FTFuture Technology
SECURITY

Russia's State Hackers Are Targeting Your Router, US Government Warns

· 3 min read · By Nath Connell

Key takeaways

  • Russian GRU-linked actors are compromising consumer and small business routers to build proxy infrastructure for state-sponsored operations
  • Common attack vectors include unpatched firmware, default admin credentials, and exposed remote management interfaces
  • Routers over five years old with no manufacturer firmware updates should be replaced as they present persistent vulnerability

The US government has issued a fresh warning that Russian state-sponsored hackers are actively targeting home and small business routers. If that sounds like a headline from 2018, that's because it kind of is. But the fact that it keeps happening, and that it keeps working, is exactly the problem.

According to the advisory, which was flagged by Ars Technica this week, Russian intelligence-linked threat actors are compromising routers as part of broader campaigns to build out proxy infrastructure. The idea is straightforward: if you control a router sitting in someone's home in, say, Ohio or Manchester, you can route malicious traffic through it and make it look like it's coming from a legitimate residential connection. That makes detection and attribution significantly harder for defenders.

Who Is Actually Doing This

The advisory points to actors associated with Russian military intelligence, the GRU. Groups operating under names like Sandworm and APT28 have been linked to similar campaigns in previous years, and router exploitation has been a consistent part of their toolkit. These are not casual criminals looking for an easy payday. These are well-resourced, patient, state-sponsored teams whose goals include espionage, pre-positioning for future disruption, and undermining trust in critical infrastructure.

The targets are not exclusively government networks or military systems. The whole point of compromising consumer routers is that they are everywhere, relatively poorly secured, and rarely monitored. Most people have no idea what firmware version their router is running, let alone whether it has been patched against known vulnerabilities in the last six months.

What Makes Routers Such an Easy Target

Routers are genuinely hard to defend at scale. Many consumer devices run embedded Linux with firmware that manufacturers update infrequently, and users update almost never. Default admin credentials are still in widespread use. Remote management interfaces that should be disabled are often left open. And unlike a laptop or phone, your router doesn't give you a notification saying "hey, something weird is happening on your network."

Common vulnerabilities being exploited include unpatched firmware bugs, exposed web management panels, and weak or default passwords. Once an attacker has access to a router, they can redirect DNS queries, intercept traffic, install persistent backdoors, or simply use the device as a stepping stone into the broader network behind it.

The future, in 3 minutes a day. The biggest tech story explained every morning, free. Get the briefing →

Small and medium businesses are particularly exposed here. A company running ten or twenty people out of an office may be using a consumer-grade router that nobody has touched since it was set up three years ago. That is exactly the kind of device these campaigns are looking for.

What You Should Actually Do

The good news is that the mitigations here are not complicated. They are just boring, which is why most people skip them.

First, update your router firmware. Log in to your router's admin panel (usually at 192.168.1.1 or 192.168.0.1), find the firmware section, and check for updates. If your router is more than five years old and the manufacturer has stopped releasing patches, consider replacing it. Second, change the default admin username and password immediately if you haven't already. Third, disable remote management if you don't need it. Most home users have no reason for their router's admin interface to be accessible from the internet. Fourth, check whether UPnP (Universal Plug and Play) is enabled and disable it if so. It's a common attack surface that rarely needs to be on.

For businesses, the bar is higher. Network segmentation, regular firmware audits, and centralised monitoring are worth the investment. If you are running a flat network where every device can reach every other device, a compromised router is a very serious problem.

The uncomfortable truth is that this kind of infrastructure-level espionage is persistent and largely invisible. Russian state actors didn't start doing this last week and they won't stop next week. Building better habits around the devices that sit at the edge of your network is one of the few things individuals and small organisations can actually do about it.

Get the briefing, free

The biggest tech story, explained in 3 minutes every weekday. Choose your briefings →

Free. No spam. Unsubscribe in one click.