Morning Overview

NSA and FBI urge router reboot amid Russian GRU-linked TP-Link hacks

If you own a TP-Link home router and have not updated it recently, U.S. intelligence agencies want you to stop what you are doing and reboot it. In a coordinated warning issued in April 2026, the NSA, FBI, and Department of Justice revealed that Russian military hackers compromised thousands of TP-Link routers worldwide, silently rerouting internet traffic through fake login pages designed to steal passwords for services like Microsoft Outlook.

The campaign has been attributed to GRU Unit 26165, the Russian military intelligence division tracked by cybersecurity researchers as APT28. A court-authorized FBI operation has dismantled part of the network inside the United States, but the agencies warn that any router still running outdated firmware remains a live target.

How the attack works

The hackers exploited CVE-2023-50224, a remote code execution flaw in the TP-Link WR841N, one of the best-selling budget routers in the world. The vulnerability, cataloged in both CISA’s Known Exploited Vulnerabilities list and the NIST National Vulnerability Database, allowed attackers to gain control of the device without any action from the user. No phishing email, no malicious download. The router itself was the entry point.

Once inside, APT28 overwrote the router’s DHCP and DNS settings. That meant every device connected to the network (laptops, phones, tablets) was quietly forced to resolve website addresses through servers controlled by the GRU. When a user tried to log into Outlook or another targeted service, the router directed them to a convincing fake version of the page. Credentials entered on those pages went straight to Russian intelligence.

The UK’s National Cyber Security Centre, in its own technical advisory, identified two distinct infrastructure clusters supporting the operation and noted that APT28 used the broad access to filter traffic and zero in on targets of intelligence value. The technique is particularly dangerous because it is invisible to the end user. The browser shows a normal-looking URL. The login page looks legitimate. Nothing triggers a typical antivirus alert.

What the government has done so far

The Justice Department confirmed it carried out a court-authorized disruption of the DNS hijacking network, targeting the U.S. portion of the botnet. A federal judge reviewed the evidence before approving the operation, which DOJ said affected thousands of TP-Link routers serving fraudulent DNS responses.

The FBI’s Internet Crime Complaint Center published a public service announcement detailing the threat and urging router owners to take immediate defensive steps. The NSA backed that alert in a separate press release, framing APT28’s router campaign as part of a broader Russian pattern of targeting cheap, poorly maintained edge devices that sit between home networks and the open internet.

The convergence of four agencies across two countries (the FBI, NSA, DOJ, and the UK’s NCSC) all naming the same threat actor and the same hardware makes this one of the most heavily corroborated state-actor attributions in recent years. These are formal government statements, not anonymous tips, and they would carry significant diplomatic consequences if retracted.

What we still do not know

The public record has real gaps. The DOJ described “thousands” of affected routers but did not break down how many were in the United States versus other countries. No agency has published a tool for consumers to check whether their specific device was compromised, and no individual victim-impact data has been released.

The timeline is also unclear. Neither the FBI nor the NCSC has publicly dated the earliest known intrusions, which makes it difficult for anyone who used an affected router to know how far back their exposure might reach. If your router was compromised for months before the takedown, credentials entered during that window could already be in hostile hands.

There is also the question of what happens next. The court-authorized disruption targeted infrastructure inside the United States, but the NCSC’s description of two separate clusters suggests parts of the network may sit beyond U.S. legal reach. The NSA’s warning is written in present tense, calling for “immediate defensive action,” a signal that the agencies believe the threat is not fully neutralized. Whether APT28 has already pivoted to other router models or rebuilt its infrastructure remains unanswered in any public disclosure.

How to protect yourself right now

Check your router model. If you own a TP-Link WR841N, or any SOHO router you have not updated in the past year, treat this as urgent. Visit the manufacturer’s support page and verify you are running the latest available firmware. If your device is no longer receiving security patches, replace it. A router that cannot be updated is a router that cannot be defended.

Reboot and reconfigure. After updating firmware, reboot the router to clear any potentially altered settings. Change the default administrative password to a strong, unique passphrase. Disable remote management unless you have a specific reason to keep it on. These steps take minutes and close the most common entry points.

Assume your credentials may be exposed. If you used a potentially compromised router to log into email, cloud storage, banking, or work accounts, change those passwords now. Enable multi-factor authentication on every service that supports it. There is no consumer tool to confirm whether your router was part of the GRU network, so treating this as a prompt for a full credential reset is the safest approach.

If you manage remote workers, act on this. For organizations with employees working from home, this incident is a reminder that the home router is part of your attack surface. Providing managed networking hardware, clear configuration guidance, or subsidized upgrades can close the gap between corporate security standards and the $25 router an employee bought five years ago. Network administrators should also monitor for unusual DNS behavior and consider enforcing secure DNS settings through device management policies.
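As an added example (not code from the article or from any agency advisory), the Python script below turns the DHCP/DNS tampering described in "How the attack works" and the "monitor for unusual DNS behavior" advice above into two offline checks: it flags resolvers a DHCP lease hands out that sit outside the LAN, and it compares A records from the router's resolver against a trusted resolver's. The lease text, addresses and hostnames are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample of a dhclient-style lease as a home router would hand it out;
# 203.0.113.7 (documentation range) stands in for a rogue resolver.
SAMPLE_LEASE = """lease {
  interface "eth0";
  fixed-address 192.168.0.23;
  option subnet-mask 255.255.255.0;
  option domain-name-servers 192.168.0.1, 203.0.113.7;
}
"""

def parse_lease(lease_text):
    """Extract the client address, subnet mask and domain-name-servers list."""
    def opt(name):
        m = re.search(rf"{name}\s+([^;]+);", lease_text)
        return m.group(1).strip() if m else None
    dns = opt("option domain-name-servers")
    return {
        "address": opt("fixed-address"),
        "mask": opt("option subnet-mask"),
        "dns": [a.strip() for a in dns.split(",")] if dns else [],
    }

def assess_lease(lease, allowlist=frozenset()):
    """Flag resolvers outside the LAN that are not on an explicit allowlist.
    A home router normally hands out its own LAN address; an outside address
    you never configured suggests the router's DHCP settings were altered."""
    lan = ipaddress.ip_network(f"{lease['address']}/{lease['mask']}", strict=False)
    return [f"DHCP handed out resolver {a} outside {lan}"
            for a in lease["dns"]
            if ipaddress.ip_address(a) not in lan and a not in allowlist]

def compare_answers(router_answers, trusted_answers):
    """Return hostnames whose router-resolver A records share nothing with a
    trusted resolver's. CDN-fronted sites legitimately differ by resolver, so
    a mismatch is a prompt to inspect the site's TLS certificate, not proof."""
    mismatches = []
    for host, ips in router_answers.items():
        trusted = set(trusted_answers.get(host, ()))
        if trusted and not trusted & set(ips):
            mismatches.append(host)
    return mismatches

if __name__ == "__main__":
    for finding in assess_lease(parse_lease(SAMPLE_LEASE)):
        print(finding)
```

Re-run the lease check after updating and rebooting, because a resolver written into the router's saved configuration survives a plain reboot; on Windows the equivalent live data is the DNS server list shown by `ipconfig /all`.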

Why cheap routers keep showing up in state-backed hacks

This is not the first time a nation-state has turned commodity networking gear into an espionage tool, and it will not be the last. Devices like the TP-Link WR841N are attractive to attackers precisely because they are everywhere, rarely updated, and almost never monitored. They sit at the boundary of the network, handling every packet of traffic that flows between a household and the internet, yet most owners never log into the admin panel after the initial setup.

The pattern is consistent across recent campaigns: rather than targeting hardened corporate firewalls, state-backed groups go after the weakest, most commoditized link in the chain. A compromised home router gives an attacker a quiet vantage point to intercept credentials, inspect traffic, and stage follow-on operations against more sensitive systems. For GRU, thousands of these footholds across multiple countries represent a low-cost, high-reward intelligence collection platform.

The agencies’ joint warning makes the calculus simple. If your router is old, unpatched, and running default settings, it is not just a piece of neglected hardware. It is an open door. Closing it takes less than 15 minutes. Leaving it open means trusting that no one on the other side is watching.


*This article was researched with the help of AI, with human editors creating the final content.