The FBI just remotely reset thousands of home and small office routers – and your TP-Link could be on the hitlist


  • The FBI has remotely reset thousands of routers
  • The Russian GRU had compromised end-of-life devices
  • Routers that have been reset should be replaced, and network settings checked

The FBI has remotely reset thousands of home and small office routers after issuing a joint press release detailing how Russia has been compromising devices.

Some brands of routers are known for lasting upwards of a decade, and while that's great for the consumer, the developers will often stop releasing the updates that keep the router secure.

This leaves them open to compromise by attackers, specifically Russia’s Main Directorate of the General Staff (GRU), tracked as APT28 or Fancy Bear, which has been snooping on unsecured routers since at least 2024, the FBI said.


Time to replace your router

If your device is included in the list of compromised devices (listed below), and you have found that it has been reset, the FBI and NSA recommend that you replace your router as soon as possible.

The GRU could be snooping on unsecured routers to intercept sensitive internet traffic, including credentials and authentication tokens that can be used to compromise personal and work accounts. In particular, GRU has been targeting routers belonging to workers in the military, government, and critical infrastructure industries.

“The FBI, NSA, and co-sealing agencies encourage SOHO router users to change default usernames and passwords, disable remote management interfaces from the Internet, update to latest firmware versions, and upgrade end-of-support devices. Users should also carefully consider certificate warnings in web browsers and email clients,” the NSA said.

Additionally, the FBI and NSA recommended that employees use a VPN when accessing sensitive information. Those that suspect they may have been compromised by the GRU should contact their local FBI field office and file a complaint with the Internet Crime Complaint Center (IC3).

A press release published by the US Justice Department detailed that the FBI had created a series of commands that, with court authorization, it could send to compromised routers.

The commands were “designed to collect evidence regarding the GRU actors’ activity, reset DNS settings (i.e., remove GRU DNS resolvers and force routers to obtain legitimate DNS resolvers from their Internet Service Providers (ISP)), and to otherwise prevent the GRU actors from exploiting the original means of unauthorized access.”

The Justice Department added that the operation did not interfere with the normal functions of the router, nor did it collect any legitimate user data.

The full list of targeted routers includes:

  • TP-Link TL-WR841N
  • TP-Link LTE Wireless N Router MR6400
  • TP-Link Wireless Dual Band Gigabit Router Archer C5
  • TP-Link Wireless Dual Band Gigabit Router Archer C7
  • TP-Link Wireless Dual Band Gigabit Router WDR3600
  • TP-Link Wireless Dual Band Gigabit Router WDR4300
  • TP-Link Wireless Dual Band Router WDR3500
  • TP-Link Wireless Lite N Router WR740N
  • TP-Link Wireless Lite N Router WR740N/WR741ND
  • TP-Link Wireless Lite N Router WR749N
  • TP-Link Wireless N 3G/4G Router MR3420
  • TP-Link Wireless N Access Point WA801ND
  • TP-Link Wireless N Access Point WA901ND
  • TP-Link Wireless N Gigabit Router WR1043ND
  • TP-Link Wireless N Gigabit Router WR1045ND
  • TP-Link Wireless N Router WR840N
  • TP-Link Wireless N Router WR841HP
  • TP-Link Wireless N Router WR841N
  • TP-Link Wireless N Router WR841N/WR841ND
  • TP-Link Wireless N Router WR842N
  • TP-Link Wireless N Router WR842ND
  • TP-Link Wireless N Router WR845N
  • TP-Link Wireless N Router WR941ND
  • TP-Link Wireless N Router WR945N

The Justice Department included a list of remediations for all routers:

  1. Replace End-of-Life and End-of-Support routers;
  2. Upgrade to the latest available firmware;
  3. Verify the authenticity of DNS resolvers listed in router settings; and
  4. Review and implement firewall rules to prevent the unwanted exposure of remote management services.
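
For step 3, one way to check resolver settings against what you expect, as an added example that is not from the Justice Department or the FBI. The `key=value` settings format, the field names and the allow-list are assumptions, and the addresses are constructed from documentation ranges rather than real indicators.

```python
import ipaddress

# RFC 1918, loopback and link-local ranges: a resolver here is a LAN
# forwarder, so its own upstream setting is what still needs checking.
# (ipaddress.is_private is avoided: it also matches documentation ranges.)
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample: DNS fields copied by hand from a router admin page.
SAMPLE_ROUTER_DNS = """\
wan_primary_dns=198.51.100.53
wan_secondary_dns=203.0.113.77
lan_dhcp_dns=192.168.0.1
wan_backup_dns=not-set
"""

# Assumption: ranges your ISP publishes for its resolvers, plus any
# resolver you configured deliberately.
EXPECTED_RESOLVERS = ["198.51.100.0/24"]


def audit_resolvers(settings_text, expected_cidrs):
    """Return (field, value, verdict) for every DNS field in the settings."""
    expected = [ipaddress.ip_network(c) for c in expected_cidrs]
    findings = []
    for line in settings_text.splitlines():
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            findings.append((key, value, "unparseable"))
            continue
        if any(addr in net for net in expected):
            verdict = "expected"
        elif any(addr in net for net in LOCAL_NETS):
            verdict = "local-forwarder"
        else:
            verdict = "unexpected"  # not ISP-assigned and not chosen by you
        findings.append((key, value, verdict))
    return findings


def needs_review(findings):
    """Fields to investigate before trusting the router's DNS settings."""
    return [f for f in findings if f[2] in ("unexpected", "unparseable")]
```
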

“Operation Masquerade – led by FBI Boston – is the latest example of how we’re defending our homeland from Russia’s GRU which weaponized routers owned by unsuspecting Americans in more than 23 states to steal sensitive government, military, and critical infrastructure information,” said Special Agent in Charge Ted E. Docks of the FBI’s Boston Field Office.

“The FBI utilized cutting edge technology and leveraged our private sector and international partners to unmask this malicious activity and remediate routers. Now we’re asking everyone who has a router to secure it, update its firmware, and replace it if needed. By working together, we can guard against nefarious nation state actors trying to compromise our national security.”




Benedict Collins
Senior Writer, Security

Benedict is a Senior Security Writer at TechRadar Pro, where he has specialized in covering the intersection of geopolitics, cyber-warfare, and business security.

Benedict provides detailed analysis on state-sponsored threat actors, APT groups, and the protection of critical national infrastructure, with his reporting bridging the gap between technical threat intelligence and B2B security strategy.

Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the University of Buckingham Centre for Security and Intelligence Studies (BUCSIS), with his specialization providing him with a robust academic framework for deconstructing complex international conflicts and intelligence operations, and the ability to translate intricate security data into actionable insights.
