Router security: why Russian state hackers are targeting home networks

Most people think of their home router as a background appliance, something plugged in once and forgotten. US officials are warning that this indifference is precisely what makes routers an increasingly attractive target for state-linked hackers, with new guidance describing an active campaign by Russia-linked actors to quietly hijack ordinary home and small-business routers around the world.
The goal, according to the warning, is not primarily to spy on the router's owner directly, but to turn compromised devices into what security researchers call a "residential proxy" network. By routing malicious traffic through thousands of ordinary home internet connections rather than dedicated attacker infrastructure, hackers can make their activity look like normal consumer web traffic, sidestepping detection systems that flag suspicious activity originating from known data-centre IP addresses.
Residential proxy networks have legitimate commercial uses too, including some advertising and market-research services that pay consumers for access to their internet connection, which has helped normalise a market for this kind of traffic routing and made malicious versions harder to distinguish from legitimate ones at a glance. State-linked hackers exploiting compromised routers for the same purpose get the added benefit of not needing the device owner's consent or knowledge at all.
The technique offers a particular advantage for espionage and disruptive operations: traffic that appears to originate from an ordinary residential address in a Western country is far less likely to trigger the kind of automated blocking that traffic from known hostile server ranges would face. That makes hijacked home routers a useful staging ground for reaching sensitive targets, including government networks and critical infrastructure systems, without immediately revealing the true origin of an intrusion attempt.
Officials say the routers being targeted are frequently older models that have stopped receiving security updates from their manufacturers, along with devices still running factory-default administrator passwords that were never changed after setup. Both conditions are widespread among home users, who typically interact with a router only when the internet stops working, rather than treating it as a piece of infrastructure requiring the same security maintenance as a computer or phone.
Small businesses face similar exposure, often relying on consumer-grade routers rather than enterprise networking equipment, without dedicated IT staff monitoring for firmware updates or unusual configuration changes. That combination of valuable network access and minimal oversight makes small-business routers an appealing middle ground for attackers between hard-to-reach corporate networks and less useful individual home connections.
The recommended defences, according to the guidance, are neither exotic nor expensive. Changing the router's default administrator password to a unique, strong credential closes one of the most commonly exploited entry points immediately. Keeping firmware updated, either through automatic updates where the router supports them or periodic manual checks, closes known vulnerabilities that attackers actively scan for across the internet. Disabling remote administration access, a feature many routers ship with enabled by default, removes a direct pathway for attackers to reach the device's control panel from outside the home network entirely.
Security researchers note that router compromises of this kind can be difficult for an average user to detect, since a hijacked device generally continues to provide normal internet service to its owner while quietly routing additional malicious traffic in the background. That invisibility is part of what makes the technique effective for attackers and part of why officials are pushing public awareness rather than relying solely on users noticing something wrong.
Internet service providers have a role to play as well, according to security experts, since many continue to issue routers to customers without enforcing password changes at setup or providing clear prompts for firmware updates over a device's operational life. Some providers have begun pushing mandatory update policies and default-password resets, though adoption remains inconsistent across the industry.
For most home users, officials say the underlying message is straightforward even if it runs against long-standing habits: a router deserves the same basic security attention as any other internet-connected device, not the "set it and forget it" treatment it typically receives, especially as state-linked hacking campaigns increasingly rely on exactly that kind of neglect to operate undetected.
Read next

Memory chip shortage: why it's pushing smartphone shipments to record lows
A global shortage of memory chips is squeezing smartphone production, pushing overall shipments to historic lows even as Apple and Samsung, with the scale to secure supply, gain relative market share. Analysts say the crunch reflects surging demand for the same memory chips from AI data centres.

General Fusion goes public: what its Nasdaq debut means for fusion power
General Fusion became the first publicly traded fusion power company after its shares soared on their Nasdaq debut, following a reverse merger that saw high redemptions. The listing gives investors a rare direct way to bet on the fusion industry's progress toward commercial electricity.

What is the new 'super alloy' that could transform how metals are made
Researchers say they have created a world-first alloy that combines properties long thought incompatible, using a manufacturing approach that could change how engineers design materials for extreme conditions. The breakthrough could ripple across aerospace, energy and heavy industry.

Lithium recycling: how Japan recovers 90% of it from used EV batteries
Japanese researchers have developed a method to recover up to 90% of the lithium locked inside used electric-vehicle batteries, addressing a looming supply bottleneck as EV adoption accelerates worldwide. The process could reduce reliance on newly mined lithium and cut the environmental cost of battery production.

How Apple's failed self-driving car project built its most powerful AI chips
Apple's self-driving car program never made it to the road, but the technology developed along the way quietly became the foundation of the company's on-device AI power today. Here's how a cancelled project ended up shaping the chips at the heart of the iPhone.