PCWorld reports that TP-Link routers are currently under attack from Russian state hackers. The hacking group, identified as Fancy Bear (also known as APT 28), is reportedly targeting TP-Link routers globally. These attacks exploit vulnerabilities within the router firmware to conduct sophisticated DNS hijacking. Through this method, attackers redirect users to fake websites, aiming to steal sensitive information such as passwords and banking details.
According to the reports, authorities including the German intelligence agency, the FBI, and the NSA are investigating these router infiltrations. The hack is believed to be aimed primarily at obtaining information that could benefit the Russian military intelligence service (GRU). The attackers are also thought to be infecting users with malware after they download files from the compromised systems.
German domestic intelligence reported that Fancy Bear has infiltrated vulnerable TP-Link internet routers worldwide. The stated objective of this infiltration is to obtain military information, government details, or data pertaining to critical infrastructure. Initial reports suggest that the attack has been ongoing, with first incidents dating back to at least 2024.
Authorities are warning users and certain companies about the threat, with information reportedly provided via letters detailing affected devices. The concerns center around TP-Link routers, though other manufacturers are also noted as potentially being affected.
Fancy Bear has a history of cyberattacks, having previously targeted companies supporting Ukraine in the war against Russia. Earlier attacks on German air traffic control and the German SPD party’s headquarters have also been attributed to the group.
International investigators have already managed to identify 30 specific devices in Germany that could potentially be abused for this type of attack. The warning from Germany’s domestic intelligence agency urges immediate action to mitigate the risk.
To protect against these ongoing threats, users are strongly advised to immediately update their router firmware. Users should also remain vigilant and watch for any suspicious redirects or unexpected security warnings, as these could indicate a hacking attempt.