FORT MEADE, Md. (April 7, 2026) - The National Security Agency (NSA) and other agencies today co-sealed a Federal Bureau of Investigation (FBI) public service announcement, "Russian GRU Exploiting Vulnerable Routers to Steal Sensitive Information," to encourage further defensive actions.
The U.S. Department of Justice, FBI, and international law enforcement partners recently disrupted a GRU network of compromised small-office home-office (SOHO) routers used as part of malicious hijacking operations. All device owners and network defenders are encouraged to take action to remediate and reduce the attack surface of similar edge devices.
Russian GRU 85th Main Special Service Center (85th GTsSS) cyber actors - also known as APT28, Fancy Bear, and Forest Blizzard - have collected credentials and exploited vulnerable routers worldwide, including compromising TP-Link routers using CVE-2023-50224. The GRU has indiscriminately compromised a wide pool of US and global victims, especially targeting information related to military, government, and critical infrastructure.
The FBI, NSA, and co-sealing agencies encourage SOHO router users to change default usernames and passwords, disable remote management interfaces from the Internet, update to the latest firmware versions, and upgrade end-of-support devices. Users should also carefully consider certificate warnings in web browsers and email clients.
Organizations that allow telework should review relevant policies regarding how employees access sensitive data - including the use of virtual private networks (VPNs) or hardened application configurations.
To learn about best practices for securing your home network, please read the published guidance below.
• "APT28 Exploit Routers to Enable DNS Hijacking Operations"
• "Best Practices for Securing Your Home Network"
• Edge Device Security
• "Reducing the Attack Surface for End-Of-Support Edge Devices"
If you, or someone you know, suspects that you have been targeted or compromised by a Russian GRU cyber intrusion, NSA recommends reporting the activity to your local FBI field office, filing a complaint with the Internet Crime Complaint Center (IC3), or otherwise following your organization's incident reporting requirements.
Read the full report here.
Visit our full library for more cybersecurity information and technical guidance.
About National Security Agency
Founded in 1952, NSA is a U.S. Department of War combat support agency and element of the U.S. Intelligence Community. The Agency's mission is to provide foreign signals intelligence to policy makers and our military, and to prevent and eradicate cybersecurity threats to U.S. national security systems, with a focus on the Defense Industrial Base and the improvement of U.S. weapons' security. From protecting U.S. warfighters around the world to enabling and supporting operations on land, in the air, at sea, in space, and in the cyber domain, NSA is committed to building public trust through transparency and protecting civil liberties and privacy consistent with our nation's values.