Author: Beau Dickie, Chief Information Security Officer
If you use a home router for work, this warning matters to you.
The latest joint guidance from the FBI, NSA, and international partners says Russian GRU actors have been exploiting vulnerable small office and home office routers to manipulate DNS and DHCP settings, redirect traffic, and harvest passwords, authentication tokens, emails, and browsing data. This is not just an enterprise issue. It is a home-office issue, a remote-work issue, and a business-risk issue created by vulnerable SOHO devices at the edge of the network.
In MSP environments, I routinely see edge devices excluded from normal patch cycles, reviewed less often than laptops and servers, and treated more like utilities than security assets. That gap is exactly why this kind of warning deserves attention. The router may sit quietly in the background, but it can still become the doorway to much bigger problems. This is especially true when a home office or small branch network is being used to access company email, cloud platforms, and sensitive business data.
Quick Summary
What happened: Russian GRU actors exploited vulnerable SOHO routers, overwrote DHCP and DNS settings, and enabled adversary-in-the-middle attacks that could expose passwords, tokens, and other sensitive data.
Why it matters: A compromised home or small-office router can create business risk when it is used for remote work, cloud access, or business communications.
What to do today: Reboot the router as a simple first step, then verify support status, update firmware, review DNS and DHCP settings, change admin credentials, and disable unnecessary remote management.
Who This Applies To
This applies to small and midsize businesses, remote workers, home offices, small branch locations, and anyone using a home or SOHO router to reach business systems. It also applies to MSP clients and IT leaders trying to understand whether business risk may be entering through home networks or smaller unmanaged edge devices rather than through traditional enterprise appliances. The federal guidance specifically points organizations with telework users toward reviewing remote access practices and how sensitive data is being accessed outside the office.
What Happened
According to the April 7 public service announcement, Russian GRU actors, also known as APT28, exploited vulnerable routers by changing DHCP and DNS settings so devices behind those routers would use attacker-controlled DNS resolvers. Once that happened, the attackers could capture DNS lookups and return fraudulent DNS responses for selected services, including Microsoft Outlook Web Access. If a user clicked through a certificate warning, that opened the door to adversary-in-the-middle activity against traffic the user expected to be protected.
That matters because this is not just about internet connectivity. It is about trust. If the router has been compromised, the attacker may be able to influence the traffic before many downstream protections ever have a chance to work. The advisory says these operations enabled the theft of passwords, authentication tokens, emails, and browsing information that would normally be protected by SSL or TLS encryption.
Why This Matters for Businesses
When I talk about business risk here, I do not mean only large corporate edge appliances. I mean the risk businesses inherit when employees, executives, and hybrid teams use vulnerable home and small-office routers to access work systems. The home router is no longer separate from the security conversation if it is part of how your people do business.
That is one of the biggest mindset shifts I would encourage. Businesses often put real effort into securing laptops, identity platforms, email, and cloud apps. All of that matters. But if the edge device feeding those sessions is outdated, misconfigured, or exposed, you may have a blind spot sitting right in front of the rest of your security stack.
How To Tell If You May Be Affected
At a high level, start with a few practical questions.
- Is your router still supported by the manufacturer, or is it end-of-life?
- Is the firmware current?
- Do the DNS and DHCP settings look correct?
- Is remote management exposed to the internet when it does not need to be?
- Are there unexpected DNS resolvers configured anywhere in the device?
- Have there been unfamiliar changes to admin access or router settings?
The official guidance points users toward checking support status, applying firmware updates, changing default credentials, and disabling internet-exposed management interfaces when not needed. The UK NCSC advisory also emphasizes router exploitation that overwrites DHCP and DNS settings to redirect traffic through attacker-controlled servers.
What To Do Today
If you use a home router for work, take action now.
1. Reboot the router
A reboot is a simple immediate step. It is not the full fix, but it is an easy place to start while you move through the more important validation and remediation steps below.
2. Check whether the router is still supported
If the device is end-of-life or end-of-service, replace it. Unsupported edge devices create avoidable risk, especially when they are part of remote work or small-office operations.
3. Update firmware
Apply the latest available firmware from the manufacturer. The federal guidance is clear that unpatched and unsupported devices are a real part of this problem.
4. Change router admin credentials
If the router still uses default credentials, weak credentials, or old credentials that may have been reused elsewhere, change them immediately.
5. Review remote management exposure
If the management interface is exposed to the public internet and there is no clear reason for that, disable it. Remote administration should not be open by default.
6. Verify DNS and DHCP settings
Look closely at the router's DNS and DHCP configuration. If the device is pointing to unfamiliar DNS resolvers, that deserves immediate attention. The core of this activity involved manipulating those settings to redirect traffic.
7. Take certificate warnings seriously
Do not click through certificate errors casually. The advisory specifically warns that users who navigate through certificate warning pages may expose encrypted traffic to adversary-in-the-middle interception.
8. Lock down DNS at a high level
Once you have verified the correct DNS settings, keep them that way. The point is not to create a complicated project. It is to make sure your router is using expected resolvers, not attacker-controlled ones, and to reduce the chance of unnoticed DNS manipulation going forward.
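Steps 6 and 8 come down to comparing what the router hands out against what you expect. As an added example that is not part of the advisory or Vector Choice's own tooling, the Python check below labels each DNS server in a client's DHCP lease against a hypothetical allowlist (EXPECTED_RESOLVERS), treats RFC 1918 addresses as the router itself so you know to check its upstream setting, and flags when the router-supplied resolver's answer for a sensitive hostname shares nothing with a trusted resolver's answer; every address in it is a constructed sample.

```python
import ipaddress

# Hypothetical allowlist: the public resolvers you expect the router to hand
# out via DHCP. Replace with your own (ISP or chosen provider) addresses.
EXPECTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "9.9.9.9"}

# RFC 1918 ranges: a resolver here is normally the router itself forwarding
# upstream, so the upstream DNS setting must be checked in the router's admin page.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: DNS servers a client received in the router's DHCP lease
# (what `ipconfig /all` or `nmcli dev show` reports). Not real data.
SAMPLE_DHCP_LEASE_DNS = ["192.168.1.1", "1.1.1.1", "203.0.113.45"]

# Constructed sample: A-record answers for a sensitive hostname, as returned by
# the router-supplied resolver and by a trusted reference resolver queried
# directly. Documentation addresses only, not real hosts.
SAMPLE_ROUTER_ANSWER = ["198.51.100.20"]
SAMPLE_REFERENCE_ANSWER = ["192.0.2.10", "192.0.2.11"]


def classify_resolver(addr, expected=EXPECTED_RESOLVERS):
    """Label one DHCP-supplied resolver: expected, lan, unexpected or invalid."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if str(ip) in expected:
        return "expected"
    if any(ip in net for net in RFC1918):
        return "lan"
    return "unexpected"


def audit_dhcp_dns(lease_dns, expected=EXPECTED_RESOLVERS):
    """Map every resolver in the lease to its label; anything 'unexpected'
    or 'invalid' is what step 6 tells you to look at immediately."""
    return {addr: classify_resolver(addr, expected) for addr in lease_dns}


def answers_diverge(router_answer, reference_answer):
    """True when the router-supplied resolver's answer shares no address with
    the trusted resolver's answer. Geo-DNS and CDNs can legitimately differ,
    so treat a divergence as a reason to investigate, not proof of tampering."""
    return not set(router_answer) & set(reference_answer)


if __name__ == "__main__":
    print(audit_dhcp_dns(SAMPLE_DHCP_LEASE_DNS))
    print("diverges:", answers_diverge(SAMPLE_ROUTER_ANSWER, SAMPLE_REFERENCE_ANSWER))
```

A "lan" result is not a finding by itself; it means the router is the resolver and its configured upstream servers are the value to verify against the same allowlist.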
What To Do If You Suspect Compromise
If you think the router may have been tampered with, move quickly.
Isolate the device if needed. Change the admin credentials. Update firmware. Review DNS and DHCP settings carefully. Disable unnecessary remote management. If the device is outdated, unsupported, or behaving in a way you do not trust, replace it. In some cases, a factory reset followed by a secure reconfiguration may be the safest path. The DOJ says legitimate users can restore desired settings through the router management page or by using a factory reset.
After that, rotate passwords and tokens for any services that may have been exposed, especially email and other business systems. Review logs where available. Contact your ISP, your internal IT team, or your MSP to validate the environment. The NSA and FBI also direct suspected victims to report activity through FBI field offices or IC3.
A Note on Affected Devices and Model Specificity
Some public reporting has pointed to TP-Link devices and CVE-2023-50224. The most careful way to say that is this: the activity has been associated with some legacy TP-Link models affected by CVE-2023-50224, and TP-Link's own update emphasizes that the impacted models are legacy end-of-service or end-of-life devices and that current public lists may not be exhaustive. That is an important distinction, because the broader lesson is not about one brand alone. It is about outdated SOHO routers that have fallen outside normal support and patching cycles.
A Note for Our Managed Clients
If Vector Choice manages your business firewall, router, or edge security environment, our team is actively monitoring for relevant activity and reviewing devices under our management. If you have questions about your business network, remote access setup, or exposure created by home networks used for work, reach out to our team directly.
For Everyone Else
If you are not currently a managed client, this is a good time for a router audit or edge-device review. That can include checking support status, validating DNS and remote management settings, identifying end-of-life hardware, and making sure home-office and small-office devices are not being overlooked simply because they are outside the main office. The quieter a problem can be, the more disciplined the review process needs to be.
Final Takeaway
A trusted network starts at the edge, not after it.
If your home router is used for work, do not treat it like background equipment. Reboot it, review it, confirm that it is still supported, and make sure it is securely configured. For businesses with remote workers or hybrid teams, router security should be part of the conversation now, because SOHO router exposure can become business exposure very quickly.
Citations:
National Security Agency. (2026, April 7). NSA supports FBI in highlighting Russian GRU threats against routers. https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/4453919/nsa-supports-fbi-in-highlighting-russian-gru-threats-against-routers/
Federal Bureau of Investigation, National Security Agency, & partner agencies. (2026, April 7). Russian GRU exploiting vulnerable routers to steal sensitive information (Alert No. I-260407-PSA) [Public service announcement]. https://media.defense.gov/2026/Apr/07/2003907743/-1/-1/0/I-260407-PSA.PDF
U.S. Department of Justice, Office of Public Affairs. (2026, April 7). Justice Department conducts court-authorized disruption of DNS hijacking network controlled by a Russian military intelligence unit. https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-dns-hijacking-network-controlled