FBI warns: Russian hackers compromised TP-Link routers

FBI five-step – A joint federal advisory issued April 7 describes a court-authorized operation that disrupted an attack in which Russia’s GRU unit APT28 exploited neglected home and small-office routers across 23 US states—intercepting traffic, stealing credentials, and build
On the day the warning landed, it wasn’t delivered as a dramatic movie scene—it was a quiet instruction aimed at something most people treat like furniture: the home Wi-Fi router.
A joint federal advisory issued April 7 laid out the scale of an operation tied to Russia’s military intelligence agency, the GRU, and a group known as APT28. The attack exploited the long neglect of small-office/home-office routers, also called SOHO routers, working its way into thousands of devices across 23 US states. From there, the attackers could intercept traffic, steal credentials, and build what the advisory describes as a shadow network of compromised devices.
The advisory also came with the part that mattered most for ordinary households and small businesses: a clear five-step fix router owners should take immediately.
The targeting matters, too. The advisory says the operation focused on SOHO routers. Government agencies are urging people to follow basic router hygiene steps, including updating to the latest firmware and changing default login credentials. In the UK, the National Cyber Security Centre lists specific TP-Link routers among those targeted by the hackers.
Still, the alarm comes with an important qualification, one that determines how many people should feel personally at risk. The same reporting that describes the GRU operation also notes that the attack compromised enterprise routers specifically, which is why a typical home router may not be at risk. But the advisory also points out that some of the affected routers are sold and used as standard home routers, so it is worth checking whether your model is part of the exploited set.
At the center of this story is a DNS hijacking operation. The FBI says the attackers changed the default network configuration on compromised SOHO routers so they could intercept DNS requests: once the router’s name lookups were routed through infrastructure the attackers controlled, they could see where a user’s traffic was going and read that traffic whenever it was unencrypted. The FBI says the threat has been ongoing since at least 2024.
A Microsoft Threat Intelligence report describes what that capability enables for groups like Forest Blizzard (Microsoft’s name for APT28): persistent, passive visibility and reconnaissance at scale. In numbers, Microsoft identified more than 200 organizations and 5,000 consumer devices as impacted by the GRU’s attack.
The FBI’s announcement points to one specific router model: the TP-Link TL-WR841N, a Wi-Fi 4 router released in 2007. The UK’s National Cyber Security Centre lists 23 TP-Link models as targeted, while noting the list is likely not exhaustive.
Here are the affected devices named in the advisory and related listings:
TP-Link LTE Wireless N Router MR6400
TP-Link Wireless Dual Band Gigabit Router Archer C5
TP-Link Wireless Dual Band Gigabit Router Archer C7
TP-Link Wireless Dual Band Gigabit Router WDR3600
TP-Link Wireless Dual Band Gigabit Router WDR4300
TP-Link Wireless Dual Band Router WDR3500
TP-Link Wireless Lite N Router WR740N
TP-Link Wireless Lite N Router WR740N/WR741ND
TP-Link Wireless Lite N Router WR749N
TP-Link Wireless N 3G/4G Router MR3420
TP-Link Wireless N Access Point WA801ND
TP-Link Wireless N Access Point WA901ND
TP-Link Wireless N Gigabit Router WR1043ND
TP-Link Wireless N Gigabit Router WR1045ND
TP-Link Wireless N Router WR840N
TP-Link Wireless N Router WR841HP
TP-Link Wireless N Router WR841N
TP-Link Wireless N Router WR841N/WR841ND
TP-Link Wireless N Router WR842N
TP-Link Wireless N Router WR842ND
TP-Link Wireless N Router WR845N
TP-Link Wireless N Router WR941ND
TP-Link Wireless N Router WR945N
A TP-Link Systems spokesperson told CNET that the affected models all reached End of Service and End of Life status several years ago. The spokesperson also said TP-Link has developed security updates for select legacy models where technically feasible, and urged people with these outdated routers to upgrade to a newer device if possible. The spokesperson added that available security patches addressing the recent attack can be found on TP-Link’s security advisory page.
If there is a pattern to the fear behind this case, it is how little attention routers receive until something exploits that neglect. Daniel Dos Santos, vice president of research at the cybersecurity company Forescout, said there is a “big trend” of exploiting routers, for both consumer and enterprise or corporate devices.
That urgency is not speculation. The NSA’s news release describes how the attack indiscriminately targeted a wide pool of routers to gather information on “military, government, and critical infrastructure.” And the technique itself, DNS hijacking, depends on routers being left in place with old settings and old firmware.
Forescout’s Rik Ferguson put it plainly: the longer people keep using an exploited device, the greater the risk. He said the router sits in such a privileged position within any network that all communication and traffic has to pass through it.
The advisory and accompanying guidance point to a set of practical steps that begin with one action that’s hard to ignore: upgrade. The government’s most important instruction for owners of impacted devices is to upgrade the router as soon as possible—because it likely hasn’t received firmware updates in years. “The longer you carry on doing that, the greater the risk,” Ferguson said.
Beyond upgrading, the guidance lays out additional steps:
Update your firmware regularly. Many networking devices allow automatic firmware updates; if that option exists, the guidance recommends enabling it. If not, updates can be found by logging into the router’s web interface or using its app.
Reboot your router. The NSA’s guidance recommends rebooting your router, smartphone and computers at least once a week; the agency says regular reboots help remove implants. The caveat a practitioner would add: a reboot clears only malware that lives in memory. It does not undo settings an attacker has changed, such as the router’s DNS servers, so those still need to be checked and reset separately.
Change default usernames and passwords. Government guidance emphasizes that one common way hackers gain access is by trying manufacturer-set default login credentials. Ferguson described it as an underground economy built around harvested credentials—either obtained through attacks or stockpiled and bought.
Use a VPN, particularly for organizations with remote workers accessing sensitive data. The FBI’s announcement specifically recommends VPN use: the client encrypts traffic between the device and the VPN provider’s server, so a compromised router sees only an encrypted tunnel rather than the plaintext inside it, provided the device’s DNS lookups also go through the tunnel. This protects the path through the router; it does not fix the router.
Disable remote management. The guidance says most regular users don’t need remote management, and that it is one of the primary ways threat actors change a router’s settings without the owner’s knowledge. The switch is typically found in the router’s admin settings.
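The checks a practitioner would actually run after reading the DNS-hijacking description and the affected-model list above, written here as an added example that is not code from the advisory, CNET, TP-Link or any agency: normalise a router’s model label against the 23 NCSC-listed models, classify the DNS servers a client was handed, and compare answers for a few canary names obtained via the router with answers from a known-good resolver. The resolver is injectable; the fake_resolve answer table, the resolv.conf text, the LAN range 192.168.0.0/24 and the resolver allowlist are constructed for illustration, and the 203.0.113.x and 198.51.100.x addresses are documentation ranges, not real infrastructure.

```python
"""Post-advisory checks for a SOHO network (added example, constructed data):
1. is the router one of the TP-Link models on the NCSC list,
2. which DNS servers were clients handed and do any fall outside the LAN
   or the expected upstreams,
3. do answers obtained via the router match a known-good resolver."""
import ipaddress
import re

# Model tokens from the NCSC list quoted in the article, uppercased, with
# spaces and the "TL-" prefix removed so that label variants compare equal.
AFFECTED_TPLINK_MODELS = {
    "MR6400", "ARCHERC5", "ARCHERC7", "WDR3600", "WDR4300", "WDR3500",
    "WR740N", "WR741ND", "WR749N", "MR3420", "WA801ND", "WA901ND",
    "WR1043ND", "WR1045ND", "WR840N", "WR841HP", "WR841N", "WR841ND",
    "WR842N", "WR842ND", "WR845N", "WR941ND", "WR945N",
}

# "Archer C7" style names, or a 2-3 letter family code plus 3-4 digits and
# an optional suffix (WR841N, WDR3600, WA801ND).
_MODEL_RE = re.compile(r"ARCHER\s*C\d+|[A-Z]{2,3}\d{3,4}[A-Z]{0,2}")


def normalize_model(label):
    """'TP-Link TL-WR841N v9.0' -> 'WR841N'; None if no model token is found.
    Hardware revisions (v9, v11, ...) are dropped: the listing is per model."""
    match = _MODEL_RE.search(label.upper().replace("TL-", ""))
    return match.group(0).replace(" ", "") if match else None


def is_affected_model(label):
    return normalize_model(label) in AFFECTED_TPLINK_MODELS


def parse_nameservers(resolv_conf_text):
    """Addresses from the 'nameserver X' lines of resolv.conf-style text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_nameservers(nameservers, trusted, lan_cidr):
    """Tag each resolver: the router itself ('lan'), an allow-listed upstream
    ('trusted'), or anything else ('unexpected'), e.g. a rogue DHCP option."""
    lan = ipaddress.ip_network(lan_cidr)
    tags = {}
    for server in nameservers:
        if ipaddress.ip_address(server) in lan:
            tags[server] = "lan"
        elif server in trusted:
            tags[server] = "trusted"
        else:
            tags[server] = "unexpected"
    return tags


def answers_diverge(resolve, via, reference, names):
    """resolve(server, name) -> set of address strings. Return the names whose
    answer through the LAN path differs from the known-good resolver. A hijacked
    upstream can answer honestly for most names and rewrite only its targets,
    so query several canaries and treat a clean result as a sample, not a proof."""
    return sorted(name for name in names
                  if resolve(via, name) != resolve(reference, name))


# Constructed answer table standing in for live DNS queries: the router
# (192.168.0.1) forwards to an attacker-chosen upstream that rewrites one name.
_FAKE_ANSWERS = {
    ("192.168.0.1", "example.com"): {"203.0.113.20"},
    ("192.168.0.1", "login.example.org"): {"198.51.100.7"},  # rewritten answer
    ("1.1.1.1", "example.com"): {"203.0.113.20"},
    ("1.1.1.1", "login.example.org"): {"203.0.113.10"},
}


def fake_resolve(server, name):
    return _FAKE_ANSWERS.get((server, name), set())


SAMPLE_RESOLV_CONF = """# constructed sample of a client's resolver configuration
nameserver 192.168.0.1
nameserver 203.0.113.53
"""
CANARY_NAMES = ["example.com", "login.example.org"]


def run_checks(model_label="TP-Link TL-WR841N v9.0", resolv_conf=SAMPLE_RESOLV_CONF,
               resolve=fake_resolve, via="192.168.0.1", reference="1.1.1.1",
               lan_cidr="192.168.0.0/24", trusted=frozenset({"1.1.1.1", "8.8.8.8"})):
    """Bundle the three checks; pass a real resolver function to go live."""
    return {
        "affected_model": is_affected_model(model_label),
        "nameservers": classify_nameservers(parse_nameservers(resolv_conf),
                                            trusted, lan_cidr),
        "divergent_answers": answers_diverge(resolve, via, reference, CANARY_NAMES),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_checks(), indent=2))
```

To run this against a real network, read the client’s /etc/resolv.conf (or the equivalent output of ipconfig /all on Windows) and replace fake_resolve with a function built on a DNS client that can be pointed at a specific server, for example dnspython’s dns.resolver.Resolver with its nameservers attribute set to the one server and resolve(name, "A") called for each canary. A divergent answer for a name such as a login portal is the signature of the hijack described above; an empty list only means the canaries you chose were answered honestly at that moment.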
All of it, DNS manipulation, credential theft, persistent visibility, boils down to a simple reality: the device at the edge of a network is often the last thing people think about. In this case, the FBI and partners say Russia’s GRU-linked APT28 took advantage of that habit across 23 US states, and the disruption carried out through a court-authorized operation now leaves behind the same task for households and small offices everywhere.
Check the model. If it matches one of the affected TP-Link devices named in the advisory, the instruction is immediate: upgrade.
And if it doesn’t, the message still stands—because the guidance isn’t just about one attack. It’s about the basic steps that keep a home network from becoming an open door.