The US CISA warns an ongoing campaign exploits weak passwords, exposed interfaces, and outdated firmware across residential routers and edge devices
This month, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a new warning: Russian state-backed hackers are targeting routers and other network devices because those systems often sit at the edge of homes, small businesses, and critical organizations, making them useful footholds for spying, traffic redirection, and later attacks.
According to the advisory, this is not a one-off problem but an ongoing campaign that takes advantage of weak passwords, exposed management interfaces, and outdated firmware, which is exactly why routers deserve the same security attention as laptops and servers.
The warning describes Russian Federal Security Service cyber actors, specifically the FSB’s Center 16 unit, as continuing to exploit vulnerable or poorly configured networking gear across multiple sectors, including communications, energy, financial services, government facilities, healthcare, and the defense industrial base.
Security officials say the pattern is opportunistic: attackers cast a wide net, break into exposed devices, and then narrow their focus toward targets that may have intelligence value. Once inside, they can alter router settings so web traffic is quietly rerouted through infrastructure they control, which can enable credential theft and broader surveillance.
That tactic is especially dangerous because it can capture logins even when users think they are using normal, trusted websites. In the recent campaign documented by researchers and government agencies, compromised routers were used to manipulate DNS settings and send victims to spoofed destinations, creating an adversary-in-the-middle setup that could steal passwords and authentication tokens. Big tech corporations have also reported that thousands of consumer devices and more than 200 organizations had been affected, showing that the campaign reached far beyond traditional government targets.
The guidance is blunt about the defense: change default credentials, use strong unique passwords, restrict remote management, patch router firmware, and treat internet-facing network equipment as a priority attack surface. The US National Security Agency (NSA) and its partners say these basic measures, often called router hygiene, are the most practical way to reduce exposure to Russian state-sponsored targeting (with no mention of documented China-linked router exploits).
For organizations, that means monitoring routers like any other critical system rather than assuming the device is secure simply because it is small or rarely noticed.
The broader story is that routers have become a quiet but powerful battleground in state cyber operations. They are attractive because they are widely deployed, frequently under-maintained, and positioned to see a huge amount of traffic, which makes them valuable for both espionage and staging future activity. That is why the US warning matters: it is not only about one campaign, but about a persistent class of attacks that turn ordinary network gear into strategic intelligence tools.
