
TP-Link routers become Russia’s latest cyber espionage pipeline

Source: tomshardware.com
Published: Apr 11, 2026 at 06:19 UTC

  • APT28 exploits unpatched TP-Link flaws since 2024
  • DNS hijacking steals Outlook credentials and sessions
  • Millions of home and small-business routers at risk

Britain’s National Cyber Security Centre confirmed that Russian state hackers APT28 have spent months quietly weaponizing vulnerabilities in TP-Link and MikroTik routers. The campaign, active since at least January 2024, isn’t about random breaches—it’s a systematic DNS hijack designed to siphon Outlook credentials, authentication tokens, and even active desktop sessions. For users, the attack is invisible: no crashes, no warnings, just stolen data flowing out through devices they trust.

The real target isn’t the routers themselves, but the traffic passing through them. By rerouting DNS requests, APT28 can intercept unencrypted Outlook communications, including those from desktop clients that users assume are secure. Most victims won’t discover the breach until their accounts are locked or their contacts receive phishing emails from their address. The NCSC’s advisory notes that the group has historically targeted governments and militaries, but this campaign casts a wider net—small businesses, remote workers, and even tech-savvy households are now in the crosshairs.
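A defender-side check for the DNS rerouting described above, as an added example that is not code from the article or the NCSC advisory: it flags resolvers a router hands out over DHCP that differ from the expected set, and Outlook hostnames whose answers land in private ranges or share nothing with an out-of-band reference resolver. The watched hostnames are illustrative, and the resolver list, addresses and answer sets are constructed sample data (documentation ranges stand in for real addresses).

```python
# Added example (not the article's or NCSC's code): spot router-level DNS
# tampering aimed at Outlook traffic by comparing local resolver behaviour
# against an out-of-band reference. All sample values are constructed.
from ipaddress import ip_address, ip_network

# Hostnames Outlook clients contact; tampering with their answers is how a
# rogue resolver interposes on mail traffic (illustrative, not exhaustive).
WATCHED_HOSTS = ("outlook.office365.com", "login.microsoftonline.com")

# Resolvers the operator expects the router to hand out via DHCP
# (constructed: the LAN gateway forwarder plus one public resolver).
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1"}

# A public Microsoft endpoint should never resolve into these ranges.
SUSPICIOUS_RANGES = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def check_resolvers(dhcp_resolvers):
    """Return resolver addresses the router pushed that are not expected."""
    return sorted(set(dhcp_resolvers) - EXPECTED_RESOLVERS)


def check_answers(local, reference):
    """Compare answer sets (hostname -> set of A records) from the
    router-provided resolver against an out-of-band reference resolver.
    Returns (host, reason) findings; an empty list means no divergence."""
    findings = []
    for host in WATCHED_HOSTS:
        loc, ref = local.get(host, set()), reference.get(host, set())
        if not loc:
            findings.append((host, "no answer from local resolver"))
            continue
        private = sorted(a for a in loc
                         if any(ip_address(a) in r for r in SUSPICIOUS_RANGES))
        if private:
            findings.append((host, f"answer in private/CGNAT range: {private}"))
        elif loc.isdisjoint(ref):
            # CDN/geo answers differ legitimately, so this is a lead to verify
            # (e.g. by checking the served TLS certificate), not proof.
            findings.append((host, f"no overlap with reference: {sorted(loc)}"))
    return findings


# Constructed sample: the router pushes an unknown second resolver, answers
# one host into a TEST-NET block the reference never returns, and points the
# other host at itself (the gateway address).
SAMPLE_DHCP_RESOLVERS = ["192.168.1.1", "203.0.113.53"]
SAMPLE_LOCAL = {"outlook.office365.com": {"203.0.113.10"},
                "login.microsoftonline.com": {"192.168.1.1"}}
SAMPLE_REFERENCE = {"outlook.office365.com": {"198.51.100.10", "198.51.100.11"},
                    "login.microsoftonline.com": {"198.51.100.20"}}

if __name__ == "__main__":
    for r in check_resolvers(SAMPLE_DHCP_RESOLVERS):
        print(f"unexpected DHCP resolver: {r}")
    for host, why in check_answers(SAMPLE_LOCAL, SAMPLE_REFERENCE):
        print(f"{host}: {why}")
```

In practice the two answer maps would be filled from queries sent to the router's resolver and to a resolver reached outside the LAN (for example over DoH), and any finding is a prompt to verify the router's DNS settings and firmware version rather than a verdict on its own.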

TP-Link’s dominance in the consumer and SMB router market—over 60% share in some regions—makes this a volume play. The company’s routers are cheap, widely available, and rarely updated after installation. That combination turns them into low-hanging fruit for state-backed hackers. MikroTik’s enterprise-grade devices are equally vulnerable, but their users are more likely to have IT teams monitoring for anomalies. For TP-Link’s customer base, the first sign of trouble is often the last.

The attack turns consumer hardware into a surveillance backdoor—without users ever knowing

The attack’s persistence reveals a grim truth about consumer-grade hardware: security is an afterthought until it’s too late. TP-Link has released patches for affected models, but firmware updates are opt-in, and most users never log into their router’s admin panel after setup. Even those who do often ignore update prompts, assuming they’re for performance tweaks rather than critical fixes. The result is a vast, unpatched attack surface that hackers can exploit for years.

For businesses, the implications are stark. A single compromised router in a remote worker’s home can expose an entire corporate network. Companies that rely on Outlook for email and collaboration are particularly vulnerable, as the attack doesn’t require phishing or malware—just a misconfigured DNS setting. Some firms are already blocking TP-Link devices from their networks, but that’s a reactive move. The real solution requires router manufacturers to treat security as a default, not an add-on.

The broader market is taking note. Competitors like Asus and Netgear have long marketed their routers as more secure, but their market share remains small. TP-Link’s low prices and plug-and-play simplicity keep it dominant, even as its security reputation takes a hit. The question now is whether users will demand better—or keep buying the cheapest box that works, consequences be damned.
