This piece walks through a recent campaign that hijacked small office and home office routers by changing DNS settings, explains why older routers are risky, and lists practical steps you can take right now to reduce exposure — from firmware updates and stronger admin passwords to disabling remote access and considering VPNs and antivirus tools.
Your router is the quiet gatekeeper for everything on your network, and most people only notice it when the Wi-Fi dies. It sits plugged in, blinking, and usually gets zero maintenance until something breaks. That low attention makes routers a tempting target for attackers who want a stealthy foothold.
The Justice Department warned the campaign targeted SOHO routers, the kind used in homes and small businesses. Investigators say hackers abused weaknesses in older devices to change DNS settings, and the FBI specifically referred to the TP-Link WR841N. The UK National Cyber Security Centre also flagged other TP-Link models tied to APT28 activity, and the agency cautioned its list might be incomplete.
DNS is the internet address book that turns friendly names into numeric addresses. If attackers control that lookup, they can route traffic through servers they control and quietly harvest passwords, authentication tokens, emails or browsing data. That makes DNS manipulation especially dangerous because it can expose high-value accounts without obvious signs on the surface.
This kind of compromise often flies under the radar. Your laptop will still connect, videos will still stream, and your router’s lights will keep blinking as if nothing is wrong. Meanwhile, sensitive sessions can be redirected through malicious infrastructure and monitored or altered without your knowledge.
Part of the problem is device age and neglect. Many routers stay in service long after manufacturers stop releasing security patches, so known vulnerabilities sit unpatched. Equally risky is leaving the router’s admin username and password at their defaults, which hands attackers a straight line into device settings and DNS controls.
Manufacturers sometimes provide fixes for older gear, but those updates are not guaranteed forever. “While these products are outside our standard maintenance lifecycle, TP-Link has developed security updates for select legacy models where technically feasible,” the company said. “As immediate precautions, users should update to the latest available firmware, disable remote management, and restrict device access to trusted internal networks only.”
If you want to lower your risk, start by checking the model printed on the label of your router and confirm whether it still receives firmware updates. If updates are available, apply them or enable automatic updates; if the router is end of life, replace it. A working but unsupported router still provides Wi-Fi while leaving your network exposed, so replacing it can be the least painful path forward.
Take these practical configuration steps: change the router’s admin username and set a long, unique password you don’t reuse anywhere else, and refresh your Wi-Fi password if it has been widely shared. Turn off remote management unless you absolutely need it, because remote access is a common way attackers get inside. Rebooting the router occasionally can help clear transient problems, though it does not replace updates or stronger credentials.
For work-at-home setups, use a company-approved VPN when accessing sensitive systems to add another layer of encryption and isolation, and keep strong antivirus on your devices to block malware and phishing attempts. Consider identity monitoring or data removal services if you’re worried about stolen credentials leading to broader fraud. Finally, ask yourself whether you know how old your router is or when you last updated its firmware; if you can’t answer, it’s time to check.
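A hijacked router shows up on the clients behind it as unexpected DNS servers in the DHCP lease and as answers that disagree with an independent resolver. As an added example (not code from the article or from TP-Link), the Python below implements both checks; the allowlist, the LAN range and the sample resolver answers are constructed assumptions, and the resolver lookups are injected so it runs offline.

```python
"""DNS-hijack audit helpers (added example; not code from the article or TP-Link).
Check 1: were the DHCP-provided DNS servers the router itself or an allowlisted resolver?
Check 2: does the configured resolver agree with an independent trusted one on known names?"""
import ipaddress
from typing import Callable, Dict, Iterable, List, Set

# Assumed allowlist of resolvers the operator has explicitly approved.
TRUSTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

def audit_resolvers(resolvers: Iterable[str], lan: str = "192.168.0.0/16",
                    trusted: Set[str] = TRUSTED_RESOLVERS) -> List[str]:
    """Return resolver entries that are neither on the LAN nor on the allowlist."""
    net = ipaddress.ip_network(lan)
    suspicious = []
    for entry in resolvers:
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            suspicious.append(entry)  # an unparsable entry is itself a finding
            continue
        if addr not in net and str(addr) not in trusted:
            suspicious.append(entry)
    return suspicious

def compare_answers(names: Iterable[str], system: Callable[[str], Set[str]],
                    trusted: Callable[[str], Set[str]]) -> Dict[str, str]:
    """Flag names whose system-resolver answer shares no address with the trusted one.
    CDN-fronted names legitimately vary by vantage point, so only a full mismatch is reported."""
    findings: Dict[str, str] = {}
    for name in names:
        sys_ans, trust_ans = system(name), trusted(name)
        if not sys_ans:
            findings[name] = "no answer from system resolver"
        elif sys_ans.isdisjoint(trust_ans):
            findings[name] = f"{sorted(sys_ans)} disagrees with trusted {sorted(trust_ans)}"
    return findings

# Constructed sample (documentation address ranges only): DHCP handed the client its
# router plus an unknown resolver, and that resolver rewrites the answer for one name.
SAMPLE_RESOLVERS = ["192.168.1.1", "203.0.113.53"]
_ROGUE = {"example.com": {"203.0.113.10"}, "example.net": {"198.51.100.7"}}
_GOOD = {"example.com": {"192.0.2.10"}, "example.net": {"198.51.100.7", "198.51.100.8"}}

def sample_system(name: str) -> Set[str]:
    return _ROGUE.get(name, set())

def sample_trusted(name: str) -> Set[str]:
    return _GOOD.get(name, set())
```

On a real client, feed `audit_resolvers` the DNS servers listed in `resolv.conf` or `ipconfig /all`, and wrap a `socket.gethostbyname_ex` lookup and a DNS-over-HTTPS query to a trusted provider as the two resolver callables for `compare_answers`.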
