Friday, April 10, 2026 · 8 min read

Your router may be vulnerable to Russian hackers, FBI warns: 5 steps to take now

Curated by AI Agents Daily team · Source: ZDNet AI
Why This Matters

The FBI and NSA have jointly warned Americans that Russian military intelligence operatives are actively breaking into home and business routers to steal data and spy on networks. The threat is serious enough that two of the country's most powerful security agencies issued a rare...

According to ZDNet's coverage of the joint advisory, the Federal Bureau of Investigation and the National Security Agency are sounding the alarm about an active campaign by Russia's GRU, the military intelligence directorate, targeting routers used by ordinary Americans and businesses alike. The agencies issued a formal public service announcement urging users to take immediate protective action, calling out specific security failures that are making this exploitation campaign possible at a potentially massive scale.

Why This Matters

This is not a theoretical threat buried in a government threat report that nobody reads. Two of the most secretive agencies in the United States went public with this warning, which means the exploitation activity had reached a scale serious enough to justify tipping their hand. Router vulnerabilities affect an estimated hundreds of millions of devices in American homes and offices, most of which have never had a firmware update applied since the day they were plugged in. The GRU is not picking locks here; it is walking through doors that were left wide open.


The Full Story

Russia's GRU, the same military intelligence unit linked to election interference operations and the NotPetya cyberattack that caused an estimated $10 billion in global damages, has shifted part of its attention to something far more mundane: your home router. The FBI and NSA jointly confirmed the campaign in a formal cybersecurity advisory, representing an unusual degree of public disclosure from agencies that typically guard their threat intelligence closely. When both agencies decide to go public simultaneously, the threat is real and widespread.

The strategy behind targeting routers is straightforward and, frankly, smart from an attacker's perspective. Routers sit at the front door of every network, handling all traffic flowing in and out. Compromise a router and you can monitor everything, harvest login credentials, and quietly pivot deeper into the network toward more sensitive systems. Better yet, most users never think to check whether their router has been tampered with, so an attacker can maintain access for months or even years without detection.

The campaign exploits a combination of predictable user behaviors rather than exotic zero-day vulnerabilities. Many routers still run on default manufacturer usernames and passwords, credentials that are publicly listed in manufacturer documentation and trivially easy to try. Others are running firmware versions that have not been updated in years, carrying known security holes that patches have long since addressed. Remote management features, which allow administrators to log into routers over the open internet, provide yet another entry point that many users leave enabled without realizing it.

The FBI and NSA identified five core defensive actions. Change your default router credentials immediately and use a strong, unique password. Update your router firmware to the latest available version and enable automatic updates if your device supports them. Disable remote management unless you have a specific need for it. Upgrade your Wi-Fi encryption to WPA3 if your router supports it, or WPA2 as a minimum. Finally, check your router logs periodically for signs of unexpected login attempts or unusual configuration changes, because most compromises leave traces that go unnoticed only because nobody ever looks.
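The log check in the fifth step can be scripted once the router's log is exported. The sketch below is an added example, not part of the advisory or the original article: it runs over constructed syslog-style lines and flags repeated failed admin logins, admin logins from outside the LAN, and configuration changes. The log format, the setting names (`remote_management`, `dns_server`), the LAN range and the failure threshold are all assumptions to adapt to your own device.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a generic syslog style; real router log
# formats differ by vendor, so the patterns below are assumptions to adapt.
SAMPLE_LOG = """\
Apr  9 08:14:02 router httpd: admin login success from 192.168.1.23
Apr  9 21:40:11 router httpd: admin login failed from 203.0.113.77
Apr  9 21:40:15 router httpd: admin login failed from 203.0.113.77
Apr  9 21:40:19 router httpd: admin login failed from 203.0.113.77
Apr  9 21:41:03 router httpd: admin login success from 203.0.113.77
Apr  9 21:42:30 router config: setting changed: remote_management=enabled
Apr  9 21:43:10 router config: setting changed: dns_server=198.51.100.53
"""

LOGIN = re.compile(r"admin login (success|failed) from (\S+)")
CHANGE = re.compile(r"setting changed: (\S+)=(\S+)")
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed home LAN range
FAIL_THRESHOLD = 3                              # assumed alert threshold


def review(log_text, lan=LAN, fail_threshold=FAIL_THRESHOLD):
    """Return a list of (kind, detail) findings worth a closer look."""
    findings, failures = [], Counter()
    for line in log_text.splitlines():
        m = LOGIN.search(line)
        if m:
            result, addr = m.groups()
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                continue  # not an IP address; skip malformed entries
            if result == "failed":
                failures[addr] += 1
                if failures[addr] == fail_threshold:
                    findings.append(("repeated-failures", addr))
            elif ip not in lan:
                findings.append(("admin-login-from-outside-lan", addr))
            continue
        m = CHANGE.search(line)
        if m:
            findings.append(("config-change", f"{m.group(1)}={m.group(2)}"))
    return findings


if __name__ == "__main__":
    for kind, detail in review(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

A successful admin login from outside the LAN followed by a change to remote management or DNS settings is the sequence to treat as a compromise indicator rather than noise.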

The advisory carries weight beyond individual consumers. Organizations managing critical infrastructure are responding by implementing network segmentation strategies and deploying behavioral analytics to catch unusual traffic patterns that could signal a compromised device. Managed IT service providers reported a surge in customer inquiries following the advisory, indicating that the message is reaching at least some of its intended audience.

Key Details

  • The warning was issued jointly by the FBI and the NSA, two agencies that rarely coordinate on public consumer advisories.
  • The attacking unit is Russia's GRU, the military intelligence directorate previously implicated in the 2016 election interference campaign.
  • Security specialists estimate that hundreds of thousands or potentially millions of devices remain vulnerable due to unpatched firmware and unchanged default credentials.
  • The NSA press release was published through the NSA's official Press Room and is publicly available for verification.
  • The 5 recommended protective steps are: change default credentials, update firmware, disable remote management, enable WPA3 or WPA2 encryption, and monitor router logs.
  • The previous GRU-linked NotPetya attack in 2017 caused an estimated $10 billion in global damages, establishing the unit's capacity for large-scale infrastructure disruption.

What's Next

Managed IT service providers and enterprise security teams are already moving to audit router configurations across their client bases in response to this advisory, and expect that pressure to accelerate over the next 30 to 60 days as organizations formalize their responses. The Federal Communications Commission and the Cybersecurity and Infrastructure Security Agency are likely to issue supplementary guidance for critical infrastructure operators, given the national security framing of the original warning. Consumers who act now by updating firmware and changing default passwords will have materially reduced their exposure before the GRU can exploit whatever fresh vulnerabilities may emerge.

How This Compares

This advisory arrives in the context of a broader, years-long pattern of Russian state actors targeting network edge devices. In 2018, the FBI and Department of Homeland Security warned about a GRU-linked campaign called VPNFilter, which infected more than 500,000 routers across 54 countries with malware capable of disabling the devices entirely. The current campaign appears to use a similar playbook but is aimed at broader espionage rather than destructive capability, which in some ways makes it more dangerous because infected devices stay operational and undetected.

Compare this to the 2021 Microsoft Exchange Server exploitation campaign linked to Chinese state actors, which compromised an estimated 250,000 servers worldwide before patches were widely deployed. Both campaigns share a common thread: attackers targeting infrastructure that organizations treat as a solved problem, something plugged in and forgotten. The router campaign is arguably worse for consumers because enterprise IT teams at least have patching workflows, while home users have no equivalent safety net.

What sets the current GRU campaign apart from commodity cybercrime is the strategic patience involved. Criminal hackers typically want fast monetization through ransomware or credential theft. State intelligence operatives are willing to sit quietly inside a compromised router for months, collecting data and mapping networks for future operations. That long-game approach makes detection harder and raises the stakes considerably beyond what most users associate with router security.

Checking your router settings once should not be the end of it. Build it into a regular quarterly habit, the same way you would update your computer's operating system.

FAQ

Q: How do I know if my router has been hacked?
A: Log into your router's admin panel, typically by typing 192.168.1.1 or 192.168.0.1 into a browser, and check the connected devices list and the administrator login history. Unexpected devices, unfamiliar admin logins, or configuration changes you did not make are warning signs. If anything looks off, perform a factory reset, update the firmware, and set a new strong password before reconnecting.

Q: What is WPA3 and do I need it to stay safe?
A: WPA3 is the newest Wi-Fi encryption standard, released in 2018, and it makes it significantly harder for attackers to crack your wireless password through brute-force attacks. WPA2 is an acceptable minimum if your router does not support WPA3. What you must avoid is WEP, an older standard that provides almost no real protection and should be disabled immediately if your router still offers it as an option.

Q: Does changing my Wi-Fi password protect against this attack?
A: Changing your Wi-Fi password helps, but it is not sufficient on its own. The GRU attack targets the router's administrative interface, not just the Wi-Fi network password. You need to change the admin username and password used to log into the router itself, which is a separate credential from the password your phone or laptop uses to connect to your wireless network. Both passwords need to be strong and unique.

Router security has been the neglected middle child of consumer cybersecurity for too long, and a joint FBI and NSA warning is about as loud a wake-up call as the government is capable of issuing. The five steps outlined in the advisory take less than 30 minutes to complete and could meaningfully cut off one of Russia's most active intelligence-gathering pipelines.
