Fancy Bear wants to penetrate your network, steal your passwords. FBI and NSA issue alerts


The FBI’s IC3 unit (Internet Crime Complaint Center of the US Federal Bureau of Investigation) released a public service announcement on April 30, 2026, warning the public to be wary of Russian cyber attacks on personal devices and home networks. While this particular announcement was specific to TP-Link brand routers, the risk and the available countermeasures apply to any router and to connected devices in general.

The NSA (US National Security Agency) added that Russian intelligence has indiscriminately compromised a wide pool of US and global victims, especially targeting information related to military, government, and critical infrastructure.

DNS hijacking details

Since at least 2024, Russian GRU 85th Main Special Service Center (85th GTsSS) cyber actors — also known as APT28, Fancy Bear, and Forest Blizzard — have been collecting credentials and exploiting vulnerable routers worldwide, including compromising TP-Link routers using CVE-2023-50224. The GRU actors changed the devices’ dynamic host configuration protocol (DHCP) / domain name system (DNS) settings to introduce actor-controlled DNS resolvers.

Connected devices, including laptops and phones, inherit these modified settings. The actor-controlled infrastructure resolves and captures lookups for all domain names. The GRU provides fraudulent DNS answers for specific domains and services — including Microsoft Outlook Web Access — enabling adversary-in-the-middle (AitM) attacks against encrypted traffic if users navigate through a certificate error warning. These AitM attacks would allow the actors to see the traffic unencrypted.

The GRU has harvested passwords, authentication tokens, and sensitive information including emails and web browsing data normally protected by Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption. The GRU has indiscriminately compromised a wide pool of U.S. and global victims and then filtered down to impacted users of interest, especially targeting information related to military, government, and critical infrastructure.
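Two client-side checks for the hijack described above, as an added example that is not part of the FBI/NSA text: first, compare the resolvers a device received from DHCP against what the owner expects to see; second, compare answers from the router-assigned resolver with those from an independent resolver, which catches the selective spoofing even when the compromised router hides the rogue resolver behind itself. The lease excerpt, the 192.168.1.0/24 subnet, the allowlist and both answer sets are constructed for the example.

```python
"""Client-side checks for a DHCP/DNS hijack on the home router (added example)."""
import ipaddress
import re

# Constructed ISC dhclient lease excerpt. A hijacked router hands out an
# actor-controlled resolver (203.0.113.7, a TEST-NET-3 address) alongside itself.
LEASE = """lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1, 203.0.113.7;
}"""

# Resolvers a device on this LAN is expected to see: the router itself (as a
# forwarder) or public resolvers the owner chose. Assumed values for the example.
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "8.8.8.8"}
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed local subnet

# Constructed answer sets. Only the webmail host is redirected to actor
# infrastructure (198.51.100.20); other names resolve honestly so the hijack
# stays inconspicuous, as the advisory describes for selected services.
LOCAL_ANSWERS = {"mail.example.org": {"198.51.100.20"}, "www.example.org": {"192.0.2.10"}}
TRUSTED_ANSWERS = {"mail.example.org": {"192.0.2.25"}, "www.example.org": {"192.0.2.10"}}

def dhcp_resolvers(lease_text):
    """Return the DNS servers offered in a dhclient lease, in offered order."""
    m = re.search(r"option domain-name-servers ([^;]+);", lease_text)
    return [s.strip() for s in m.group(1).split(",")] if m else []

def unexpected_resolvers(lease_text, expected=EXPECTED_RESOLVERS, lan=LAN):
    """Flag offered resolvers that are neither allowlisted nor on the LAN.

    Caveat: if the router itself forwards to actor infrastructure, the client
    only sees the router's LAN address here; use spoofed_domains() as well."""
    return [addr for addr in dhcp_resolvers(lease_text)
            if addr not in expected and ipaddress.ip_address(addr) not in lan]

def spoofed_domains(local_answers, trusted_answers):
    """Names for which the router-assigned resolver shares no A record with a trusted one."""
    return sorted(name for name, ips in local_answers.items()
                  if trusted_answers.get(name) and not ips & trusted_answers[name])

if __name__ == "__main__":
    print("unexpected resolvers:", unexpected_resolvers(LEASE))
    print("spoofed domains:", spoofed_domains(LOCAL_ANSWERS, TRUSTED_ANSWERS))
```

On a real device the lease text comes from the DHCP client's lease file and the two answer sets from querying the assigned resolver and a trusted one for the same names; a non-empty result from either function is a reason to inspect the router's DHCP/DNS settings.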

Available countermeasures

The FBI and partners have released relevant guidance and technical indicators, including the NCSC-UK cybersecurity advisory “APT28 exploit routers to enable DNS hijacking operations” and CISA’s Edge Device Security webpage.

Users of SOHO routers are encouraged to upgrade end-of-support devices, update to latest firmware versions, change default usernames and passwords, and disable remote management interfaces from the Internet. All users should carefully consider certificate warnings in web browsers and email clients.

Organizations that allow remote work should review relevant policies regarding how employees access sensitive data, such as using VPNs and hardened application configurations. Additionally, organizations may consider incentivizing employees to upgrade outdated personal devices involved in remote access.

CNET provided further advice (link to full article below):

  • Regularly update your router’s firmware
  • Reboot your router
  • Change default usernames and passwords
  • Disable remote management
  • Use a VPN

The NSA also recommends best practices for securing your home network (see below for link to full article).

Why it matters

If you suspect you have been targeted or compromised by a Russian GRU cyber intrusion, report the activity to your local FBI field office or file a complaint with the IC3. Be sure to provide details about your router, including device type and DHCP configurations.

The U.S. Department of Justice and the FBI recently disrupted a GRU network of compromised small-office home-office (SOHO) routers used to facilitate malicious DNS hijacking operations. The FBI and its partners are releasing this announcement to warn the public and to encourage network defenders and device owners to take action to remediate and reduce the attack surface of similar edge devices.

Further reading

Russian GRU exploiting vulnerable routers to steal sensitive information. Public Service Announcement, Alert Number I-040726-PSA. April 7, 2026. FBI IC3 (Internet Crime Complaint Center).

NSA supports FBI in highlighting Russian GRU threats against routers. Press release. April 7, 2026. National Security Agency/Central Security Service.

5 steps the FBI wants you to take to secure your router right now. Article. May 10, 2026. CNET.
