Morning Overview

6 settings that lock down your home Wi-Fi against strangers

The U.S. Department of Justice has twice disrupted foreign-intelligence operations that hijacked ordinary home routers, first reversing malicious DNS changes on small-office and home-office devices compromised by a Russian military intelligence unit, then dismantling a worldwide botnet built by People’s Republic of China state-sponsored hackers. Those operations confirmed that the gap between a secure home network and a compromised one often comes down to a handful of settings most owners never touch. Federal agencies including the FTC and FBI now point to six specific configuration changes that close the entry points these campaigns exploited.

Why foreign-intelligence router hijacks put every household at risk

Home routers are not just internet gateways. They are targets. The Justice Department’s court-authorized disruption of a DNS hijacking network used tailored commands to revert malicious settings on compromised SOHO routers that a Russian military intelligence unit had taken over. In a separate action, DOJ obtained judicial approval to interfere with a worldwide botnet used by PRC state-sponsored hackers, which had absorbed hundreds of consumer devices, routers and cameras alike, into a proxy network.

Both campaigns shared a pattern: attackers exploited default credentials, exposed remote-management interfaces, and outdated firmware to gain control of devices their owners assumed were safe. Once in place, the operators could silently redirect traffic, hide behind household IP addresses, and pivot deeper into local networks. The FBI has warned that end-of-life routers and exposed management interfaces are attractive to proxy services and criminal infrastructure, meaning that even devices not singled out by foreign-intelligence units can still be swept into large-scale abuse.

A reasonable hypothesis follows: households that both upgrade wireless encryption and disable remote management should face measurably lower re-infection rates than those that only apply firmware patches. No publicly available longitudinal study has tested that specific combination against subsequent foreign-intelligence campaigns. But the operational record from DOJ, combined with federal consumer advice, strongly suggests that firmware updates alone leave critical attack surfaces open, particularly default admin passwords and externally reachable management portals.

Six router settings backed by federal and international guidance

The Federal Trade Commission’s guidance on securing a home network aligns closely with what investigators saw in those hijacking operations. Each recommended setting maps to a concrete weakness that attackers have already exploited at scale.

  • Switch encryption to WPA3-Personal. The Wi-Fi Alliance introduced WPA3 with a Simultaneous Authentication of Equals handshake, known as SAE, which strengthens protections against password guessing. With WPA2, an intruder who records the handshake from the airwaves can run an offline dictionary attack against the passphrase; SAE is designed so that a recorded handshake cannot be used to test guesses offline, so every guess has to be made live against the router, which can throttle or reject it. Two caveats apply. Many routers offer a WPA2/WPA3 mixed or transition mode that keeps the WPA2 handshake available for older clients, so choose WPA3-only once every device supports it. And WPA3 still needs a strong passphrase: it makes guessing slower, not unnecessary. If a router does not support WPA3 at all, WPA2-Personal with a long, unique passphrase is the minimum acceptable standard, but upgrading hardware to gain WPA3 support is preferable.
  • Replace factory admin credentials and the default network name. Published default usernames and passwords are the single easiest way into a router; automated tools can try them against millions of devices in minutes. Changing the administrator password to a unique, complex phrase eliminates that shortcut. The administrator password is separate from the Wi-Fi passphrase, and both need changing. Renaming the SSID so it does not reveal the brand or model removes a signal that tells attackers exactly which hardware they are probing and which known exploits to try first.
  • Disable remote management. Remote administration features expose the router’s control panel to the wider internet, often on predictable ports. That convenience became a liability when Russian operators used externally reachable interfaces to alter DNS settings on compromised devices. Federal and international agencies advise turning off remote management entirely unless there is a specific, time-limited need for it, and then restricting access to trusted addresses wherever possible.
  • Turn off Universal Plug and Play (UPnP). UPnP allows devices on the local network to ask the router to open inbound ports (port forwards) without owner approval. While that can simplify gaming consoles or smart TVs, it also lets malware on a single compromised laptop or camera silently punch holes through the firewall. Disabling UPnP forces any port-forwarding changes to go through the router's manual configuration screen, where the owner can see and control them.
  • Disable Wi-Fi Protected Setup (WPS). WPS was designed to make connecting devices easier through a PIN or push-button pairing, but the PIN method remains susceptible to brute-force attacks that require little sophistication: because the router validates the eight-digit PIN in two halves, an attacker needs on the order of eleven thousand guesses rather than a hundred million. Once an attacker recovers the WPS PIN, they can obtain the network credentials and join even if the main Wi‑Fi passphrase is strong. Turn WPS off entirely rather than leaving push-button pairing enabled, since some firmware keeps the PIN method active behind it; that removes this weaker backdoor and ensures that all devices must authenticate using WPA3 or WPA2 credentials.
  • Install every available firmware update. Firmware patches close known vulnerabilities in the router’s operating system and embedded web server. Devices that no longer receive updates, often labeled end-of-life, accumulate unpatched flaws that attackers can scan for remotely. When a manufacturer stops releasing new firmware, replacing the hardware becomes the only realistic way to restore a secure baseline.
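Settings like these live in plain key=value files on open-source routers, which makes them easy to audit. The following script, written for this article and not taken from the FTC, FBI or any router vendor, reads a hostapd.conf (the wireless configuration used by OpenWrt-class access points) and a miniupnpd.conf and reports which of the settings above are still weak: encryption mode, WPA2/WPA3 transition mode, management frame protection, passphrase length, WPS, a vendor-revealing SSID, and UPnP. The sample configurations are constructed; the vendor-name list and the 16-character passphrase threshold are assumptions, not official guidance.

```python
"""Audit access-point and UPnP daemon configs against the settings above.
Example code added for this article; sample configs are constructed."""

# Vendor strings that commonly appear in factory SSIDs (assumed, not exhaustive).
VENDOR_MARKERS = ("netgear", "tp-link", "linksys", "asus", "d-link", "dlink",
                  "xfinity", "spectrum", "arris", "orbi", "eero")
MIN_PASSPHRASE_LEN = 16  # assumed threshold; WPA accepts 8..63 characters

WEAK_AP = """\
interface=wlan0
ssid=NETGEAR47
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=password123
rsn_pairwise=CCMP
wps_state=2
eap_server=1
"""

HARDENED_AP = """\
interface=wlan0
ssid=bookshelf
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=SAE
sae_password=correct-horse-battery-staple-2024
rsn_pairwise=CCMP
ieee80211w=2
wps_state=0
"""

WEAK_UPNP = "ext_ifname=eth0\nenable_upnp=yes\nenable_natpmp=yes\n"
HARDENED_UPNP = "ext_ifname=eth0\nenable_upnp=no\nenable_natpmp=no\n"


def parse_kv(text):
    """Parse hostapd/miniupnpd key=value lines; a later key overrides an earlier one."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit_ap(cfg):
    """Return (setting, message) findings for a hostapd config; empty list = passes."""
    findings = []
    wpa = cfg.get("wpa", "0")  # hostapd: bit 1 = legacy WPA, bit 2 = WPA2/RSN
    kmgmt = set(cfg.get("wpa_key_mgmt", "").split())
    if wpa == "0" or not kmgmt:
        findings.append(("encryption", "open or WEP network; set wpa=2 and wpa_key_mgmt=SAE"))
    else:
        if wpa in ("1", "3"):
            findings.append(("encryption", "legacy WPA/TKIP still allowed; set wpa=2"))
        if "SAE" not in kmgmt:
            findings.append(("encryption", "WPA2-PSK only; switch wpa_key_mgmt to SAE"))
        elif "WPA-PSK" in kmgmt:
            findings.append(("encryption", "WPA2/WPA3 transition mode; drop WPA-PSK once all clients support SAE"))
        if "TKIP" in cfg.get("rsn_pairwise", "CCMP").split():
            findings.append(("encryption", "TKIP cipher allowed; use rsn_pairwise=CCMP"))
        mfp = cfg.get("ieee80211w", "0")  # 0 = off, 1 = optional, 2 = required
        if "SAE" in kmgmt and "WPA-PSK" not in kmgmt and mfp != "2":
            findings.append(("pmf", "WPA3-only requires ieee80211w=2 (management frame protection)"))
        elif "SAE" in kmgmt and mfp == "0":
            findings.append(("pmf", "transition mode needs ieee80211w=1 plus sae_require_mfp=1"))
    secret = cfg.get("sae_password") or cfg.get("wpa_passphrase", "")
    if secret and len(secret) < MIN_PASSPHRASE_LEN:
        findings.append(("passphrase", f"passphrase is {len(secret)} characters; use at least {MIN_PASSPHRASE_LEN}"))
    if cfg.get("wps_state", "0") != "0":  # 0 = disabled, 1/2 = WPS active
        findings.append(("wps", f"WPS enabled (wps_state={cfg['wps_state']}); set wps_state=0"))
    ssid = cfg.get("ssid", "").lower()
    if any(marker in ssid for marker in VENDOR_MARKERS):
        findings.append(("ssid", "SSID reveals the router vendor; choose a neutral name"))
    return findings


def audit_upnp(cfg):
    """Flag miniupnpd settings that let LAN devices open inbound ports on their own."""
    findings = []
    # Missing keys are treated as enabled (conservative assumption).
    if cfg.get("enable_upnp", "yes").lower() != "no":
        findings.append(("upnp", "UPnP IGD enabled; set enable_upnp=no"))
    if cfg.get("enable_natpmp", "yes").lower() != "no":
        findings.append(("upnp", "NAT-PMP enabled; set enable_natpmp=no"))
    return findings


if __name__ == "__main__":
    for label, ap, upnp in (("weak", WEAK_AP, WEAK_UPNP), ("hardened", HARDENED_AP, HARDENED_UPNP)):
        findings = audit_ap(parse_kv(ap)) + audit_upnp(parse_kv(upnp))
        print(f"{label}: {len(findings)} finding(s)")
        for setting, message in findings:
            print(f"  [{setting}] {message}")
```

Point the parser at /etc/hostapd.conf and /etc/miniupnpd.conf (or the equivalents a given firmware generates) to run it against a real device; remote management, the one setting in the list that does not live in either file, has to be checked in the firewall or web-server configuration instead.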

After applying these changes, a full reboot ensures that old processes and cached configurations are cleared. A reboot does not undo a persistent compromise, so check the router's DNS server fields afterward: changed DNS settings were precisely the damage in the Russian campaign described above. The FTC also encourages households to review the list of connected devices at least monthly, removing unknown entries and checking for unfamiliar hostnames or MAC addresses that may indicate an intruder.
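The monthly device review is easier to keep up when it is scripted. The following example, added for this article and not part of any agency guidance, reads the DHCP lease table in the dnsmasq format many OpenWrt routers keep in /tmp/dhcp.leases, compares it with an owner-maintained list of known MAC addresses, and reports unknown devices and known devices whose hostname has changed. It also flags addresses with the locally administered bit set, since modern phones and laptops randomize their MAC per network and will otherwise show up as strangers every month. The lease lines and the known-device list are constructed.

```python
"""Compare a router's DHCP lease table with a known-device inventory.
Example code added for this article; leases and inventory are constructed."""

# dnsmasq lease format: <expiry epoch> <mac> <ip> <hostname or *> <client-id or *>
SAMPLE_LEASES = """\
1735689600 3c:22:fb:1a:2b:3c 192.168.1.20 anna-laptop 01:3c:22:fb:1a:2b:3c
1735689700 b8:27:eb:44:55:66 192.168.1.21 pihole *
1735689800 da:4f:11:22:33:44 192.168.1.30 * 01:da:4f:11:22:33:44
1735689900 00:1a:2b:3c:4d:5e 192.168.1.40 camera-hall *
"""

# Owner-maintained inventory: MAC -> expected hostname (assumed values).
KNOWN_DEVICES = {
    "3c:22:fb:1a:2b:3c": "anna-laptop",
    "b8:27:eb:44:55:66": "pihole",
    "00:1a:2b:3c:4d:5e": "porch-camera",
}


def is_locally_administered(mac):
    """True when bit 1 of the first octet is set: the address was assigned by
    software rather than burned in by the vendor, which is what MAC randomization produces."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def parse_leases(text):
    """Parse dnsmasq lease lines into dicts; malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        expiry, mac, ip, hostname = parts[:4]
        mac = mac.lower()
        leases.append({
            "expiry": int(expiry),
            "mac": mac,
            "ip": ip,
            "hostname": None if hostname == "*" else hostname,
            "randomized": is_locally_administered(mac),
        })
    return leases


def review(leases, known):
    """Sort leases into known, unknown, and known-but-renamed buckets."""
    report = {"known": [], "unknown": [], "renamed": []}
    for lease in leases:
        expected = known.get(lease["mac"])
        if expected is None:
            report["unknown"].append(lease)
        elif lease["hostname"] and lease["hostname"] != expected:
            # Same MAC, different name: re-imaged device, or something else using the address.
            report["renamed"].append(lease)
        else:
            report["known"].append(lease)
    return report


def format_report(report):
    """Render the review as plain lines suitable for a monthly e-mail or log."""
    lines = []
    for lease in report["unknown"]:
        hint = " (randomized MAC: check your own phones/laptops first)" if lease["randomized"] else ""
        lines.append(f"UNKNOWN  {lease['mac']}  {lease['ip']}  {lease['hostname'] or '-'}{hint}")
    for lease in report["renamed"]:
        lines.append(f"RENAMED  {lease['mac']}  {lease['ip']}  now '{lease['hostname']}'")
    lines.append(f"{len(report['known'])} known, {len(report['unknown'])} unknown, "
                 f"{len(report['renamed'])} renamed")
    return lines


if __name__ == "__main__":
    for line in format_report(review(parse_leases(SAMPLE_LEASES), KNOWN_DEVICES)):
        print(line)
```

On a real router, replace SAMPLE_LEASES with the contents of the lease file and keep the inventory in a file under version control so each month's diff is visible; a device that keeps appearing with a randomized MAC should be switched to a fixed address in its own Wi-Fi settings, or its vendor hostname added to the inventory, rather than ignored.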

Gaps in the evidence and what to watch next

Despite the clear alignment between known attack paths and recommended settings, there are still notable gaps in public evidence. Law-enforcement operations describe how specific botnets and hijacking campaigns worked, but they rarely publish detailed statistics on how many compromised routers had, for example, UPnP enabled versus disabled, or how many victims had already installed the latest firmware. Without that breakdown, it is hard for independent researchers to quantify exactly how much protection each individual setting provides.

Similarly, most guidance treats home networks as a single category, even though the risk profile for a freelancer working with sensitive client data is different from that of a casual streaming household. More granular studies could examine whether high-risk users benefit from additional controls, such as segregating work devices on a separate guest network or using dedicated hardware firewalls in front of ISP-provided routers. For now, those measures remain best practices inferred from enterprise security, not rigorously tested requirements for home users facing foreign-intelligence threats.

Another open question is how quickly attackers adapt when large numbers of households follow official advice. If more consumers adopt WPA3 and disable remote management, adversaries may shift toward exploiting weaknesses in poorly secured smart-home devices that sit behind otherwise hardened routers. That possibility underscores why federal agencies emphasize inventorying connected devices and keeping their firmware updated as diligently as the router’s own software.

Future reporting from government operations could help close these evidence gaps. Even anonymized statistics on how compromised routers were configured, and which mitigations were missing, would let academics and security professionals refine their models of household risk. Until then, the six settings highlighted by federal and international guidance represent a pragmatic baseline: they directly address the weaknesses already abused in real-world campaigns, they are within reach of non-technical users, and they significantly raise the cost of turning a home router into someone else’s foothold.


*This article was researched with the help of AI, with human editors creating the final content.