Various authorities are now issuing warnings that affect users of certain router models. Said routers are reportedly the target of a large-scale hacking campaign by Russian actors. The concerns center around TP-Link routers, although other manufacturers are also said to be affected.
The hacker group “Fancy Bear” (also known as “APT 28”) is believed to be behind the attacks on these routers. In the past, they’ve carried out attacks on companies supporting Ukraine in the war against Russia. They’re also credited with an attack on German air traffic control and on the German SPD party’s headquarters.
This warning (machine translated) from Germany’s domestic intelligence agency states that the group has “infiltrated vulnerable TP-Link internet routers worldwide to obtain military information, government information, or information about critical infrastructure.”
According to Spiegel Netzwelt (also machine translated), certain companies and households were reportedly informed of the threat back in mid-March. The letters contained details regarding affected devices. The FBI and NSA are also said to be involved in the investigations.
What the threat looks like
These router attacks fall under the category of DNS hijacking, where hackers attempt to redirect users to fake websites in hopes that they’ll disclose personal information, passwords, or bank details. Alternatively, the fake sites are used to infect users with malware when they download files.
The hackers are thought to be mainly targeting information that could assist the Russian military intelligence service GRU. In Germany, international investigators have already identified 30 devices that could be abused for this type of attack. The first incidents are said to date back to at least 2024.
How to protect yourself
The attackers are exploiting a known security vulnerability in TP-Link routers, which has already been patched by the manufacturer. Anyone with a TP-Link router should therefore check as soon as possible whether all the latest router firmware updates have been installed.
Also, watch out for typical signs of DNS hijacking:
- Frequent redirects to other websites
- Security warnings from your browser or antivirus software
- Increased frequency of pop-ups and suspicious ads
- Unusually long loading times despite a stable internet connection
- Changed DNS servers (you can check these in your router’s settings)
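The last sign in the list, changed DNS servers, can also be checked from a computer on the network. The following Python code is an added example, not part of the original article: it reads resolv.conf-style text (as found on Linux and similar systems) and flags any resolver that is neither a local address nor one you configured yourself. The EXPECTED_RESOLVERS value and the sample input are constructed placeholders.

```python
import ipaddress

# Assumption: resolvers the network owner configured on purpose.
# Documentation-range placeholder; replace with your ISP's or chosen resolver.
EXPECTED_RESOLVERS = {"192.0.2.53"}

# Ranges that normally mean "the router itself" or a local stub resolver.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

def parse_nameservers(resolv_conf_text):
    """Return the addresses on 'nameserver' lines, skipping comments."""
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1].split("%", 1)[0])  # drop IPv6 zone id
    return servers

def classify(server):
    """Label one resolver: invalid, local, expected or unexpected."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "invalid"
    if any(ip in net for net in LOCAL_NETS):
        return "local"
    if str(ip) in EXPECTED_RESOLVERS:
        return "expected"
    return "unexpected"

def audit(resolv_conf_text):
    return {s: classify(s) for s in parse_nameservers(resolv_conf_text)}

# Constructed sample input, not taken from a real device.
SAMPLE = """\
# Generated by DHCP client (constructed sample)
nameserver 192.168.0.1
nameserver 192.0.2.53
nameserver 203.0.113.77
"""

if __name__ == "__main__":
    for server, verdict in audit(SAMPLE).items():
        print(f"{server:15} {verdict}")
```

A "local" verdict only means the computer sends its queries to the router; the DNS servers the router itself uses still have to be compared in the router's settings.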
In similar news, the US government recently banned the import of foreign routers due to fears of espionage and malicious attacks on critical network infrastructure. Although TP-Link has had an American branch for several years, the company originally hails from China and is therefore also affected by the ban.



