Tech

Router security: why Russian state hackers are targeting home networks

Ars Technica2 h ago
A wireless router with blinking lights connected to network cables
A wireless router with blinking lights connected to network cablesPhoto: Brett Sayles / Pexels

Most people think of their home router as a background appliance, something plugged in once and forgotten. US officials are warning that this indifference is precisely what makes routers an increasingly attractive target for state-linked hackers, with new guidance describing an active campaign by Russia-linked actors to quietly hijack ordinary home and small-business routers around the world.

The goal, according to the warning, is not primarily to spy on the router's owner directly, but to turn compromised devices into what security researchers call a "residential proxy" network. By routing malicious traffic through thousands of ordinary home internet connections rather than dedicated attacker infrastructure, hackers can make their activity look like normal consumer web traffic, sidestepping detection systems that flag suspicious activity originating from known data-centre IP addresses.

Residential proxy networks have legitimate commercial uses too, including some advertising and market-research services that pay consumers for access to their internet connection, which has helped normalise a market for this kind of traffic routing and made malicious versions harder to distinguish from legitimate ones at a glance. State-linked hackers exploiting compromised routers for the same purpose get the added benefit of not needing the device owner's consent or knowledge at all.

The technique offers a particular advantage for espionage and disruptive operations: traffic that appears to originate from an ordinary residential address in a Western country is far less likely to trigger the kind of automated blocking that traffic from known hostile server ranges would face. That makes hijacked home routers a useful staging ground for reaching sensitive targets, including government networks and critical infrastructure systems, without immediately revealing the true origin of an intrusion attempt.

Officials say the routers being targeted are frequently older models that have stopped receiving security updates from their manufacturers, along with devices still running factory-default administrator passwords that were never changed after setup. Both conditions are widespread among home users, who typically interact with a router only when the internet stops working, rather than treating it as a piece of infrastructure requiring the same security maintenance as a computer or phone.

Small businesses face similar exposure, often relying on consumer-grade routers rather than enterprise networking equipment, without dedicated IT staff monitoring for firmware updates or unusual configuration changes. That combination of valuable network access and minimal oversight makes small-business routers an appealing middle ground for attackers between hard-to-reach corporate networks and less useful individual home connections.

The recommended defences, according to the guidance, are neither exotic nor expensive. Changing the router's default administrator password to a unique, strong credential closes one of the most commonly exploited entry points immediately. Keeping firmware updated, either through automatic updates where the router supports them or periodic manual checks, closes known vulnerabilities that attackers actively scan for across the internet. Disabling remote administration access, a feature many routers ship with enabled by default, removes a direct pathway for attackers to reach the device's control panel from outside the home network entirely.

Security researchers note that router compromises of this kind can be difficult for an average user to detect, since a hijacked device generally continues to provide normal internet service to its owner while quietly routing additional malicious traffic in the background. That invisibility is part of what makes the technique effective for attackers and part of why officials are pushing public awareness rather than relying solely on users noticing something wrong.

Internet service providers have a role to play as well, according to security experts, since many continue to issue routers to customers without enforcing password changes at setup or providing clear prompts for firmware updates over a device's operational life. Some providers have begun pushing mandatory update policies and default-password resets, though adoption remains inconsistent across the industry.

For most home users, officials say the underlying message is straightforward even if it runs against long-standing habits: a router deserves the same basic security attention as any other internet-connected device, not the "set it and forget it" treatment it typically receives, especially as state-linked hacking campaigns increasingly rely on exactly that kind of neglect to operate undetected.

This article is an AI-curated summary based on Ars Technica. The illustration is a stock photo by Brett Sayles from Pexels.

Read next