You now have five important reasons to start a router security conversation with your small business clients this week, especially those with work-from-home staff members. One of them has Russian military intelligence in the headline. This is your overview, talking points, and action plan.
Why router security is front and center right now
The FBI did not publish a warning and move on. They ran a court-authorized operation to take down a network of hijacked routers that Russia’s GRU Military Unit 26165, known as APT28 or Fancy Bear, was using for attacks. Routers in at least 23 U.S. states were compromised and used to conduct DNS hijacking operations against military, government, and critical infrastructure targets. The DOJ confirmed the scope.
Russia is not the only concern. China’s Volt Typhoon has been routing its traffic through compromised small office/home office (SOHO) devices from manufacturers including ASUS, Cisco, D-Link, NETGEAR, and Zyxel to stay hidden inside U.S. electric, oil, and gas company networks. The goal is long-term persistence, not immediate disruption.
The FBI, NSA, and cybersecurity agencies from 15 allied nations have jointly released formal guidance on this threat. This is a coordinated global alert, and your clients’ routers are part of the conversation.

Five Reasons this Topic Will Not Wait
1. The FBI Neutralized a Russian Military Router Botnet in April 2026
The DOJ confirmed a court-authorized cleanup of a network of hijacked SOHO routers operated by Russia’s GRU. The routers were used for DNS hijacking: the attacker changes the answers the router’s resolver gives, so a request for a legitimate hostname is silently routed to a server the attacker controls. Your client’s employees then type their credentials into a login page that sits at the right hostname and looks completely real. Their password manager is none the wiser, because it matches saved credentials to hostnames, and the hostname has not changed; only where it resolves has. The one signal left is the browser itself. Because the hijack is local to the router and public certificate authorities resolve the real name, the attacker cannot obtain a valid certificate for that hostname, so the employee sees either a certificate warning or a plain-HTTP “Not secure” indicator, and the attack succeeds the moment they click through. Passkeys close the credential-capture path. Unlike passwords, a passkey signs a one-time challenge from the relying party together with the origin the browser actually loaded, so there is no reusable secret to type into the wrong page, a captured sign-in cannot be replayed, and browsers only offer passkey sign-in to pages served over HTTPS in the first place. Where passkeys are not yet supported, train employees to stop and report any unexpected certificate warning on a login page immediately. We cover both in the recommendations below.
2. China’s Volt Typhoon Has Been Inside U.S. Infrastructure Since at Least 2021
Volt Typhoon has achieved long-term access inside control systems at U.S. utilities, according to Dragos and Microsoft; Microsoft’s 2023 report, which first named the group publicly, traced its activity back to mid-2021. The technique is consistent: route through a compromised SOHO router, blend into normal traffic, and wait. Your client’s unpatched router is exactly the kind of device this group looks for.
3. The FCC Banned Foreign-Made Routers in March 2026 and Your Clients Likely Own One or More
TP-Link grew from roughly 20% of the U.S. router market in 2019 to as high as 65% by 2025, and many ISPs issue TP-Link hardware directly to subscribers. In March 2026, the FCC moved from concern to formal action, adding all consumer-grade routers produced in foreign countries to its Covered List and citing “unacceptable risks to national security.” New foreign-made models are now prohibited from FCC authorization, meaning they cannot legally be imported or sold in the United States going forward. Netgear and Eero have received conditional approvals to continue importing new models through October 2027. TP-Link is actively seeking similar approval.
The FCC has since extended the firmware update window for existing devices through January 2029, so routers already on store shelves will continue receiving security patches for now. The core ban on new foreign-made models remains in place. MSPs who have already inventoried this hardware are positioned to respond before replacement supply tightens.
Editor’s Note: Darknet Diaries Episode 174, “Pacific Rim,” released May 2026, tells the story of a Chinese state-backed hacking group that spent six years targeting Sophos firewalls using zero-day exploits never seen before in the wild. Sophos fought back aggressively, and an entire product line was eventually retired. If a security vendor’s own firewall product was compromised at that level, foreign-made routers sitting unmanaged in your clients’ offices deserve the same serious attention.
4. End-of-Life Routers Keep Showing Up in Nation-State Attacks
The KV Botnet used by Volt Typhoon was built almost entirely from end-of-life Cisco and Netgear routers that no longer receive security updates. CISA’s advisory AA26-113A details how China-nexus actors build covert networks from compromised devices exactly like your clients’ EOL routers. This gives you a clear, billable opening with every client: ask them when they last reviewed the hardware handling all of their internet traffic. Most will not have an answer. The risk does not stop at the office door either. Every remote employee is running a router at home that your team did not select, did not configure, and does not manage, and that device handles every byte of work traffic they send and receive. A four-year-old ISP-issued gateway running unpatched firmware in a remote employee’s home is just as exposed as anything in the office network closet, and far less likely to be on anyone’s radar. A remote workforce inventory is every bit as important as an office hardware audit.
5. Fifteen Governments Wrote Your Next Client Presentation For You
The joint PSA released by the FBI, NSA, and partners from 15 allied nations is more than a headline. It is a client-ready document. Print the one-page summary, walk your client through it at your next quarterly business review, and let the weight of 15 governments speaking in unison do the convincing for you. The guidance is technical, actionable, and free.
Why this matters for MSPs beyond the headlines
Router compromise connects directly to the threats your clients already worry about.
When a router gets hijacked and DNS gets redirected, phishing pages become nearly impossible to spot, because the address bar shows the real hostname. Credential theft follows, and because the tampering happens in the router rather than on the endpoint, endpoint security tools that trust whatever resolver the network hands them never see it; only an endpoint that pins its own encrypted or protective DNS service keeps a view. This gives you a natural way to connect infrastructure hygiene to phishing and credential risk in terms your clients already understand.
SOHO stands for Small Office/Home Office, and that label is not accidental. The routers nation-state actors target are the same hardware class whether they sit in a server closet or a spare bedroom. A compromised home router puts work credentials at risk even when your office network is locked down tight, and the attack happens upstream of every endpoint protection tool you have deployed. Password managers offer no protection here: they match credentials by hostname, and DNS hijacking leaves the hostname exactly as it was. Passkeys do protect against this attack, because each sign-in is bound to the origin the browser loaded and to a one-time server challenge, and the browser will not offer passkey sign-in to an impersonated page served over plain HTTP at all. Where passkeys are not yet supported, train employees to treat any unexpected browser certificate warning on a login page as a mandatory stop-and-report event.
You are not asking your clients to care about something abstract. You are showing them that aging, unmanaged hardware in their network closet, or at a remote worker’s home, is the one thing making every other security investment less effective.
What the FBI recommends right now, plus two more
CNET covered the FBI’s original guidance in full. Read the complete article. CyberHoot adds two more.
- Reboot the router: Rebooting clears malware that lives only in memory, which describes much of what is found on SOHO routers. It is not a permanent fix, because whatever let the attacker in is still there, but it gives you a clean starting point while you plan the next steps.
- Change default credentials: A large number of small business routers still run on factory usernames and passwords. Changing these takes five minutes and closes a door that should never have been left open.
- Update the firmware or replace the hardware: If a patch is available, apply it. If the device is past its support window and no patch exists, it needs to go. An unsupported router is not a security tool, it is a liability.
- Disable remote management: Unless remote access is actively needed and restricted to specific source IP addresses, turn it off. An admin interface reachable from the internet is what turns a default password or an unpatched bug into a remote takeover.
- CyberHoot Bonus Tip #1: Adopt passkeys, managed by a business password manager. Passkeys stop credential capture on a DNS-hijacked login page because each sign-in signs a one-time challenge bound to the origin the browser actually loaded; there is no password to type into the wrong page. A business password manager is the right tool to store and synchronize passkeys across every device your employees use at home and in the office. Start with the password manager, then migrate to passkeys on every application that supports them.
- CyberHoot Bonus Tip #2: Train employees to stop and report certificate warnings. Where passkeys are not yet supported, an unexpected certificate warning on a login page is a mandatory stop-and-report event, not a click-through. This costs nothing to train and catches the one visible symptom of an attack that bypasses every other tool on this list.
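To make the difference behind the two bonus tips concrete, here is an added example, not CyberHoot’s code, that models a password manager’s hostname match next to the checks a browser and a relying party perform on a passkey sign-in. The vault, authenticator and relying party are toy models with example hostnames; HMAC over a per-credential secret stands in for the ECDSA signature a real authenticator produces, because the point shown is what gets signed (the origin the browser loaded plus a one-time challenge), not the signature algorithm. The model deliberately does not cover an employee clicking through a certificate warning on the hijacked hostname, which is exactly why Bonus Tip #2 still matters.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample vault. Password managers key saved logins by hostname only, so a
# DNS hijack (same hostname, attacker's server) still gets the real password autofilled.
PASSWORD_VAULT = {"login.example.com": ("alice", "correct-horse-battery")}

def password_manager_autofill(hostname):
    return PASSWORD_VAULT.get(hostname)

def _h(data):
    return hashlib.sha256(data).digest()

class Authenticator:
    """Toy passkey holder, one key per relying-party ID. HMAC over a per-credential secret
    stands in for ECDSA; the signed data (rpIdHash + hash of clientDataJSON) follows WebAuthn."""
    def __init__(self):
        self.creds = {}  # credential_id -> (rp_id, key)

    def create(self, rp_id):
        cred_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.creds[cred_id] = (rp_id, key)
        return cred_id, key

    def sign(self, cred_id, rp_id, client_data):
        stored_rp, key = self.creds[cred_id]
        if stored_rp != rp_id:
            raise LookupError("no credential for this relying party")
        return hmac.new(key, _h(rp_id.encode()) + _h(client_data), hashlib.sha256).digest()

def browser_get_assertion(auth, cred_id, rp_id, page_origin, challenge):
    """Browser-enforced rules: WebAuthn exists only in a secure (https) context, the RP ID
    must be the page host or a registrable suffix of it, and the browser, not the page,
    writes the real origin into clientDataJSON."""
    scheme, _, host = page_origin.partition("://")
    if scheme != "https":
        raise PermissionError("WebAuthn unavailable on insecure context")
    if host != rp_id and not host.endswith("." + rp_id):
        raise PermissionError("RP ID is not a suffix of the page origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    return client_data, auth.sign(cred_id, rp_id, client_data)

class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.creds = {}       # credential_id -> (user, key)
        self.pending = set()  # challenges issued and not yet consumed

    def register(self, user, cred_id, key):
        self.creds[cred_id] = (user, key)

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def verify(self, cred_id, client_data, signature):
        """Returns (accepted, user or reason); each check defeats one attacker move."""
        user, key = self.creds.get(cred_id, (None, None))
        if key is None:
            return False, "unknown credential"
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("challenge") not in self.pending:
            return False, "challenge unknown or already used (replay)"
        if cd.get("origin") != self.origin:
            return False, "origin mismatch: " + str(cd.get("origin"))
        expected = hmac.new(key, _h(self.rp_id.encode()) + _h(client_data), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        self.pending.discard(cd["challenge"])  # single use
        return True, user

def demo():
    """Runs the scenarios from the text; returns each outcome keyed by scenario name."""
    rp_id, origin = "login.example.com", "https://login.example.com"
    rp, auth = RelyingParty(rp_id, origin), Authenticator()
    cred_id, key = auth.create(rp_id)
    rp.register("alice", cred_id, key)
    out = {}
    cd, sig = browser_get_assertion(auth, cred_id, rp_id, origin, rp.new_challenge())
    out["legit"] = rp.verify(cred_id, cd, sig)
    out["replay"] = rp.verify(cred_id, cd, sig)  # attacker resubmits a captured sign-in
    for name, page in (("lookalike", "https://login.example.com.evil.test"),
                       ("dns_hijack_http", "http://login.example.com")):
        try:
            browser_get_assertion(auth, cred_id, rp_id, page, rp.new_challenge())
            out[name] = (True, "browser allowed it")
        except PermissionError as err:
            out[name] = (False, str(err))
    # Even if the browser checks were bypassed, the RP verifies the origin independently.
    forged = json.dumps({"type": "webauthn.get", "challenge": rp.new_challenge(),
                         "origin": "https://login.example.com.evil.test"}).encode()
    out["forged_origin"] = rp.verify(cred_id, forged, auth.sign(cred_id, rp_id, forged))
    out["password_autofill"] = password_manager_autofill("login.example.com")
    return out
```

Running `demo()` shows the contrast in one place: the vault hands over the real password for the hijacked hostname, while the passkey flow is refused by the browser on the plain-HTTP page and on the look-alike domain, refused by the relying party when the origin or a reused challenge is wrong, and accepted only for the genuine origin with a fresh challenge.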
YOUR NEXT STEP
Start with two inventories, not one. The first covers your clients’ office networks: which devices are deployed at each site, what firmware version they are running, and which ones are past end-of-life. The second covers their remote workforce: every employee working from home is running a router your team did not select, did not configure, and does not manage. That device handles all of their work traffic. A four-year-old ISP-issued gateway running unpatched firmware in a spare bedroom deserves the same scrutiny as anything in an office network closet.
From there, a firmware audit and an EOL replacement plan across both environments gives you a structured, billable engagement tied directly to an active FBI advisory. That is a much easier client conversation than a generic security pitch.
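As an added illustration of the two inventories and the audit that follows (example code, not a CyberHoot tool), the script below reads a constructed office-plus-remote inventory and a constructed end-of-support table and turns them into an ordered action list: replace, update, disable remote management, change factory credentials, or confirm support status for models the reference does not know. The vendors, models, dates, firmware versions and employee names are made up, and AUDIT_DATE is a fixed sample date so the run is repeatable; a real engagement would load the table from each vendor’s published end-of-support list.

```python
import csv
import io
import re
from datetime import date

# Constructed end-of-support reference (vendor, model) -> support data. Made-up vendors,
# models, dates and versions; a real run would use the vendors' published EOL lists.
EOL_TABLE = {
    ("AcmeNet", "AR-1000"): {"end_of_support": date(2023, 6, 30), "min_firmware": "2.4.0"},
    ("AcmeNet", "AR-2000"): {"end_of_support": None, "min_firmware": "3.1.2"},
    ("Fictiv", "HomeGW-4"): {"end_of_support": date(2027, 1, 1), "min_firmware": "1.0.9"},
}

# Constructed inventory: two office sites plus two remote employees' home gateways.
INVENTORY_CSV = """\
site,location,vendor,model,firmware,remote_mgmt,default_creds
HQ,office,AcmeNet,AR-2000,3.1.2,no,no
HQ,office,AcmeNet,AR-1000,2.3.7,yes,no
Branch,office,AcmeNet,AR-2000,3.0.5,no,yes
alice-home,remote,Fictiv,HomeGW-4,V1.0.4_7,yes,yes
bob-home,remote,Fictiv,HomeGW-9,0.9.1,no,no
"""

AUDIT_DATE = date(2026, 6, 1)  # fixed sample date so the run is repeatable

def parse_version(text):
    """'3.1.2' -> (3, 1, 2); tolerates vendor suffixes such as 'V1.0.4_7' -> (1, 0, 4, 7)."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def audit(inventory_csv, eol_table, today):
    """Return (severity, where, device, action) findings, most urgent first.
    Severity 0 = act this week, 1 = schedule, 2 = verify."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        where = "%s (%s)" % (row["site"], row["location"])
        device = "%s %s" % (row["vendor"], row["model"])
        ref = eol_table.get((row["vendor"], row["model"]))
        if ref is None:
            findings.append((2, where, device, "model not in reference; confirm support status"))
        elif ref["end_of_support"] is not None and ref["end_of_support"] <= today:
            # No patch is coming for an EOL device, so replacement is the only firmware action.
            findings.append((0, where, device, "end of support %s: replace" % ref["end_of_support"]))
        elif parse_version(row["firmware"]) < parse_version(ref["min_firmware"]):
            findings.append((1, where, device, "firmware %s below %s: update"
                             % (row["firmware"], ref["min_firmware"])))
        if row["remote_mgmt"].strip().lower() == "yes":
            findings.append((1, where, device,
                             "remote management enabled: disable or restrict to known source IPs"))
        if row["default_creds"].strip().lower() == "yes":
            findings.append((0, where, device, "factory credentials in use: change now"))
    findings.sort(key=lambda f: f[0])  # stable sort keeps inventory order within a severity
    return findings

def summary(findings):
    """Counts per severity, for the first line of a client report."""
    counts = {0: 0, 1: 0, 2: 0}
    for finding in findings:
        counts[finding[0]] += 1
    return counts

if __name__ == "__main__":
    for severity, where, device, action in audit(INVENTORY_CSV, EOL_TABLE, AUDIT_DATE):
        print(severity, where, device, action)
```

On the sample inventory the run yields eight findings: three to act on this week (one end-of-life office router and two devices still on factory credentials, one of them in an employee’s home), four to schedule (two firmware updates and two exposed remote-management interfaces), and one unknown home gateway to verify against the vendor’s support list. Feeding it the real CSV from both inventories gives the client-facing list the engagement is built around.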
Your clients are not going to come to you asking about router firmware or passkey adoption. That is exactly why they need you. Start the conversation this week.
Sources:
- CNET – 5 Steps the FBI Wants You to Take to Secure Your Router Right Now
- Cyberscoop – Forest Blizzard (APT28) router espionage campaign, Operation Masquerade
- Darknet Diaries – Pacific Rim (Episode 174), on the Sophos firewall compromises
- Dragos – Littleton Electric Water case study (PDF)
- Microsoft – Volt Typhoon Targets US Critical Infrastructure with Living-off-the-Land Techniques
- FCC – Ruling placing all foreign-made routers on the Covered List
Secure your business with CyberHoot Today!
The post Why Your Clients’ Routers Are Now a National Security Conversation appeared first on CyberHoot.