
Russia's Military Hackers Targeted Home Routers Across 23 States. Here's What to Do

Why This Matters

This incident highlights the ongoing threat of state-sponsored cyber espionage targeting routers, which can compromise both personal and critical infrastructure data. It underscores the importance for consumers and organizations alike to maintain strong cybersecurity practices to prevent exploitation. Staying vigilant and updating device firmware are crucial steps in safeguarding digital assets against sophisticated nation-state attacks.

Key Takeaways

For years, a unit of Russia's military intelligence agency quietly turned ordinary home routers into tools of espionage. The GRU group known as APT28, the same outfit behind the 2016 DNC hack and a string of attacks on NATO targets, exploited unpatched firmware and unchanged default passwords to compromise thousands of devices across 23 US states, redirecting internet traffic through servers under Russian control and harvesting credentials along the way. Federal agents disrupted the operation in April under a court order. What they couldn't do from a distance was fix the underlying vulnerabilities. That requires five steps from you.

The attack targeted small-office/home-office routers, also known as SOHO routers, and was carried out by a unit in the Russian military intelligence agency, the GRU. Government agencies are urging people to follow basic router hygiene steps, such as updating to the latest firmware and changing default login credentials. An advisory from the UK's National Cyber Security Centre lists a number of TP-Link routers specifically targeted by the hackers.

While that news sounds pretty alarming, it's worth keeping in mind that the attack compromised enterprise routers specifically, so your home Wi-Fi router likely isn't at risk. That said, some of the affected routers can be used as standard home routers, so it's worth checking whether your model was exploited in the attack.


"There is a big trend of exploiting routers these days, and that goes both for the consumer and enterprise or corporate routers," Daniel Dos Santos, vice president of research at the cybersecurity company Forescout, told CNET.

What type of attack is this?

A news release from the NSA notes that the attack indiscriminately targeted a wide pool of routers, with the goal of gathering information on "military, government, and critical infrastructure."


This attack is linked to threat actors within the Russian GRU -- tracked as APT28, Fancy Bear, Forest Blizzard and other names -- and has been ongoing since at least 2024, according to the FBI.

It's known as a Domain Name System hijacking operation: the attackers change the default network configuration on compromised SOHO routers so that DNS requests are intercepted and routed through servers they control, allowing them to see a user's unencrypted traffic.
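The configuration change described above is visible from the client side: a router that has been tampered with hands out resolver addresses the owner never configured. The following is an added example, not code from the article or from any of the agencies it cites, that parses the resolvers a Linux host received (a constructed resolv.conf sample) and flags any that are neither on an assumed allowlist nor inside an assumed LAN subnet; both the allowlist and the subnet are placeholders to replace with your own values.

```python
"""Audit the DNS resolvers a host was handed (typically by a router's DHCP)
against an allowlist, to spot the configuration change used in DNS hijacking.
Added example with constructed inputs; it is not code from the article."""
import ipaddress
import re

# ASSUMED allowlist: the router's own LAN address plus two public resolvers the
# household chose. Replace with the resolvers you actually expect to see.
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "9.9.9.9"}
# ASSUMED LAN range; anything inside it is local rather than foreign.
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample resolv.conf: the second nameserver is one the owner never
# configured, which is the symptom a tampered router's DHCP would produce.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.53
options edns0
"""

_NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_resolvers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text, in order."""
    return _NAMESERVER_RE.findall(resolv_conf_text)


def classify_resolver(addr, expected=EXPECTED_RESOLVERS, lan_subnet=LAN_SUBNET):
    """Label one resolver address.

    expected   - on the allowlist
    local      - inside the LAN or loopback but not on the allowlist
                 (for example a local filtering resolver you set up yourself)
    unexpected - a public address you did not configure; the case to investigate
    invalid    - not a parseable IP address
    """
    if addr in expected:
        return "expected"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    # ip_network.__contains__ returns False for a mismatched IP version,
    # so an IPv6 resolver against an IPv4 LAN subnet is simply "unexpected".
    if ip in lan_subnet or ip.is_loopback:
        return "local"
    return "unexpected"


def audit_resolvers(resolv_conf_text, expected=EXPECTED_RESOLVERS,
                    lan_subnet=LAN_SUBNET):
    """Map every resolver found in the text to its label."""
    return {addr: classify_resolver(addr, expected, lan_subnet)
            for addr in parse_resolvers(resolv_conf_text)}


def has_unexpected_resolver(resolv_conf_text, expected=EXPECTED_RESOLVERS,
                            lan_subnet=LAN_SUBNET):
    """True if at least one resolver is a public address not on the allowlist."""
    verdicts = audit_resolvers(resolv_conf_text, expected, lan_subnet)
    return any(v == "unexpected" for v in verdicts.values())


if __name__ == "__main__":
    # On a real host, replace SAMPLE_RESOLV_CONF with open("/etc/resolv.conf").read()
    for address, verdict in audit_resolvers(SAMPLE_RESOLV_CONF).items():
        print(f"{address:20} {verdict}")
```

This only checks what the host can see. A router whose upstream (WAN) DNS setting was changed will still hand clients its own LAN address as the resolver, so the router's admin interface needs to be checked as well, alongside the firmware update and credential change the agencies recommend.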
