Russian Hackers Are Targeting Home Routers to Steal Passwords — Is Yours at Risk?

The UK's National Cyber Security Centre (NCSC) has just issued a warning that should concern every small business owner in the country: a Russian state-backed hacking group known as APT28 — also called Fancy Bear — is actively compromising home and small office routers to steal passwords and sensitive data. Microsoft estimates over 200 organisations and 5,000 devices have already been affected.

This isn't some theoretical future threat. It's happening right now, it's been going on since 2024, and the routers being targeted are the same consumer-grade devices sitting in offices and home offices across Britain.

What's Actually Happening?

Here's the attack in plain English. Your router is the device that connects your office (or home) to the internet. It has a setting that controls how your devices find websites — this is called DNS, and it works like a phone book for the internet. When you type "outlook.com" into your browser, DNS tells your device where to find it.

The attackers are breaking into routers — particularly TP-Link models, though Cisco and MikroTik devices have also been targeted — and secretly changing these DNS settings. Instead of pointing to the real phone book, your router now points to a fake one controlled by Russian intelligence.

When you or your staff then visit a commonly used service like Microsoft Outlook, you're silently redirected to a perfect copy of the login page. You enter your email and password thinking everything is normal. The attackers capture those credentials, then forward you to the real site so you never realise anything happened.

The truly insidious part: because the change happens at the router level, every device connected to it — laptops, phones, tablets — inherits the poisoned DNS settings. One compromised router can expose your entire office.

Why Small Businesses Should Care

You might think Russian intelligence isn't interested in a small business in Birmingham or Bristol. And you'd be partly right — the NCSC says these attacks are opportunistic, casting a wide net and then filtering for targets of intelligence value. But that doesn't mean your business escapes harm.

Even if the attackers decide your email isn't worth reading, they've still captured your passwords. Those credentials can be reused, sold on criminal marketplaces, or used to access other accounts where you've used the same password. Your Microsoft 365 account, your cloud storage, your accounting software — all potentially compromised from a single router hack.

And here's the business risk that matters most: if an attacker can read your email, they can intercept invoices, redirect payments, impersonate you to clients, and access confidential business information. Invoice fraud alone costs UK businesses hundreds of millions of pounds each year.

Is Your Router Affected?

The NCSC specifically named TP-Link routers as a primary target, with over 20 models listed in their advisory. Some of the most commonly used models in UK small offices are on that list, including the popular WR841N, Archer C5, Archer C7, and MR6400 (a 4G router widely used in areas with poor broadband).

The vulnerability used to break into these routers — CVE-2023-50224 — allows an attacker to extract the router's admin password remotely without any authentication. Once they have the password, they change the DNS settings with a single request. It's fast, silent, and leaves no obvious trace.

If your router's management interface is accessible from the internet (which many are by default), and it's running outdated firmware, you could be vulnerable right now.

How to Check if You've Been Compromised

The good news is that checking is straightforward:

  1. Log into your router's admin panel — typically by typing 192.168.0.1 or 192.168.1.1 into your browser (check the sticker on your router for the exact address and default password)
  2. Find the DNS settings — usually under DHCP settings, WAN settings, or Network settings
  3. Check what DNS servers are configured — if you haven't changed them, they should either be blank, set to your ISP's addresses, or set to well-known services like Google (8.8.8.8) or Cloudflare (1.1.1.1)
  4. Look for anything unfamiliar — if you see IP addresses you don't recognise, particularly if the primary and secondary DNS servers are different and one looks unusual, investigate immediately

The NCSC advisory includes a list of known malicious IP addresses used by the attackers. If your DNS settings point to any IP address you don't recognise, reset your router to factory defaults, update its firmware, and change the admin password before reconfiguring it.
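To make steps 3 and 4 repeatable across several offices or home workers, here is a small Python script (added here as an example, not from the NCSC advisory) that applies the same checks to the primary and secondary DNS entries copied from a router's admin page. The public resolvers are the ones named above; the ISP range and the sample addresses are constructed placeholders (TEST-NET ranges) that you replace with your own provider's published resolvers.

```python
import ipaddress

# Resolvers a small-office router would normally point at. The public ones are
# those named in the article; the ISP range is a constructed placeholder
# (TEST-NET-3) that you replace with your own provider's published resolvers.
KNOWN_PUBLIC = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}
ISP_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # constructed stand-in
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def classify_resolver(addr):
    """Label one configured DNS entry: 'blank', 'ok', 'private' or 'unknown'."""
    addr = (addr or "").strip()
    if addr in ("", "0.0.0.0"):
        return "blank"  # router falls back to the resolvers the ISP hands out
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"  # a malformed value is itself worth a look
    if str(ip) in KNOWN_PUBLIC or any(ip in net for net in ISP_RANGES):
        return "ok"
    if any(ip in net for net in LAN_RANGES):
        return "private"  # e.g. the router itself (192.168.0.1) forwarding upstream
    return "unknown"


def audit_dns(primary, secondary):
    """Return a list of findings for a router's primary/secondary DNS pair.

    Implements the article's two checks: any address you do not recognise, and
    a primary/secondary pair that differ where only one looks normal.
    An empty list means nothing looked unusual.
    """
    verdicts = {"primary": classify_resolver(primary),
                "secondary": classify_resolver(secondary)}
    findings = [f"{role} DNS server is not a recognised resolver: investigate"
                for role, verdict in verdicts.items() if verdict == "unknown"]
    labels = set(verdicts.values())
    if "unknown" in labels and len(labels) > 1:
        findings.append("primary and secondary differ and only one looks normal: "
                        "typical of a hijack that keeps a working fallback")
    return findings


if __name__ == "__main__":
    # Constructed sample values as they might appear on a router's DHCP page.
    print(audit_dns("8.8.8.8", "8.8.4.4"))        # []
    print(audit_dns("198.51.100.7", "8.8.8.8"))   # two findings
```

Run it against the values from each router you manage; any non-empty result is your cue to follow the reset, update and change-password steps above.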

How to Protect Your Business

Whether or not you've been targeted, these steps will significantly reduce your risk:

What About Working From Home?

This attack is particularly relevant for businesses with staff working from home. Those employees are connecting to your business systems — email, file shares, cloud apps — through their home routers. If their home router is compromised, their work credentials are at risk too.

Consider providing staff with guidance on updating their home routers, or better yet, provide a company VPN that encrypts traffic regardless of the router's DNS settings. A correctly configured VPN bypasses the poisoned DNS entirely because it resolves names through its own DNS servers inside the encrypted tunnel rather than through the router.

The Bigger Picture

This campaign is a stark reminder that cyber threats don't just target big corporations and government departments. State-backed hackers are exploiting the cheapest, most ubiquitous networking equipment on the market because it gives them access to thousands of potential targets at once. Your £30 router from the high street is a gateway to your entire digital business.

The NCSC exists to help protect UK businesses of all sizes. Their guidance on this specific threat, along with broader small business security advice, is freely available at ncsc.gov.uk.

Your router is the front door to your business network. If you wouldn't leave your office door unlocked overnight, don't leave your router unpatched and using default passwords.

Need Help Securing Your Network?

Our network security assessment checks your router, firewall, and DNS configuration for vulnerabilities. Don't wait for the attackers to find them first.
