Morning Overview

FBI warns Russian GRU hackers are exploiting vulnerable TP-Link routers

If you own a TP-Link router and haven’t updated its firmware recently, Russian military intelligence may already be watching your internet traffic. That is the stark warning from a coordinated disclosure by the FBI, NSA, and Department of Justice in April 2026, which revealed that hackers from the GRU’s Unit 26165, widely tracked as APT28 or Fancy Bear, have compromised thousands of TP-Link routers worldwide to steal passwords, session tokens, and other sensitive data from unsuspecting users.

The campaign turns one of the most popular consumer routers on the market into a silent surveillance tool. And federal authorities say they have already taken court-authorized action to dismantle part of the network on U.S. soil.

How the attack works

The hackers are exploiting CVE-2023-50224, a vulnerability in the TP-Link WR841N router that allows an attacker to extract administrative credentials by sending a specially crafted HTTP request. (Note: CVE-2023-50224 is the identifier cited in the government advisories referenced here; that this specific CVE ID maps to the WR841N authentication bypass described has not been fully verified against the National Vulnerability Database.) Once they have those credentials, the attackers log in and rewrite the router’s DNS settings, according to a technical advisory from the UK’s National Cyber Security Centre.

DNS is essentially the phone book of the internet. Every time you type a web address, your router asks a DNS server where to find it. By redirecting those queries to servers they control, the GRU hackers can intercept login pages, capture passwords in real time, inject false responses, or quietly log browsing activity across every device on the network: laptops, phones, smart TVs, security cameras, all of it. The user sees nothing unusual.

The FBI’s Internet Crime Complaint Center attributed the campaign to the GRU’s 85th Main Special Service Center, also known as Forest Blizzard, and confirmed that thousands of routers were affected across multiple countries. In a public service announcement (note: the announcement’s URL is consistent with IC3’s format but has not been independently verified beyond the agencies’ own disclosures), the bureau explicitly named TP-Link devices and CVE-2023-50224 as the entry point. The NSA issued a parallel statement reinforcing the attribution and urging immediate firmware updates.

Federal authorities strike back

The government response went beyond advisories. The Justice Department announced “Operation Masquerade,” a court-authorized effort to neutralize the U.S. portion of the DNS hijacking network. Acting under judicial authorization obtained through the U.S. Attorney’s Office for the Eastern District of Pennsylvania, the FBI disrupted GRU-controlled DNS resolvers that had been redirecting traffic from compromised routers since at least 2024. (Note: the “Operation Masquerade” name and the DOJ press release are presented as stated in the original government disclosures; the press release URL is consistent with real DOJ press releases but has not been independently verified beyond those disclosures.)

The fact that a federal judge reviewed the evidence and authorized the takedown is significant. It means prosecutors demonstrated probable cause that the infrastructure was being used for foreign intelligence operations, a legal threshold that adds weight to the public attribution.

The operation targeted infrastructure inside U.S. borders. Whether allied governments conducted parallel disruptions abroad, or whether GRU-controlled resolvers in other countries remain active, has not been publicly addressed.

What we still don’t know

Despite the unusual level of coordination between U.S. and UK agencies, several important questions remain unanswered.

Scale: The Justice Department described “thousands” of compromised devices, but no agency has released a precise global count or a breakdown by country or sector. Whether the number is closer to two thousand or twenty thousand is unclear.

Vendor response: TP-Link has not issued a public statement in response to the joint government advisories, at least not one referenced by any of the announcing agencies. The full list of affected hardware revisions, the timeline for patch availability, and whether newer firmware fully closes the vulnerability all lack official vendor confirmation. That silence is notable given that TP-Link routers are among the best-selling consumer networking devices in the United States, and the company has faced separate scrutiny from U.S. lawmakers and the Commerce Department over its corporate ties to China.

Actual damage: The technical capability to intercept passwords and authentication tokens is confirmed, but no specific victim impact reports have been released. Whether individual users had accounts compromised or organizations suffered data breaches as a direct result of this campaign remains publicly unknown.

Timeline: References to activity “since at least 2024” suggest the campaign may have been running for well over a year before the coordinated disclosures in April 2026. The precise start date of APT28’s exploitation of CVE-2023-50224 is not pinned down in any public document.

Why this campaign stands out

APT28 is no stranger to espionage operations. The group has been linked to numerous intelligence campaigns over the past decade. What makes this operation different is the target: consumer-grade routers sitting in living rooms and small offices.

Rather than going after corporate VPNs or government networks directly, the GRU targeted the gateway devices that mediate traffic for entire households. A single compromised router gives the attackers visibility into every online service used by every person on that network. It is a remarkably efficient approach, and it exploits a class of device that most people plug in once and never think about again.

The strength of the public attribution also deserves attention. The FBI, NSA, DOJ, and UK NCSC each published independent advisories within the same window, and their technical details are consistent: the same router model, the same CVE, the same DNS hijacking technique. That alignment across agencies and countries signals high confidence and reduces the likelihood of misattribution.

What you should do right now

Government agencies are converging on a short list of concrete steps for anyone who owns a TP-Link WR841N or a similar older TP-Link router:

Check your DNS settings. Log into your router’s administration page (typically by navigating to 192.168.0.1 or 192.168.1.1 in a browser) and look at the DNS server addresses. If they point to IP addresses you don’t recognize, and especially if you never changed them from the defaults, your router may have been tampered with.

Update your firmware. Visit TP-Link’s support site, find your exact model and hardware version, and install the latest available firmware. This is the single most important step to close the vulnerability.

Change your passwords. Replace any default or reused router admin credentials with a strong, unique password. If your router’s DNS was compromised, also change passwords for email, banking, and other sensitive accounts you accessed over that network, since those credentials may have been captured.

Disable remote administration. Unless you have a specific need to manage your router from outside your home network, turn off remote management. This closes the most common path attackers use to reach the vulnerable interface.

Factory reset if in doubt. The NSA advises that if a router’s DNS entries point to unfamiliar addresses, the device should be factory-reset and reconfigured with updated firmware before reconnecting to the internet.

Small-business network administrators can take additional steps: segmenting critical devices onto separate VLANs, monitoring for unexpected DNS resolver changes, and watching for unusual login prompts or browser certificate warnings that could indicate traffic interception.
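The DNS check in the steps above, and the resolver-change monitoring suggested for small-business administrators, can be scripted. The following is an added example, not code from any of the agencies or from TP-Link: it classifies the DNS addresses pulled from a router’s admin page against an allowlist you maintain (the allowlist, gateway address, hostnames and IP answers below are constructed placeholders), and compares what the router-assigned resolver returns for sensitive domains with what a trusted reference resolver returns.

```python
import ipaddress
from typing import Iterable

# Constructed allowlist for this example: the resolvers the network owner
# expects (ISP defaults or well-known public resolvers). Replace with your own.
KNOWN_GOOD_RESOLVERS = {
    "1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9",
    "2606:4700:4700::1111", "2001:4860:4860::8888",
}


def classify_resolver(addr: str, lan_gateway: str) -> str:
    """Return 'ok', 'suspicious' or 'invalid' for one configured DNS address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    # A router handing out its own LAN address (it forwards upstream) is normal.
    if addr == lan_gateway or ip.is_loopback:
        return "ok"
    if ip.is_private or ip.is_link_local:
        # Some other private address: could be a local filtering resolver,
        # but it is not the default and deserves an explanation.
        return "suspicious"
    return "ok" if addr in KNOWN_GOOD_RESOLVERS else "suspicious"


def audit_router_dns(configured: Iterable[str], lan_gateway: str = "192.168.0.1") -> dict:
    """Map each resolver read from the router's admin page to a verdict."""
    return {addr: classify_resolver(addr, lan_gateway) for addr in configured}


def compare_resolution(local: dict, reference: dict) -> list:
    """Return hostnames whose answer from the router-assigned resolver shares no
    address with the answer from a trusted reference resolver. A mismatch is
    not proof of hijacking (CDNs answer differently by region), but it is the
    signal a redirected login page produces, so treat it as a prompt to check."""
    return sorted(h for h, addrs in local.items()
                  if h in reference and not (addrs & reference[h]))


if __name__ == "__main__":
    # Constructed sample: the router's DNS page lists one expected resolver
    # and one unknown public address (documentation range, not a real resolver).
    print(audit_router_dns(["8.8.8.8", "203.0.113.7"]))
    # Constructed sample answers: the local resolver diverges for the bank domain.
    local = {"bank.example": {"203.0.113.9"}, "mail.example": {"198.51.100.20"}}
    reference = {"bank.example": {"198.51.100.5"}, "mail.example": {"198.51.100.20"}}
    print(compare_resolution(local, reference))
```

In practice, feed `compare_resolution` with answers from a scheduled lookup against the router’s resolver and against a resolver you trust, and alert on any non-empty result or on any resolver that is not “ok”.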

The broader takeaway from Operation Masquerade is uncomfortable but important. State-sponsored hackers are no longer focused solely on government agencies and Fortune 500 companies. The router on your desk or tucked behind your TV is now a frontline target. Law enforcement showed it is willing to take direct action against foreign infrastructure threatening domestic networks, but the first and most important line of defense remains the device you probably haven’t thought about since the day you set it up.


This article was researched with the help of AI, with human editors creating the final content.