Russian hackers exploited outdated TP-Link routers in a massive cyber espionage campaign

Outdated routers have become one of the most underestimated cybersecurity risks in homes and businesses. While users often focus on phishing emails, malware, and stolen passwords, security researchers are warning that unsupported networking hardware can quietly open the door to much larger attacks. That concern has intensified after British officials, Microsoft security experts, and private-sector researchers linked a major campaign to Russian hackers who allegedly compromised old TP-Link and MikroTik routers to intercept internet traffic and steal credentials.

The case is especially serious because it combines several dangerous trends at once: end-of-life router vulnerabilities, large-scale traffic redirection, credential theft, cloud account compromise, and suspected state-backed cyber espionage. It also shows why old TP-Link routers, unsupported firmware, and poorly maintained home or office networking devices remain attractive targets for advanced threat actors.

Why outdated TP-Link routers became a target

Routers are often ignored after installation. People set up Wi-Fi, connect their devices, and then rarely think about router security again. That creates a perfect opportunity for attackers. When a router reaches the end of its support lifecycle and no longer receives firmware updates or security patches, any known vulnerability can remain exposed indefinitely.

This is exactly why outdated TP-Link routers are so dangerous in 2026 and beyond. A device may still appear to work perfectly well, but from a cybersecurity perspective it may already be obsolete. If a router is still online, still using old firmware, and still exposed to known weaknesses, it can become an easy entry point for hackers.

In this reported campaign, the attackers are believed to have specifically targeted unsupported consumer and small-business routers, including TP-Link and MikroTik models, by exploiting previously disclosed vulnerabilities. Once the devices were compromised, they could be repurposed as silent interception points sitting between users and the wider internet.

Who is believed to be behind the attacks

Security investigators say there is a strong possibility that the campaign is linked to Fancy Bear, also known as APT28 or Forest Blizzard. This group is widely associated in the cybersecurity world with Russian state-backed operations and is often described as being connected to Russia’s military intelligence ecosystem.

Fancy Bear is not just another cybercrime gang looking for fast money. It has been repeatedly connected in public reporting to cyber espionage campaigns, geopolitical incidents, and attacks involving governments, political targets, and strategically important organizations. That background matters because it suggests the router compromises were not random experiments. They may have been part of a broader intelligence-driven effort to gain long-term access to accounts, communications, and institutional data.

How the router attack reportedly worked

According to the reported findings, the attackers did not simply infect computers in the traditional sense. Instead, they focused on the network layer by taking control of vulnerable routers. Once inside those devices, they allegedly modified settings so internet traffic from the victim could be redirected through infrastructure controlled by the attackers.

That kind of router hijacking is especially dangerous because it allows threat actors to manipulate how users reach websites and services. A compromised router can become a platform for DNS tampering, traffic interception, session theft, and phishing delivery. Instead of waiting for a user to click a suspicious email link, the attacker can influence the victim’s web traffic more directly.

Researchers say victims could then be pushed toward fake login pages or attacker-controlled traffic paths where usernames, passwords, and authentication tokens could be captured. In effect, the router becomes a covert surveillance tool.

Why Microsoft Office and cloud accounts were at risk

One of the most alarming parts of the case is the apparent focus on Microsoft Office users. In a modern business environment, access to Microsoft accounts can mean access to email, documents, meetings, shared storage, authentication systems, and internal communications. That makes Microsoft credentials extremely valuable for both cybercriminals and state-backed intelligence actors.

If attackers steal passwords and authentication tokens from Microsoft 365 or related services, they may be able to access cloud environments without triggering the defenses that would flag an unusual interactive login. Session tokens can be especially powerful because they sometimes allow account access without the victim having to actively log in again.

This turns a cheap, outdated router into a stepping stone toward corporate and institutional compromise. A neglected home office router, a forgotten branch-office gateway, or an old TP-Link device in a small business can become the first link in a much larger attack chain.

Why stolen tokens can be more dangerous than stolen passwords

Many users understand the danger of password theft, but authentication tokens can be even more valuable in some attacks. Tokens are often used to keep users signed in after authentication has already taken place. If attackers can capture valid session material, they may be able to bypass parts of the login process and maintain access without needing the victim’s password every time.

That is one reason why router-based traffic interception is so dangerous. It does not just threaten a single login. It can expose sessions, credentials, cookies, and authentication flows in ways that help attackers quietly maintain access. Even organizations using stronger login protections can face risk if adversaries steal valid session artifacts from traffic that has been redirected or manipulated.

The scale of the campaign raised major concerns

This was not described as a small or isolated incident. Investigators said the campaign affected thousands of devices and reached victims across roughly 120 countries. Black Lotus Labs reportedly found evidence pointing to at least 18,000 affected victims, while Microsoft researchers identified more than 200 organizations and around 5,000 consumer devices tied to the activity.

Among the affected environments were reportedly government entities, law enforcement organizations, and service providers in North Africa, Central America, Southeast Asia, and parts of Africa. Those details suggest a campaign with both global reach and strategic intent.

That scale is important because it shows how vulnerable routers can be exploited in bulk. An attacker does not need to break into every target manually. If unsupported TP-Link routers and other aging devices are already exposed to known vulnerabilities, automated scanning and exploitation can do much of the work.

Why old routers are such a long-term security problem

A hacked laptop often shows signs of compromise sooner or later. Performance may drop, malware may be detected, suspicious files may appear, or the user may notice something strange. A compromised router is different. It can continue operating quietly for months or even years while users remain completely unaware.

Most people never check router logs, inspect DNS settings, validate firmware integrity, or review network redirection behavior. That makes compromised routers ideal for stealthy persistence. They can quietly redirect traffic, support phishing operations, act as proxy nodes, or remain available for later use by the attacker.

This is why unsupported TP-Link routers and similar consumer networking devices are not just minor security concerns. They can become durable espionage tools.

Why home users should take router security seriously

Many people assume serious cyber espionage affects only governments, defense contractors, or multinational corporations. That is no longer a safe assumption. Home users, remote workers, freelancers, consultants, and small offices can all become indirect targets if their routers are weak enough to be exploited.

A home router may connect work laptops, business email accounts, banking sessions, personal cloud storage, and smart home devices all at once. If that router is outdated and unpatched, it is not merely a weak Wi-Fi box. It is the front door to an entire digital environment.

That makes router replacement far more important than most consumers realize. If a TP-Link router or any other model has stopped receiving security updates, continuing to use it may create a risk far greater than its purchase price suggests.

Why businesses are also exposed

Small and medium-sized businesses are especially vulnerable to this kind of threat. Large enterprises may have dedicated security teams, managed infrastructure, and regular asset lifecycle reviews. Smaller organizations often do not. They may keep older routers in service because the devices still seem functional, because replacement is inconvenient, or because networking hardware is not treated as a priority.

That is a dangerous mindset. An outdated office router can expose staff credentials, cloud accounts, internal services, and remote access workflows. In hybrid work environments, the problem becomes even broader, because employees may connect to sensitive systems through home routers that the company does not manage directly.

This creates a weak-link problem. An organization may invest in endpoint security and identity controls, but if the network edge remains poorly protected, attackers can still find a way in.

Router hijacking is bigger than one vendor

Although TP-Link routers have drawn attention in this case, the broader lesson is not limited to a single brand. The real issue is unsupported internet-facing hardware. Attackers routinely scan for vulnerable routers, VPN gateways, firewalls, and other edge devices because these systems sit at critical control points inside the network.

If such devices are outdated, unpatched, or misconfigured, they become highly attractive targets. A compromised router can be used for surveillance, credential theft, phishing redirection, anonymized traffic forwarding, or as part of a larger attack infrastructure.

In other words, the problem is not just “TP-Link router hacking.” The deeper issue is that millions of users still rely on old networking devices long after vendor support has ended.

How to protect against outdated router attacks

The most important step is to find out whether your router is still supported. Many users do not know their exact model number, firmware version, or support status. That information matters. If the vendor no longer provides security updates, replacing the device is usually the safest option.

Users and organizations should also make sure firmware is updated, remote administration is disabled unless absolutely necessary, default credentials are changed, DNS settings are reviewed, and router access is protected with strong authentication. Where possible, older hardware should be retired before it becomes a security liability.

For businesses, router security should be part of a formal asset management and patching process. For home users, the goal should be simpler but just as important: do not treat the router as a permanent appliance. Treat it like any other internet-connected computer.
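One concrete way to carry out the "review DNS settings" step above is to ask the router itself for the addresses of the sites you care about and compare them with what a resolver you trust returns. The following is an added example, not code from the article or from any vendor; the router address, trusted resolver and domain names are assumptions the caller supplies.

```python
import random
import socket
import struct
# Added example, not from the article: query one chosen DNS server so the router's
# answers can be compared with a trusted resolver's (server IPs and names are assumed).
def build_query(name, qid):  # RFC 1035 query: recursion desired, QTYPE A, QCLASS IN
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">HH", 1, 1)
def _skip_name(msg, off):  # offset just past a (possibly compressed) domain name
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer is two bytes and ends the name
            return off + 2
        off += 1 + length

def parse_a_records(msg, qid):  # IPv4 addresses found in the answer section
    rid, _flags, qdcount, ancount = struct.unpack(">HHHH", msg[:8])
    if rid != qid:
        raise ValueError("transaction id mismatch; discard the reply")
    off = 12  # fixed-size header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ips = set()
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips

def resolve_via(server, name, timeout=2.0):  # ask one specific server, e.g. the router's LAN IP
    qid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, qid)

def find_redirections(domains, lan_dns, trusted_dns, resolve=resolve_via):
    findings = {}  # domain -> LAN answers the trusted resolver did not return
    for domain in domains:
        unexpected = resolve(lan_dns, domain) - resolve(trusted_dns, domain)
        if unexpected:
            findings[domain] = unexpected
    return findings
```

Any domain listed in the result is being answered differently by the router than by the trusted resolver, which is exactly the symptom the traffic redirection described above produces; legitimate CDN rotation can also cause differences, so confirm by repeating the lookup and checking who owns the unexpected address.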

Why this story matters beyond the headline

The report about Russian hackers and outdated TP-Link routers is not just another cyber headline. It is a warning about how modern cyber espionage works in practice. Threat actors no longer need to rely solely on malware attachments or direct brute-force attacks. They can exploit forgotten infrastructure, manipulate traffic at the network layer, and harvest credentials from systems that users trust every day.

That is what makes unsupported routers so dangerous. They often sit below the level where ordinary people look for threats. Yet once compromised, they can help attackers observe, redirect, and exploit internet traffic at scale.

The bigger lesson is clear. Old routers are not harmless just because they still provide internet access. Unsupported networking hardware can become a powerful cyber espionage tool, especially when it sits between users and critical cloud services such as Microsoft 365. Whether the environment is a home office, a school, a small business, or a government-connected organization, router security is now a core part of digital defense.

In a world built on cloud accounts, remote work, and constant connectivity, an outdated TP-Link router is no longer just aging hardware. It can be the weakest link in the entire security chain.
