
Russian spies hijacked thousands of American home routers right under our noses—until the FBI secretly fixed them overnight.
Story Snapshot
- The FBI and DOJ disrupted GRU’s DNS-hijacking network targeting routers in 23 U.S. states.
- GRU Unit 26165 has exploited TP-Link vulnerabilities since 2024 for global espionage.
- Court-authorized operation reset DNS settings, blocking Russian access without user disruption.
- FBI, NSA, and 15 international partners issued an urgent PSA for router security steps.
- Users must update firmware and replace end-of-life devices to prevent future hacks.
GRU’s Router Exploitation Tactics
Russia’s GRU Military Unit 26165, known as APT28 or Fancy Bear, targeted TP-Link SOHO routers using CVE-2023-50224 since at least 2024. Hackers stole credentials, hijacked DNS settings, and redirected traffic to GRU servers.
This enabled espionage against U.S. military, government, and critical infrastructure targets. Thousands of routers worldwide were compromised, including devices in 23 U.S. states. Home users remained unaware as spies lurked in their networks.
FBI’s Court-Authorized Disruption Operation
FBI Boston and Philadelphia Field Offices executed the operation last week under DOJ authority from the Pennsylvania Eastern District Court. Agents collected evidence, reset DNS to ISP defaults, and blocked GRU access.
The process affected normal functionality minimally and proved reversible via factory reset. Unsealed documents confirm testing on TP-Link hardware and firmware. ISPs received notifications to alert affected users. This marked direct U.S. government intervention in private devices.
Joint Public Service Announcement Details
FBI Cyber Division Assistant Director Brett Leatherman warned that unsuspecting Americans in 23 states owned compromised routers. Alongside the NSA and 15 international partners, the FBI released a PSA urging firmware updates, disabling remote management, and replacing end-of-life routers.
The NSA emphasized reviewing telework VPN policies in light of APT28 threats. DOJ stated that defending networks requires collective action. Users should visit TP-Link for downloads and report suspicions to the FBI’s IC3.
FBI offers urgent guidance on securing home routers after disrupting Russian intelligence hacking network https://t.co/1UuQ6CciVA
— FOX Business (@FoxBusiness) April 15, 2026
Impacts and Long-Term Security Lessons
In the short term, the disruption cut GRU access to U.S. routers and boosted awareness. In the long term, it sets a precedent for court-led remediation and pressures vendors like TP-Link to provide patches. Users who replace devices bear the economic cost, and the risk of data breaches loomed large.
Politically, it escalates U.S.-Russia cyber tensions, aligning with calls for robust defenses against state adversaries. Common sense demands individuals act—reboots alone fail against persistent threats. Telework demands firewalls and VPNs now.
Sources:
NSA Supports FBI in Highlighting Russian GRU Threats Against Routers














