Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
If you haven’t thought about your home router since the day you set it up, the FBI would like to have a word. Federal agencies, including the FBI and the National Security Agency, revealed on April 7 that a unit of Russia’s Military Intelligence Directorate, the GRU group known as APT28 or Fancy Bear, has been systematically hacking home and small office routers since at least 2024, using access to intercept credentials, authentication codes, and sensitive communications. The agency has taken the unusual step of remotely resetting thousands of affected US devices under a court order, but officials warn that without action by individual router owners, the problem is far from solved.
The attack targeted small office/home office routers, also known as SOHO routers, and was carried out by a unit of Russia’s military intelligence agency, the GRU. Government agencies are urging people to follow basic router hygiene steps, such as updating to the latest firmware and changing the default login credentials. Includes the UK’s National Cyber Security Centre A number of TP-Link routers specifically Targeted by hackers.
Although this news seems quite alarming, it’s worth keeping in mind that the attack specifically affected enterprise routers, and thus your home. Wi-Fi router Probably not in danger. However, some affected routers can be used as standard home routers, so it’s worth checking if your model was exploited in the attack.
“There’s a big trend for router exploits these days, and this applies to both consumer and enterprise or enterprise routers,” Daniel Dos Santos, vice president of research at cybersecurity firm Forescout, told CNET.
What type of attack is this?
Press release from National Security Agency It notes that the attack randomly targeted a wide range of routers, with the aim of gathering information about “military, government and critical infrastructure.”
This attack is linked to threat actors within the Russian GRU — which include APT28, Fancy Bear, Forest Blizzard, and other names — and has been ongoing since at least 2024, according to the FBI.
This process is known as Domain Name System hijacking, in which DNS requests are intercepted by changing the default network configurations on SOHO routers, allowing actors to see user traffic unencrypted.
“For nation-state actors like Forest Blizzard, DNS hijacking enables persistent, passive visibility and reconnaissance at scale,” says one analyst. Microsoft Threat Intelligence Report On the attack.
Microsoft identified more than 200 enterprise and 5,000 consumer devices affected by the GRU attack.
Which routers are affected?
The FBI announcement mentions one router in particular: TP-Link TL-WR841NWi-Fi 4 model was Originally released in 2007. The UK’s National Cyber Security Center lists 23 TP-Link models that have been targeted, but notes that this is likely not comprehensive.
Below is the list of affected devices:
- TP-Link LTE Wireless N Router MR6400
- TP-Link Archer C5 Wireless Dual Band Gigabit Router
- TP-Link Archer C7 Wireless Dual Band Gigabit Router
- TP-Link WDR3600 Wireless Dual Band Gigabit Router
- TP-Link WDR4300 Wireless Dual Band Gigabit Router
- TP-Link WDR3500 Wireless Dual Band Router
- TP-Link Lite Wireless Router WR740N
- TP-Link Lite Wireless Router WR740N/WR741ND
- TP-Link Wireless Lite Router WR749N
- TP-Link Wireless N 3G/4G Router MR3420
- TP-Link Wireless N Access Point WA801ND
- TP-Link Wireless N Access Point WA901ND
- TP-Link Wireless N Gigabit Router WR1043ND
- TP-Link Wireless N Gigabit Router WR1045ND
- TP-Link Wireless N Router WR840N
- TP-Link Wireless N Router WR841HP
- TP-Link Wireless N WR841N Router
- TP-Link Wireless N Router WR841N/WR841ND
- TP-Link Wireless N WR842N Router
- TP-Link Wireless N Router WR842ND
- TP-Link Wireless N WR845N Router
- TP-Link Wireless N Router WR941ND
- TP-Link Wireless N WR945N Router
A TP-Link Systems spokesperson told CNET in a statement that all affected models reached end-of-service and end-of-life status several years ago.
“Although these products are outside our standard maintenance lifecycle, TP‑Link has developed security updates for specific legacy models where technically feasible,” the spokesperson said.
TP-Link urges people with these older routers to upgrade to a newer device if possible. You can find a list of available security patches on his site Security consulting page Countering the last attack.
How to keep your router secure
The NSA referred the organizations to a list Best practices for securing your home network. The most important thing you can do if you are using one of the affected devices is to upgrade your router as soon as possible. It may not have received firmware updates in years, which is like leaving the door to your network open.
“The longer we continue to do this, the greater the risks,” said Rick Ferguson, vice president of security intelligence at FourScout. “A router occupies a privileged position within any network. All of your connections and traffic should pass through this device.”
In addition to using a newer device that still receives security updates, there are some other steps you can take to secure your network:
- Update your firmware regularly: Many network devices allow you to enable Automatic firmware updates In settings. If this is an option, I highly recommend it. If not, you can find updates for your router by logging into its web interface or using its app.
- Restart your router: NSA guidelines recommend rebooting your router, smartphone, and computers at least once a week. “Regular reoperations help remove implants and ensure safety,” the agency says.
- Change default usernames and passwordsOne of the most common ways hackers gain access is by trying the default login credentials specified by the manufacturer. “There’s a whole underground economy underlying all of this,” Ferguson says. “Basically, they just collect credentials, either through attacks of their own, or by storing them from other sources and purchasing them.” This username and password combination is different from your Wi-Fi login information, which also needs to be changed every six months or so. The longer and more random your password is, the better.
- Disable remote administration: Most regular users don’t need to manage their Wi-Fi router remotely, and this is one of the primary ways threat actors can change your router settings without your knowledge. You can usually find this option in your device Router admin settings.
- Use a VPN: The FBI’s attack announcement specifically recommends that organizations operate remotely Use a VPN When accessing sensitive data. These services encrypt your traffic as it passes through a remote server, keeping it safe from hackers.