TP-Link Router Hack Alert: Is Fancy Bear Targeting Your Home Network?
A sophisticated Russian state-sponsored hacking group known as Fancy Bear (APT28) is actively exploiting vulnerable consumer Wi-Fi routers. According to a rare joint emergency alert from Microsoft Threat Intelligence, the UK National Cyber Security Centre (NCSC), and Germany’s Federal Office for Information Security (BSI), at least 23 specific TP-Link models are in their crosshairs. If you own an older or "end-of-life" TP-Link router, your home network, personal data, banking credentials, and even two-factor authentication codes could be stolen in real time.
This in-depth guide—referencing original reporting by PCMag senior reporter Michael Kan—goes far beyond the headlines. You will learn exactly which devices are targeted, the step-by-step mechanics of the attack, how to check for compromise, and a detailed, actionable plan to secure your network immediately.
Why This Is Not a Drill: A Coordinated Government Warning
On April 7, 2026, Microsoft revealed that its Threat Intelligence teams have identified over 200 organizations and 5,000 consumer devices actively compromised since at least August 2025. The attackers are affiliated with Russian military intelligence (GRU), a group known in the cybersecurity world as Fancy Bear, APT28, or Sofacy. This is the same group behind the 2016 Democratic National Committee email breach and countless global cyber-espionage campaigns.
What makes this warning different from routine security advisories is its source: a synchronized announcement from the UK's NCSC, the US Department of Justice, the FBI’s Cyber Division, and Germany’s BSI. Assistant Director Brett Leatherman of the FBI’s Cyber Division stated unequivocally: “We urge all router owners to take the remediation steps outlined today, because defending our networks requires all of us.”
The US Justice Department has already executed court orders to neutralize compromised routers inside America by sending remote commands to boot the Russian hackers out. However, that intervention is temporary. A simple factory reset by the user—or a power cycle—can undo the government’s fix, leaving the router vulnerable again. Permanent protection requires you to act.
Exactly Which TP-Link Routers Are Being Targeted
The NCSC published a specific list of affected TP-Link products. Critically, more than half of them have reached "end-of-life" (EOL) status. An EOL router is no longer sold by TP-Link and, more importantly, receives no new software updates or security patches. Once a vulnerability is discovered in an EOL device, it remains unpatched forever.
The most notorious model on the list is the TP-Link TL-WR841N. This router was first released nearly two decades ago. While version v14 is still sold in some markets, versions v1 through v13 are end-of-life. The original PCMag report notes that this specific model is affected by CVE-2023-50224, a vulnerability disclosed two years ago. It is catalogued as an authentication bypass in the router's httpd service (the web management interface): a remote attacker who can reach that interface can read the stored administrator credentials without logging in, which is all that is needed to take the device over.
Other confirmed targeted models include the TL-WR940N, TL-WR941ND, Archer C5, Archer C7 (older hardware revisions), TL-WR740N, TL-WR741ND, TL-WR1043ND, TL-WR2543ND, TL-MR3420, and TL-MR3220. This is not an exhaustive list; the NCSC advisory contains 23 total models, and Microsoft warns that other legacy devices with similar firmware may also be vulnerable.
If your router is more than five to seven years old, even if it is not explicitly named, assume it is at risk. The hackers are scanning for any device that responds to known exploits, not just those on a published list.
The Technical Mechanics of a Fancy Bear Router Hijack
Understanding how the attack works is essential to recognizing and preventing it. This is not a simple malware infection on your computer. Instead, the router itself becomes a weapon against you.
Stage One: Exploitation of Known Vulnerabilities
Fancy Bear primarily leverages CVE-2023-50224, an authentication bypass in the web-based management interface (the httpd service) of certain TP-Link routers. An attacker who can reach that interface sends a crafted request and receives the stored administrator credentials without authenticating; with those, they log in as administrator and can change any setting, including DNS. In plain English: the router hands its own password to anyone who asks in the right way. The one precondition is reachability. A router whose management interface is exposed to the internet (remote management switched on) can be hit from anywhere; otherwise the attacker needs a foothold on the local network first.
Two other identifiers, CVE-2019-7406 and CVE-2021-27239, are sometimes cited alongside this campaign, but they belong to other products and should not be confused with the TP-Link router flaw: CVE-2019-7406 is a command-injection bug in TP-Link range extenders (the RE365 and related models) triggered through the HTTP User-Agent header, and CVE-2021-27239 is a stack-based buffer overflow in the UPnP service of several Netgear routers. The general point stands regardless of the exact bug list: because end-of-life routers never receive patches, whatever holes they have stay open indefinitely. The attackers do not need to "break in"; they simply walk through an unlocked door.
Stage Two: DNS Hijacking for Credential Theft
Once inside, the hackers overwrite your router’s Domain Name System (DNS) settings. DNS is the internet’s phonebook: it translates human-readable domain names like yourbank.com into machine-readable IP addresses. When an attacker controls your DNS, they control where your internet traffic goes.
Instead of using your Internet Service Provider’s legitimate DNS servers, your router is reconfigured to use hacker-controlled DNS servers. When you type mail.google.com or yourcompanyvpn.com, those malicious DNS servers can return the IP address of a fake website that looks identical to the real one.
Because DNS was tampered with rather than the URL, the address bar shows the genuine hostname. One thing works in your favour: the attacker cannot obtain a valid certificate for a name like mail.google.com, so when a properly configured HTTPS site (valid certificate, HSTS in force) resolves to the attacker's server, the browser shows a certificate error instead of the page. The attack therefore relies on plain-HTTP pages, on services that do not enforce HTTPS, on users who click through the warning, or on bouncing the victim to a look-alike domain the attacker does control. Where it succeeds, the fake page takes your username, password and the six-digit two-factor code from your phone, relays them to the real site in real time, and then lets you through so that you log in successfully and never notice that your credentials were just stolen.
As the UK NCSC explains in their advisory: “Lookups for domain names containing key terms associated with particular services, often email applications or login pages, would then be resolved by the malicious DNS servers to further actor-owned IP addresses.”
Stage Three: Intelligence Profiling
Unlike indiscriminate ransomware attacks, Fancy Bear is selective. They are not after your Netflix password. According to German intelligence officials cited by PCMag, the group profiles victims for intelligence value. This means they are particularly interested in:
Employees of government contractors or defense firms who work from home
Journalists covering Russian affairs
Political activists and think tank members
Energy sector professionals
Logistics and supply chain managers for Ukraine-related aid
If you fall into any of these categories, your compromised router is not just a nuisance—it is a national security risk.
Five Signs That Your Router May Already Be Hacked
Because DNS hijacking is invisible to most users, you need to perform specific checks. Do not rely on "everything seems fine" as a measure of safety.
1. Unfamiliar DNS Server Addresses in Your Router Settings
Log into your router's administration panel. For most TP-Link routers, this means typing 192.168.0.1, 192.168.1.1 or http://tplinkwifi.net into a web browser. Enter your admin username and password (if you have never changed it, it is likely admin with a password of admin or blank, which is a critical weakness on its own).
Navigate to the Network or Internet (WAN) settings section. Look for fields labeled DNS Server, Primary DNS, or Secondary DNS. If these are set to specific numerical addresses that you do not recognize (and are not your ISP's automatic DNS or a known service such as Google's 8.8.8.8 and 8.8.4.4, Cloudflare's 1.1.1.1, or Quad9's 9.9.9.9), your router has likely been hijacked. Check the DHCP server settings as well: TP-Link firmware lets the router hand a separate Primary DNS and Secondary DNS to every client it leases an address to, and an attacker who sets those makes your devices talk to the malicious resolver directly, bypassing the router's own forwarder. Finally, look at what your laptop or phone actually received: on Windows, ipconfig /all lists the DNS servers; on macOS, scutil --dns; on Linux systems using systemd-resolved, resolvectl status.
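The selective hijack described under Stage Two and the manual DNS-settings check above can both be turned into a direct test. The script below is an added example written for this page, not code from the advisory, PCMag or TP-Link. It speaks raw DNS over UDP using only the Python standard library so that it can ask specific servers: the router's own resolver (assumed here to be at 192.168.0.1 and to answer on port 53, as most home routers do for LAN clients) and two public resolvers. It then flags any name for which the router's answer shares no address with the reference resolver. The hostnames in WATCH_NAMES are placeholders; replace them with your webmail, VPN and bank hostnames, and run it from a device connected to the router.

```python
"""Compare A-record answers from the router's resolver with independent public
resolvers to spot selective DNS hijacking. Added example; stdlib only."""
import random
import socket
import struct
from typing import Dict, List, Set, Tuple

PUBLIC_RESOLVERS = ["1.1.1.1", "9.9.9.9"]        # Cloudflare, Quad9
# Placeholder names of the kind the advisory says are targeted (mail, login, VPN).
WATCH_NAMES = ["mail.example.com", "login.example.com", "vpn.example.com"]


def build_query(name: str, qid: int) -> bytes:
    """Minimal DNS A/IN query with the Recursion Desired bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels: List[str] = []
    end, hops = -1, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end < 0:
                end = offset + 2
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        if length == 0:
            return ".".join(labels), (end if end >= 0 else offset + 1)
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_a_records(msg: bytes, expected_id: int) -> List[str]:
    """Return IPv4 answers from a DNS reply; reject stray/spoofed or error replies."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("transaction ID mismatch (stray or spoofed reply)")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    offset = 12
    for _ in range(qdcount):                           # skip the question section
        _, offset = _read_name(msg, offset)
        offset += 4                                    # QTYPE + QCLASS
    addrs: List[str] = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:    # A record, class IN
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def resolve(name: str, server: str, timeout: float = 2.0) -> List[str]:
    """Ask one specific DNS server (UDP/53) for the A records of name."""
    qid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, qid)


def find_disagreements(answers: Dict[str, Dict[str, List[str]]],
                       reference: str) -> Dict[str, Dict[str, Set[str]]]:
    """answers[server][name] -> IPs. Flag names where a server's answer set shares
    no address with the reference resolver's. CDNs legitimately vary answers per
    resolver, so an empty overlap is a lead to check, not proof of compromise."""
    flagged: Dict[str, Dict[str, Set[str]]] = {}
    for server, table in answers.items():
        if server == reference:
            continue
        for name, ips in table.items():
            ref, got = set(answers[reference].get(name, [])), set(ips)
            if ref and got and not (ref & got):
                flagged.setdefault(server, {})[name] = got
    return flagged


def audit(router_ip: str, names=WATCH_NAMES, public=PUBLIC_RESOLVERS):
    """Query the router and the public resolvers directly; report disagreements."""
    servers = [router_ip] + list(public)
    answers = {s: {n: resolve(n, s) for n in names} for s in servers}
    return find_disagreements(answers, reference=public[0])


if __name__ == "__main__":
    import sys
    router = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.1"   # assumed LAN address
    for server, names in audit(router).items():
        for name, ips in names.items():
            print(f"{server}: {name} -> {sorted(ips)} (no overlap with {PUBLIC_RESOLVERS[0]})")
```

Run it as `python3 dnscheck.py 192.168.0.1` from a machine on the Wi-Fi. Two caveats: content delivery networks hand different addresses to different resolvers, so a flagged name is something to verify (connect to the flagged address over HTTPS and look at the certificate, or repeat the query from a cellular connection), not proof; and a clean result is not proof of safety, because the hijack is selective and an attacker can pass every lookup they are not interested in straight through.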
2. Repeated or Unexpected Login Prompts for Email and Banking
Have you been asked to log into your email account on a device that has always stayed logged in? Are you seeing two-factor authentication requests for services you did not actively try to access? These are classic signs that a fake login page is being interposed between you and the real service.
3. Your Router’s Admin Password No Longer Works
If you set a custom admin password for your router but suddenly cannot log into the admin panel, an attacker may have changed it to lock you out. This is a severe indicator of compromise.
4. Unfamiliar Devices in Your Network Client List
Within the router’s admin panel, look for a section called DHCP Client List, Attached Devices, or Wireless Statistics. If you see MAC addresses or device names you do not recognize—especially devices that are active when everyone in your home is asleep—an attacker may have established persistence.
5. Slow or Unstable Internet Performance
Only DNS lookups, and the traffic to the handful of names the attackers choose to redirect, pass through their infrastructure, so the effect on speed is usually subtle: slightly slower first connections to sites, occasional failed lookups, or connections that hang when the malicious resolver is unreachable. Slow internet has many causes, and this is the weakest of the five signs on its own; in combination with any of the above, it strengthens the case for compromise.
Immediate Mitigation: A Step-by-Step Action Plan
The FBI, UK NCSC, and Germany’s BSI all agree on the following actions. Do not skip steps. Do not delay.
Step 1: Identify Your Exact Router Model and Hardware Version
Flip your router over and look for a sticker. You will see a model number (e.g., TL-WR841N) and often a hardware version (e.g., Ver: 1.0, Ver: 14). Write these down. If the sticker is unreadable, log into the admin panel; the model and firmware version are usually displayed on the status page.
Step 2: Check End-of-Life Status
Go to the official TP-Link support website. Search for your model. If the latest firmware update was released more than two years ago, or if the product page contains language like "End of Life" or "Discontinued," your router is EOL.
If your router is end-of-life, replace it immediately. Do not attempt to "clean" it. Do not perform a factory reset and continue using it. A factory reset removes the hacker’s current DNS changes, but it does not patch the underlying vulnerability. The router can be re-hacked within hours. According to the US Department of Justice, even their court-ordered cleanup can be reversed by a simple factory reset performed by the user. Only a new, supported router provides lasting security.
Recommended replacement models (actively supported with regular security patches):
TP-Link Archer AX21 (Wi-Fi 6, budget-friendly, receives automatic updates)
Asus RT-AX58U (excellent security track record and long-term firmware support)
Netgear Nighthawk AX3000 (frequent security updates)
Step 3: If Your Router Is Still Supported, Manually Update the Firmware
TP-Link offers automatic firmware updates only on newer Archer models. For all other routers—including many that are still technically supported—you must update manually.
Go to the TP-Link Support & Downloads page.
Enter your exact model number and hardware version.
Download the latest firmware file (look for a release date within the last 12 months).
Log into your router admin panel, navigate to System Tools → Firmware Upgrade, upload the file, and wait for the router to reboot. Do not interrupt the process.
Step 4: Change Your Router Admin Password to a Strong, Unique Credential
If you have never changed your admin password, assume it is known. Length matters more than symbol juggling: use a passphrase of at least four random words, or a random string of 16 or more characters, generated and stored by a password manager such as Bitwarden or 1Password. Do not reuse a password from any other website or service, and change the default admin username as well if the firmware allows it.
Step 5: Disable Remote Management Immediately
Remote management (sometimes called "WAN-side access" or "Access from WAN") allows you to log into your router from anywhere on the internet. This feature is convenient for advanced users but is a direct invitation to attackers. In your router’s admin panel, find Remote Management, WAN Access, or Access Control and disable it completely. After disabling, verify that you cannot access the login page from your smartphone’s cellular connection (not connected to your Wi-Fi).
Step 6: Reset DNS to Automatic or a Trusted Secure Provider
In your router’s Internet or WAN settings, change the DNS setting to Obtain DNS Server Address Automatically (this uses your ISP’s DNS). For enhanced security and privacy, you may instead manually enter:
Cloudflare DNS: 1.1.1.1 and 1.0.0.1
Quad9 DNS: 9.9.9.9 and 149.112.112.112 (blocks known malicious domains)
After saving the DNS change, power-cycle your router (unplug for 30 seconds, then plug back in) and reboot every connected device (computers, phones, smart TVs).
Step 7: Perform a Factory Reset as a Cleanup Measure (Then Update Again)
If you suspect active compromise, perform a factory reset by pressing and holding the small reset button on the back of the router for about 10 seconds. This clears the configuration, including any malicious DNS entries and an attacker-set admin password. It does not change the firmware: the router keeps whatever version is flashed, so an out-of-date router stays out of date after the reset. It also puts back the factory defaults, which means the default admin credentials and the default remote-management state. Immediately after the reset, repeat Step 3 (firmware update), Step 4 (new admin password) and Step 5 (remote management off) before reconnecting any sensitive devices.
What About MikroTik Routers and Other Brands?
While this campaign focuses on TP-Link, the UK NCSC also detected Russian hackers targeting "a small number of MikroTik routers, often located in Ukraine, that were likely of intelligence value to the actor." If you use a MikroTik router, update its RouterOS firmware to the latest version and follow the same DNS security steps outlined above.
For users of Asus, Netgear, or Linksys routers: you are not the primary target of this specific campaign, but the underlying principle applies. Any router that no longer receives security updates is a ticking time bomb. Check your manufacturer’s support page for your model. If the last firmware update was more than two years ago, replace the router.
The Geopolitical Context: Why This Is Happening Now
This disclosure comes at a sensitive moment. The US Federal Communications Commission (FCC) recently enacted a controversial ban on new foreign-made router models, citing the threat of supply chain vulnerabilities. While the ban affects all consumer router manufacturers—most of which manufacture in Asia—the timing of the Fancy Bear disclosure has intensified scrutiny on TP-Link, a Chinese company that dominates the consumer router market.
PCMag notes that TP-Link did not immediately respond to a request for comment. This silence is notable given the severity of the warnings from three governments and Microsoft.
The Russian government, for its part, has not acknowledged the Fancy Bear campaign. However, the GRU’s long-standing interest in network infrastructure as a persistence mechanism is well documented by cybersecurity researchers.
Long-Term Router Security Best Practices
Beyond this specific threat, adopting a security-first mindset for your home network will protect you from future attacks.
Automate Firmware Updates Where Possible
When purchasing a new router, prioritize models that offer automatic security updates without requiring manual intervention. The TP-Link Archer AX series and Google Nest WiFi are examples of products that handle updates seamlessly.
Change Default Admin Credentials on Day One
An unchanged default such as admin / admin is one of the most common ways routers are compromised. As soon as you set up a new router, change the admin username (if allowed) and always change the password.
Disable Universal Plug and Play (UPnP)
UPnP is designed to make it easy for devices to open ports on your router automatically. It is also a major security risk because malware can use UPnP to create its own holes in your firewall. In your router’s advanced settings, find UPnP and disable it unless you have a specific, ongoing need (such as certain gaming consoles). Even then, enable it only temporarily.
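To confirm that UPnP is actually off after the change, rather than trusting the checkbox, you can do what a UPnP client does: send an SSDP discovery for Internet Gateway Devices on the LAN and see what answers. The script below is an added example written for this page, not TP-Link's code. It assumes you run it from a device on the router's LAN and that the router, if UPnP is enabled, advertises the standard InternetGatewayDevice service over SSDP, which is the service that port-mapping requests are addressed to.

```python
"""SSDP probe: does anything on this LAN still advertise a UPnP Internet Gateway
Device? Added example; stdlib only. Run from a device on the router's LAN."""
import socket
import time
from typing import Dict, List, Optional

SSDP_GROUP = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"


def build_msearch(search_target: str = IGD_ST, mx: int = 2) -> bytes:
    """Standard SSDP M-SEARCH request as defined by the UPnP Device Architecture."""
    request = (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {search_target}\r\n"
        "\r\n"
    )
    return request.encode("ascii")


def parse_ssdp_response(raw: bytes) -> Optional[Dict[str, str]]:
    """Parse a unicast SSDP reply into a lower-cased header map. Returns None for
    anything that is not an 'HTTP/1.1 200 OK' search response (NOTIFY
    announcements and unrelated datagrams are ignored)."""
    text = raw.decode("utf-8", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().lower()] = value.strip()
    return headers


def is_gateway_reply(headers: Dict[str, str]) -> bool:
    """True when the responder advertises the IGD device type (where port mapping lives)."""
    return ("InternetGatewayDevice" in headers.get("st", "")
            or "InternetGatewayDevice" in headers.get("usn", ""))


def discover_gateways(listen_for: float = 3.0) -> List[Dict[str, str]]:
    """Multicast one M-SEARCH and collect every IGD that answers within listen_for seconds."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(0.5)
    try:
        sock.sendto(build_msearch(), SSDP_GROUP)
        found: List[Dict[str, str]] = []
        deadline = time.monotonic() + listen_for
        while time.monotonic() < deadline:
            try:
                data, (sender, _port) = sock.recvfrom(65535)
            except socket.timeout:
                continue
            headers = parse_ssdp_response(data)
            if headers and is_gateway_reply(headers):
                headers["responder"] = sender          # IP that answered us
                found.append(headers)
        return found
    finally:
        sock.close()


if __name__ == "__main__":
    gateways = discover_gateways()
    if not gateways:
        print("No Internet Gateway Device advertised itself on this LAN.")
    for gw in gateways:
        print(f"{gw['responder']}: ST={gw.get('st')} LOCATION={gw.get('location')} "
              f"SERVER={gw.get('server')}")
```

A reply naming InternetGatewayDevice with a LOCATION on the router's address means the IGD control service is still being advertised, so either the setting did not take or another device on the LAN (a mesh node, a second router) is offering it. No reply means nothing advertised an IGD during the window; repeat the probe once or twice, since SSDP runs over UDP and a single datagram can be lost.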
Regularly Audit Connected Devices
Once a month, log into your router and review the list of connected devices. Remove any you do not recognize. This habit alone can catch a compromise early.
Use a Reputable DNS Filtering Service
Even if your router is secure, a filtering resolver such as Quad9 (9.9.9.9) or Cloudflare's 1.1.1.2 (the malware-blocking variant of 1.1.1.1) adds a layer of protection: these services maintain blocklists of known malicious domains and refuse to resolve phishing sites and command-and-control servers. The filter is only as good as the path to it, though. If the router is hijacked, plain DNS on port 53 goes wherever the router says. Configuring encrypted DNS (DNS over HTTPS or DNS over TLS) directly on your laptops and phones, pointing at the filtering provider, takes the router out of the resolution path, because the device authenticates the resolver it talks to. Use the strict or maximum-protection mode where the client offers one: opportunistic modes fall back to plain DNS when the encrypted resolver cannot be reached, which is exactly the situation an attacker on the router can engineer.
Frequently Asked Questions
Q: I own a TP-Link router that is not on the NCSC list. Am I completely safe?
A: Not necessarily. The NCSC list represents confirmed, actively exploited models. Other models with similar firmware may also be vulnerable. The safest approach is to check the release date of your router's latest firmware on the TP-Link support page. If the latest release is more than two years old, treat the router as unsupported and replace it.
Q: Can TP-Link issue a patch for end-of-life routers?
A: Almost certainly not. By definition, end-of-life products receive no further development from the manufacturer. TP-Link has not announced any exception for this campaign. Your only option is replacement.
Q: Will a VPN protect me from this attack?
A: A VPN encrypts traffic between your device and the VPN server, and a well-built VPN client authenticates that server with a certificate or public key, so a hijacked DNS answer that points the client at an impostor results in a failed connection rather than a silent compromise. Two gaps remain. First, until the tunnel is up, every DNS lookup the device makes goes to the router's resolver, and many clients leak lookups around the tunnel unless configured to force all DNS through it. Second, the VPN does nothing for the other devices in the house, or for the router itself, which the attacker still controls. Treat a VPN as a mitigation for your own traffic, not as a substitute for securing the router.
Q: How do I know if my passwords were already stolen?
A: Use a breach notification service like Have I Been Pwned (free, operated by security researcher Troy Hunt). Also check your email account’s recent login activity and your bank account for unauthorized transactions. If you have any suspicion, change your critical passwords immediately—starting with your email account (because password resets for other services are sent there).
Q: What about the court order the US Justice Department executed? Did that fix my router?
A: The US Department of Justice sent commands to neutralize known compromised routers. However, that fix is not permanent. If you or anyone else performs a factory reset on the router, the fix is erased. Additionally, the DOJ’s action only covered routers they could identify as actively compromised. New compromises continue to occur. You must take the steps outlined in this guide yourself.
Final Verdict: Act Today, Not Tomorrow
The Fancy Bear campaign is ongoing. The hackers are not taking a break. They are scanning the internet for vulnerable TP-Link routers at this very moment. If you own an end-of-life model listed in the NCSC advisory, your network is an open door. Not a cracked door—an open one.
The combined weight of Microsoft Threat Intelligence, the FBI, the UK NCSC, and Germany’s BSI should leave no room for complacency. This is not a theoretical vulnerability or an overhyped media story. It is an active, intelligence-driven cyber-espionage campaign using your own router to spy on you.
Your checklist for today:
Identify your router model and hardware version
Check against the NCSC’s end-of-life list via PCMag
If end-of-life: purchase a new, supported router
If supported: manually update firmware
Change admin password to strong, unique credential
Disable remote management
Reset DNS to automatic or a secure provider (Cloudflare 1.1.1.1 or Quad9 9.9.9.9)
Reboot router and all connected devices
Change critical passwords (email, banking, work accounts) if any signs of compromise
Share this guide with everyone who uses your home network, especially remote workers who connect to corporate systems. A single compromised router can expose an entire family’s digital life—and in some cases, national security interests.
For ongoing updates on this story and other cybersecurity threats, bookmark this page or follow the original reporting at PCMag. Your security is ultimately your responsibility. Do not wait.
Sources cited in this article:
PCMag original report by Michael Kan
UK National Cyber Security Centre (NCSC) advisory (April 2026)
US Department of Justice press release
Germany’s Federal Office for Information Security (BSI)
CVE-2023-50224 vulnerability disclosure
This article was last updated on April 8, 2026, to reflect the latest guidance from the FBI and UK NCSC.