By compromising DNS settings, the attackers effectively controlled the address book that translates website names into network addresses. This allowed them to intercept sensitive data without obvious signs of compromise, as devices continued to function normally while traffic was quietly routed through malicious infrastructure. TP-Link acknowledged the reports and stated that the affected models reached end-of-service status years ago, though the company has developed security updates for select legacy models where technically feasible.
The technical approach exploited two common weaknesses in consumer router deployments. First, many users never change default administrative credentials, which are separate from Wi-Fi passwords and control the router itself. Second, manufacturers eventually stop providing security updates for older models, leaving known vulnerabilities unpatched. These factors combined to create an attractive target for sophisticated threat actors seeking persistent access to networks handling sensitive information, particularly those used by remote workers accessing corporate systems.
The impact extends beyond individual users to small businesses and remote workers whose compromised routers could provide access to workplace networks and sensitive corporate data. Every device connected to an affected router, including laptops, smartphones, tablets, and smart TVs, potentially had its traffic monitored or redirected. The attack demonstrates how neglected network infrastructure can undermine otherwise strong security practices, as users with robust passwords and security software remained vulnerable if their router was compromised.
Security agencies recommend immediate action for users with affected devices. Check router model numbers against advisory lists and verify whether the manufacturer still provides security support. Update firmware to the latest version and enable automatic updates if available. Change default administrative credentials to strong, unique passwords and disable remote management features unless specifically needed. For routers that no longer receive security updates, replacement is the only effective mitigation. Additional protective measures include using VPNs for work connections, deploying antivirus software on connected devices, and restarting routers periodically to clear potential malicious configurations.
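The DNS-setting change at the heart of this campaign is something a defender can check for from any client on the LAN: the resolvers the router hands out over DHCP should be the router itself or a deliberately chosen public service, and the addresses it returns for a login page should match what a trusted resolver returns. The script below is an added example, not code from the article or from any agency it cites; it assumes the DHCP-advertised resolver list has already been captured as a comma-separated string (for example from `ipconfig /all` or `nmcli`), that the LAN subnet and the expected resolver set are supplied by the reader, and all sample values are constructed.

```python
"""Audit the DNS servers a SOHO router advertises for signs of a DNS hijack."""
import ipaddress

# Assumed allowlist of public resolvers an administrator might deliberately configure.
KNOWN_PUBLIC = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
# RFC 1918 ranges checked explicitly (ipaddress.is_private also covers test/doc ranges).
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_resolver(addr: str, lan: ipaddress.IPv4Network) -> str:
    """Bucket a resolver address by where it lives relative to the LAN."""
    ip = ipaddress.ip_address(addr)
    if ip in lan:
        return "lan"            # the router itself or a local forwarder
    if ip.is_loopback or any(ip in net for net in RFC1918):
        return "other-private"  # reachable only via another private network
    if addr in KNOWN_PUBLIC:
        return "known-public"
    return "unknown-public"     # external resolver nobody configured on purpose


def audit_dhcp_dns(dns_option: str, lan_cidr: str, expected: set) -> dict:
    """Rate each server in a DHCP option-6 style list ('a.b.c.d, e.f.g.h')."""
    lan = ipaddress.ip_network(lan_cidr)
    findings = {}
    for raw in dns_option.split(","):
        addr = raw.strip()
        if not addr:
            continue
        kind = classify_resolver(addr, lan)
        if addr in expected:
            findings[addr] = "ok"
        elif kind == "unknown-public":
            findings[addr] = "SUSPICIOUS: unexpected external resolver"
        else:
            findings[addr] = f"review: {kind}"
    return findings


def diverging_answers(router_view: dict, trusted_view: dict) -> list:
    """Names whose A records from the router's resolver differ from a trusted resolver."""
    return sorted(name for name, ips in trusted_view.items()
                  if set(router_view.get(name, ())) != set(ips))


if __name__ == "__main__":
    # Constructed sample: the router should only hand out itself, but a second,
    # external address has appeared (203.0.113.0/24 stands in for a real IP).
    for addr, verdict in audit_dhcp_dns("192.168.1.1, 203.0.113.45",
                                        "192.168.1.0/24", {"192.168.1.1"}).items():
        print(addr, verdict)
    print(diverging_answers({"login.example.com": ["203.0.113.45"]},
                            {"login.example.com": ["198.51.100.7"]}))
```

A "review" verdict is not proof of compromise, since a household may legitimately point at a public resolver; the "SUSPICIOUS" verdict and any diverging answer for a login domain are the findings worth acting on.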
Source: https://www.foxnews.com/tech/fbi-says-russian-hackers-hijacked-old-wi-fi-routers