Russian hackers have been exploiting vulnerable routers around the world, according to a joint announcement from several federal agencies on April 7, including the Federal Bureau of Investigation and the National Security Agency as well as their counterparts across the globe.
The attack targeted small-office/home-office routers, also known as SOHO routers, and was carried out by a unit in the Russian military intelligence agency, the GRU.
Government agencies are urging people to follow basic router hygiene steps, such as updating to the latest firmware and changing default login credentials. The UK's National Cyber Security Centre lists a number of TP-Link routers specifically targeted by the hackers.
While that news sounds pretty alarming, it’s worth keeping in mind that the attack compromised enterprise routers specifically, so your home Wi-Fi router likely isn’t at risk. That said, some of the affected routers can be used as standard home routers, so it’s worth checking whether your model was exploited in the attack.
“There is a big trend of exploiting routers these days, and that goes both for the consumer and enterprise or corporate routers,” Daniel Dos Santos, vice president of research at the cybersecurity company Forescout, told CNET.
What type of attack is this?
A news release from the NSA notes that the attack indiscriminately targeted a wide pool of routers, with the goal of gathering information on “military, government, and critical infrastructure.”
This attack is linked to threat actors within the Russian GRU -- which go by APT28, Fancy Bear, Forest Blizzard and other names -- and has been ongoing since at least 2024, according to the FBI.