Morning Overview

Russian hackers hijacked thousands of older home routers to steal banking logins, the FBI says.

Home routers rarely cross most people’s minds once they are plugged in and working, which is exactly why they have quietly become one of the more attractive targets for state-linked hacking operations. A router that has been running untouched in a closet for years, still using its factory-default password and long past its last security update, offers an intruder a foothold that can sit undetected for months while normal internet use continues on top of it.

Federal investigators say that is precisely what happened on a national scale earlier this year, when a Russian military intelligence unit built a network of hijacked home routers stretching across dozens of states.

The Scope of the Router Hijacking Campaign

Investigators, including the FBI, NSA, and Department of Justice, issued a joint warning describing how Russian hackers hijacked outdated home and small-office routers tied to a GRU unit tracked under the names APT28 and Fancy Bear. According to the advisory, the group exploited previously disclosed vulnerabilities in unpatched TP-Link and MikroTik routers, many of them older models no longer receiving manufacturer security updates, to steal login credentials and reach into networks across at least 23 U.S. states.

Once inside a router, the hackers reportedly manipulated its settings to redirect DNS requests, the underlying system that translates web addresses into the numeric locations computers use to find each other online, toward servers under GRU control. That redirection technique allowed the group to intercept and reroute internet traffic passing through the compromised device, including logins for online banking portals and other sensitive services, without the router’s owner noticing anything unusual about their day-to-day browsing.

A Court-Authorized Response

The scale of the intrusion prompted the FBI to seek judicial authorization for an unusually direct countermeasure. According to a Justice Department announcement, the bureau obtained court approval to disrupt the hijacking network directly, developing a series of commands sent to the compromised routers themselves to collect evidence of the intrusion, reset manipulated settings back to their legitimate configuration, and close off the access the hackers had been using to reenter the devices.

That kind of court-authorized, remote intervention on privately owned home equipment is relatively rare and reflects how seriously investigators treated the campaign, which officials described as active since at least 2024. The operation illustrates a recurring challenge in defending against state-linked hacking groups: the individual devices being exploited, consumer routers purchased years earlier and left largely unmaintained, are not something any government agency can patch proactively without direct intervention, since router security updates depend on individual owners actively installing them.

Why Older Routers Are Such an Easy Target

Unlike phones and computers, which increasingly nag users with automatic update prompts, home routers are often installed once by an internet provider technician or a household member and then left alone indefinitely. Manufacturers eventually stop issuing security patches for older models, a point often reached well before the physical hardware fails, which leaves a router technically functional but increasingly vulnerable to publicly known exploits that hackers can use against any device that has not been patched.

Because a compromised router sits between every device on a home network and the broader internet, it occupies a uniquely powerful position for an attacker. Traffic passing through a hijacked router can be redirected, monitored, or manipulated before it ever reaches its intended destination, which is what made the DNS-redirection technique described in the advisory effective at capturing banking credentials without needing to compromise the bank’s own systems at all.

Why This Campaign Drew a Rare Government Intervention

State-linked hacking groups operating out of Russia, China, Iran, and North Korea have targeted consumer and small-business network equipment for years, but most such campaigns are addressed through public advisories urging individual users to patch their own devices rather than through direct, court-authorized action against the compromised hardware itself. The decision to seek judicial authorization for a hands-on disruption in this case reflects both the scale of the router network involved and the specific banking-credential theft angle, which moved the campaign beyond espionage or general network reconnaissance into territory with direct financial consequences for ordinary account holders.

Legal experts who track these operations note that court-authorized remote access to privately owned equipment, even when carried out for defensive purposes, sits in a narrow legal space that investigators use sparingly, generally reserved for campaigns judged to pose an active and ongoing risk that individual notification alone would not adequately address. The Justice Department’s willingness to pursue that route against a router-hijacking campaign, rather than a more conventional server or network intrusion, signals that officials view compromised home routers as a growing avenue for financially motivated and espionage-linked intrusions alike.

What Router Owners Are Being Advised to Do

Investigators are urging consumers to check whether their router model is still receiving manufacturer firmware updates and, if not, to replace it with a currently supported model. For routers still receiving updates, officials recommend installing the latest firmware immediately, changing the default administrator password to something unique, and disabling remote management features that allow the router’s settings to be changed from outside the home network, a feature many owners never realized was switched on by default.

Households are also being encouraged to periodically check their router’s DNS settings against the values provided by their internet service provider, since an unexpected change can be one of the few visible signs that a router has been compromised in the way described in this campaign. Given how invisible a hijacked router can be to an average user, officials are framing basic router maintenance, alongside the more familiar advice about strong passwords and multifactor authentication, as a core part of protecting household banking credentials going forward.

Morning Overview produced this article with AI assistance and reviewed it against the cited sources.


More from Morning Overview