
Security Event

NSA & FBI Router Security Warning: The GRU Spy Network Explained

Last updated: 2026-04-14

Why did NSA and FBI ask Americans to reboot their routers? Full timeline of the GRU VPNFilter malware campaign, official recommendations, and what you should do now.

Timeline

FBI issues first router reboot warning

The FBI urged home and small-office router owners worldwide to reboot their devices after discovering the VPNFilter malware linked to Russian military intelligence (GRU).

Ongoing GRU infrastructure operations

Multiple U.S. government advisories (CISA, NSA, FBI) documented continued GRU cyber operations targeting network infrastructure, including routers and IoT devices.

NSA renews router security guidance

NSA and FBI published updated home network security recommendations, prompting major coverage from Forbes, Newsweek, and Tom's Guide. Core advice: reboot, update firmware, change default passwords.

NSA Official Recommendations

Based on NSA and FBI public guidance. Source: nsa.gov and ic3.gov.

  1. Reboot your router regularly to disrupt persistent malware.
  2. Update firmware to the latest version available from your manufacturer.
  3. Change the default admin password to something long and unique.
  4. Disable remote management unless you specifically need it.
  5. Use WPA2-AES or WPA3 encryption on your Wi-Fi network.
  6. Disable WPS (Wi-Fi Protected Setup) — it is easily brute-forced.
  7. Review and disable UPnP if you don't need automatic port forwarding.

Why rebooting helps — but isn't enough

Router malware like VPNFilter (linked to GRU's Sandworm team) loads in stages. The first stage persists across reboots, but later stages — the ones that intercept traffic and execute commands — live only in memory.

Rebooting clears those memory-resident stages, forcing attackers to re-infect your device. But the persistent first stage remains, and the underlying vulnerability that let them in is still open.

The real fix: update firmware (patches the vulnerability), change the admin password (blocks credential-based access), and disable remote management (removes the attack surface). Rebooting is step one — not the final step.
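The seven recommendations and the reboot caveat above, as an added example (not NSA, FBI or vendor code): a Python check over a constructed settings export that shows which findings survive a reboot. Field names, thresholds (weekly reboot, 12-character password) and all sample values are assumptions.

```python
# Added example: field names, thresholds and sample values are constructed.
MAX_UPTIME_DAYS = 7        # assumption: "regularly" read as weekly
MIN_PASSWORD_LENGTH = 12   # assumption: "long" read as 12+ characters
STRONG_WIFI = {"WPA2-AES", "WPA3"}

def version_tuple(v):
    """'1.0.10' -> (1, 0, 10), so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))

def audit(cfg):
    """Return (recommendation number, finding) pairs; empty means all pass."""
    found = []
    if cfg["uptime_days"] > MAX_UPTIME_DAYS:
        found.append((1, "reboot overdue"))
    if version_tuple(cfg["firmware"]) < version_tuple(cfg["latest_firmware"]):
        found.append((2, "firmware outdated"))
    if cfg["password_is_default"] or cfg["password_length"] < MIN_PASSWORD_LENGTH:
        found.append((3, "admin password default or short"))
    if cfg["remote_management"]:
        found.append((4, "remote management enabled"))
    if cfg["wifi_encryption"] not in STRONG_WIFI:
        found.append((5, "Wi-Fi encryption weaker than WPA2-AES/WPA3"))
    if cfg["wps"]:
        found.append((6, "WPS enabled"))
    if cfg["upnp"]:
        found.append((7, "UPnP enabled"))
    return found

def after_reboot(cfg):
    """A reboot resets uptime and changes nothing else in the settings."""
    return {**cfg, "uptime_days": 0}

# Constructed sample exports: a factory-state router and a hardened one.
WEAK = {"uptime_days": 90, "firmware": "1.0.9", "latest_firmware": "1.0.10",
        "password_is_default": True, "password_length": 5,
        "remote_management": True, "wifi_encryption": "WPA-TKIP",
        "wps": True, "upnp": True}
HARDENED = {"uptime_days": 2, "firmware": "1.0.10", "latest_firmware": "1.0.10",
            "password_is_default": False, "password_length": 20,
            "remote_management": False, "wifi_encryption": "WPA3",
            "wps": False, "upnp": False}

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK), ("weak, rebooted", after_reboot(WEAK)),
                      ("hardened", HARDENED)]:
        print(name, audit(cfg))
```

Rebooting the weak sample clears only finding 1; findings 2 through 7 remain until the settings themselves change.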


FAQ

Why does rebooting help?

Some router malware (like VPNFilter) loads into memory. A reboot clears non-persistent stages, forcing the attacker to re-infect the device. However, rebooting alone does not remove persistent components or fix the vulnerability that allowed infection in the first place.

Am I at risk if I have a modern router?

Risk depends on whether your router firmware is up to date and whether default credentials have been changed. Even modern routers can be compromised if they run outdated firmware or use factory-default passwords.

Should I replace my router?

If your router is no longer receiving firmware updates from the manufacturer, replacement is recommended. End-of-life devices cannot patch newly discovered vulnerabilities.
