The FBI and NSA have identified a Russian military intelligence unit, APT28, using compromised home and small-office routers to intercept sensitive communications and credentials since early 2024.
Key Points
- Russian intelligence group APT28, also known as Fancy Bear, has been conducting Domain Name System (DNS) hijacking to intercept unencrypted user traffic.
- The operation has impacted over 200 organizations and 5,000 consumer devices, primarily targeting legacy TP-Link router models.
- Federal agencies successfully performed remote resets on thousands of affected U.S. devices under court order to disrupt the ongoing espionage campaign.
- Security experts urge users to update router firmware, change default login credentials, and disable remote management features to prevent unauthorized access.
- TP-Link confirmed that many targeted devices have reached their end-of-service life and recommends upgrading to newer hardware to ensure continued security.