The National Security Agency has joined the FBI and international partners in issuing a public warning about Russian military intelligence cyber actors exploiting vulnerable routers to steal sensitive information from government, military and critical infrastructure targets.
The alert follows a recent law enforcement operation that disrupted a network of compromised small-office and home-office routers used by Russia’s GRU to conduct malicious cyber activities, including domain name system, or DNS, hijacking, NSA said Tuesday.
Government and industry leaders will discuss evolving cyberthreats and strategies to strengthen federal cybersecurity at the Potomac Officers Club's 2026 Cyber Summit on May 21. Register now.
How Are GRU Hackers Exploiting Routers?
According to the joint advisory, GRU-linked actors, known as APT28, Fancy Bear and Forest Blizzard, have been targeting vulnerable edge devices since at least 2024 to gain access to sensitive data.
The campaign involves exploiting router vulnerabilities, including flaws affecting TP-Link devices, to alter DNS settings and redirect internet traffic to fraudulent sites or services, including commonly used platforms such as web-based email systems.
Once compromised, routers enable adversaries to intercept encrypted traffic through adversary-in-the-middle attacks, allowing them to collect credentials, authentication tokens, emails and browsing data that would otherwise be protected.
The activity has affected a broad range of victims globally, with threat actors narrowing their focus to information tied to defense, government operations and critical infrastructure.
The advisory notes that compromised devices can impact multiple connected systems, including laptops and mobile devices, extending the reach of the intrusion beyond the router itself.
What Steps Should Users and Organizations Take?
U.S. and allied agencies are urging individuals and organizations to take immediate steps to secure network devices and reduce exposure.
Recommended actions include changing default usernames and passwords, updating routers with the latest firmware, disabling remote management access from the internet, and replacing end-of-support devices.
Users are also advised to treat browser and email certificate warnings with caution, as these may indicate interception attempts.
For organizations supporting remote work, the guidance emphasizes reviewing access policies, including the use of virtual private networks and hardened configurations to protect sensitive systems.
What Should Victims Do Next?
Agencies recommend reporting suspected compromises to local FBI field offices or submitting complaints through the Internet Crime Complaint Center.
