Tech Intelligence

US and UK warn of increasing risks from overlooked home routers as Russian hackers exploit vulnerabilities

Friday, 1 May 2026 9:03AM UTC

U.S. and British agencies raise alarms over the security of everyday routers following revelations of Russian cyber espionage activities exploiting known device vulnerabilities, urging simple yet critical safeguarding measures for households and small offices.

U.S. and British cyber agencies are again warning that one of the most overlooked devices in homes and small offices may also be one of the easiest to exploit: the internet router. In April, the National Security Agency said it supported an FBI public service announcement after U.S. and international law enforcement disrupted a network of compromised small-office and home-office routers tied to malicious hijacking activity.

The concern is not theoretical. According to the NSA, Russian military intelligence hackers have been collecting credentials and abusing vulnerable routers worldwide, including some TP-Link devices affected by a known flaw. The FBI said the routers were being used in DNS hijacking schemes, in which internet traffic is quietly diverted through attacker-controlled systems, making it possible to steal passwords, authentication tokens and other sensitive information.

The Justice Department and FBI said their court-authorised disruption targeted the U.S. portion of a broader router network linked to Russia’s GRU Military Unit 26165, better known as APT28, Fancy Bear or Forest Blizzard. The agencies said the compromised devices were being used against targets of intelligence interest, including people in the military, government and critical infrastructure sectors. The NSA had already warned in 2024 that the same unit was using compromised routers to harvest credentials, proxy traffic and host spearphishing pages.

For ordinary users, the message is to treat the router as a front door, not an afterthought. The NSA’s earlier home-network guidance and the latest warning both point to the same basic defences: reboot the router, install firmware updates, replace default administrator credentials, disable remote management unless it is genuinely needed and retire devices that no longer receive support. The agency says teleworkers should also make sure home access to employer systems is properly hardened, including through VPNs where appropriate.

The latest alert is less a call for alarm than for maintenance. A router that is patched, properly locked down and still supported by its maker is far harder to abuse than one left on autopilot for years. For households, churches, charities and small businesses alike, the practical fix may be as simple as closing the digital door before anyone tries the handle.

Source Reference Map

Inspired by headline at: ^[1]

Sources by paragraph:

Paragraph 1: ^[2], ^[3]
Paragraph 2: ^[2], ^[3], ^[4]
Paragraph 3: ^[4], ^[6]
Paragraph 4: ^[5], ^[2]
Paragraph 5: ^[2], ^[5]

Source: Noah Wire Services

More on this

https://baltimoretimes-online.com/living-well/2026/05/01/your-router-may-be-the-front-door-hackers-are-trying-to-open/ - Please view link - unable to able to access data
https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/4453919/nsa-supports-fbi-in-highlighting-russian-gru-threats-against-routers/ - In April 2026, the National Security Agency (NSA) and other agencies co-sealed a Federal Bureau of Investigation (FBI) public service announcement, 'Russian GRU Exploiting Vulnerable Routers to Steal Sensitive Information,' to encourage further defensive actions. The U.S. Department of Justice, FBI, and international law enforcement partners recently disrupted a GRU network of compromised small-office home-office (SOHO) routers used as part of malicious hijacking operations. All device owners and network defenders are encouraged to take action to remediate and reduce the attack surface of similar edge devices. Russian GRU 85th Main Special Service Center (85th GTsSS) cyber actors — also known as APT28, Fancy Bear, and Forest Blizzard — have collected credentials and exploited vulnerable routers worldwide, including compromising TP-Link routers using CVE-2023-50224.
https://www.fbi.gov/investigate/cyber/alerts - The FBI's Cyber Alerts page provides information on various cyber threats and vulnerabilities. Notably, on April 7, 2026, the FBI announced a court-authorized technical operation to neutralize the U.S. portion of a network of small office/home office (SOHO) routers compromised by a unit within Russia’s Main Intelligence Directorate of the General Staff (GRU) Military Unit 26165, also known as APT28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit. The unit used the routers to facilitate malicious Domain Name System (DNS) hijacking operations against worldwide targets of intelligence interest to the Russian government, including individuals in the military, government, and critical infrastructure sectors.
https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3688119/russian-cyber-actors-use-compromised-routers-to-facilitate-cyber-operations/ - In February 2024, the NSA, in collaboration with the FBI and other agencies, published a Cybersecurity Advisory (CSA) titled 'Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations.' The advisory outlines observed tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and mitigation recommendations for EdgeRouter users and other network defenders. The Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center, also known as APT28, Fancy Bear, and Forest Blizzard, has used compromised Ubiquiti EdgeRouters to harvest credentials, collect digests, proxy network traffic, and host spearphishing landing pages and custom tools.
https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3304674/nsa-releases-best-practices-for-securing-your-home-network/ - In February 2023, the NSA released the 'Best Practices for Securing Your Home Network' Cybersecurity Information Sheet (CSI) to help teleworkers protect their home networks from malicious cyber actors. The guide includes recommendations for securing routing devices, implementing wireless network segmentation, ensuring confidentiality during telework, and more. Spearphishing, malicious ads, email attachments, and untrusted applications can present concerns for home internet users. NSA not only shows teleworkers how to secure their home networks, but also provides tips for staying safe online.
https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-dns-hijacking-network-controlled - On April 7, 2026, the Department of Justice and the FBI announced a court-authorized technical operation to neutralize the U.S. portion of a network of small office/home office (SOHO) routers compromised by a unit within Russia’s Main Intelligence Directorate of the General Staff (GRU) Military Unit 26165, also known as APT28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit. The unit used the routers to facilitate malicious Domain Name System (DNS) hijacking operations against worldwide targets of intelligence interest to the Russian government, including individuals in the military, government, and critical infrastructure sectors.

Noah Fact Check Pro

The draft above was created using the information available at the time the story first emerged. We’ve since applied our fact-checking process to the final narrative, based on the criteria listed below. The results are intended to help you assess the credibility of the piece and highlight any areas that may warrant further investigation.

Freshness check

Score: 3

Notes: The article references events from April 2026, with the latest being a press release from the NSA dated April 7, 2026. The article was published on May 1, 2026, indicating a delay of approximately three weeks. This delay is significant for cybersecurity news, where timeliness is crucial. Additionally, the article appears to be a summary of existing press releases and news reports, lacking original reporting or new insights. This suggests the content may be recycled, reducing its freshness score. The earliest known publication date of similar content is April 7, 2026, aligning with the NSA's press release. The narrative has been republished across various platforms, including low-quality sites and clickbait networks, which raises concerns about its originality. The article is based on a press release, which typically warrants a high freshness score; however, the lack of original reporting and the recycling of content from other sources diminish this score. The presence of different figures, dates, and quotes in earlier versions further indicates discrepancies and potential issues with the content's originality. Given these factors, the freshness score is reduced to 3.

Quotes check

Score: 2

Notes: The article includes direct quotes from the NSA and FBI press releases. However, these quotes are not independently verified and appear to be reused from the original press releases. The lack of independent verification and the reuse of quotes from the original sources raise concerns about the authenticity and originality of the content. No online matches were found for the earliest known usage of these quotes, indicating they may not have been independently verified. Given these issues, the quotes score is reduced to 2.

Source reliability

Score: 4

Notes: The article originates from The Baltimore Times, a niche publication with limited reach. While it is a known source, its credibility is not as established as major news organisations. The content appears to be summarising, rewriting, or aggregating information from other sources, including press releases from the NSA and FBI. This lack of original reporting and reliance on secondary sources diminishes the reliability of the article. Given these factors, the source reliability score is reduced to 4.

Plausibility check

Score: 5

Notes: The claims made in the article align with known information about Russian GRU cyber actors exploiting vulnerable routers. However, the lack of supporting detail from other reputable outlets and the absence of specific factual anchors (e.g., names, institutions, dates) raise concerns about the plausibility of the content. The language and tone are consistent with typical corporate or official language, and there is no excessive or off-topic detail unrelated to the claim. Given these factors, the plausibility score is 5.

Overall assessment

Verdict (FAIL, OPEN, PASS): FAIL

Confidence (LOW, MEDIUM, HIGH): HIGH

Summary: The article fails to meet verification standards due to its reliance on recycled content, lack of original reporting, unverified quotes, and dependence on non-independent sources. The freshness, quotes, source reliability, content type, and verification independence scores are all low, indicating significant concerns about the article's credibility. Given these issues, the overall assessment is a FAIL with HIGH confidence.

cybersecurity
internet security
home network