The FBI and NSA have jointly disclosed that Russian state-linked actors have been systematically compromising home and small office wireless routers since at least 2024, prompting US authorities to obtain a court order allowing them to remotely reset thousands of affected devices across the country — a move officials say is only a temporary fix.
The FBI and National Security Agency issued a joint warning this week revealing that Russian-linked hackers have been conducting a sustained campaign to infiltrate home and small office (SOHO) routers in the United States, with intrusions dating back to at least 2024.
US authorities, acting under a court order, took the unusual step of remotely resetting thousands of compromised routers without direct action from their owners. The intervention was designed to disrupt the operation and remove malware that had been installed on affected devices. However, federal officials are emphasising that a factory reset does not permanently secure a vulnerable router — and are urging anyone whose device may have been affected to replace it entirely.
What Happened
According to the joint advisory, Russian operatives exploited security weaknesses in widely used router models to establish persistent footholds inside home and business networks. Once compromised, routers can be used to intercept traffic, conduct surveillance, launch further attacks, or serve as anonymising relay points that mask the origin of other malicious activity.
The FBI's remote reset operation — while legally sanctioned — represents a rare instance of US authorities directly accessing privately owned consumer hardware en masse. Officials secured a federal court order before proceeding, citing the scale and severity of the threat.
Why a Reset Isn't Enough
Security experts note that while a factory reset removes malware running on the device, it does not patch the underlying vulnerabilities that allowed the compromise in the first place, and it also restores the router's default configuration, including its default admin credentials and whatever remote-management settings shipped with it. If the same router is reconnected to the internet without a firmware update or replacement, it can be re-infected.
The FBI is advising affected users to:
- Replace their router with a newer, supported model
- Ensure their router's firmware is fully up to date
- Change default admin passwords immediately
- Disable remote management features unless strictly necessary
Who May Be Affected
The advisory did not specify which router brands or models were primarily targeted, nor did it provide a definitive list of affected IP addresses. Users who received notification from their internet service provider, or who noticed unusual behaviour on their network in recent months, are encouraged to treat their router as potentially compromised.
Small businesses and home offices — which often run older, unpatched networking equipment without dedicated IT support — are considered particularly vulnerable in campaigns of this nature.
Russian State Involvement
The FBI and NSA attributed the campaign to Russian state-linked actors, consistent with a broader pattern of Russian cyber operations targeting Western infrastructure. US officials did not specify which Russian intelligence service or hacking group was responsible in this instance, though similar router-targeting campaigns have previously been linked to groups associated with Russia's GRU military intelligence agency.
Russia has not publicly responded to the allegations.
Analysis
Why This Matters
- Direct consumer impact: Millions of Americans use SOHO routers that may remain vulnerable even after the FBI's remote reset — meaning ongoing risk to personal data, home networks, and connected devices if hardware is not replaced.
- Unprecedented government action: The FBI remotely accessing privately owned consumer hardware at scale — even with a court order — raises significant questions about legal precedent, privacy, and the boundaries of government cyber intervention.
- Escalating infrastructure targeting: This disclosure fits a broader pattern of Russian cyber operations targeting civilian infrastructure in Western countries, signalling that ordinary households are now part of the geopolitical threat landscape.
Background
Russian state-linked hacking groups have a well-documented history of targeting network infrastructure. In 2018, the FBI and UK authorities jointly warned about a massive Russian campaign — attributed to the Sandworm and Fancy Bear groups — that compromised over 500,000 routers in 54 countries using malware dubbed VPNFilter. That operation similarly required a coordinated takedown effort and public advisory.
SOHO routers have long been considered a weak point in cybersecurity. Unlike enterprise networking equipment, consumer routers are rarely updated, often run outdated firmware for years, and are sold with default credentials that many users never change. This makes them attractive targets for nation-state actors seeking persistent, low-visibility access to networks.
The current campaign, active since at least 2024, appears to follow a similar playbook — establishing quiet, long-term footholds rather than launching immediately destructive attacks. Such access can be used for espionage, traffic interception, or as a launchpad for larger operations.
Key Perspectives
US Federal Authorities (FBI/NSA): Presented the remote reset operation as a necessary and legally sanctioned emergency measure to protect American networks from an active foreign threat. Authorities are stressing urgency around device replacement, suggesting the vulnerability window remains open.
Privacy and Civil Liberties Advocates: While a court order was obtained, the remote access of privately owned consumer hardware without individual user consent sets a notable precedent. Critics may question whether adequate notice was given to affected device owners and what data, if any, was accessed during the reset process.
Cybersecurity Researchers: Generally supportive of the intervention but cautioning that resets without replacement are insufficient. Experts note that the broader issue — millions of unpatched, unsupported routers on American networks — cannot be solved by a single government operation and requires sustained consumer and industry action.
What to Watch
- Official advisories: Look for the FBI and NSA to release a more detailed technical advisory specifying affected router models, firmware versions, and indicators of compromise.
- ISP notifications: Internet service providers may begin contacting customers whose routers were remotely reset — watch for official communications from your ISP in the coming weeks.
- Legislative response: Congress may use this incident to revisit cybersecurity standards for consumer networking equipment, potentially accelerating rules requiring mandatory firmware update support windows for router manufacturers.