A technical analysis of how consumer routers are actually compromised — and why the FCC's geographic manufacturing ban misdiagnoses the disease.


On March 23, 2026, the FCC added all foreign-manufactured consumer-grade routers to its Covered List, effectively banning the import of new models unless the manufacturer obtains conditional approval from the Department of Homeland Security or the Department of War. The stated rationale was national security: foreign-produced routers introduce supply-chain vulnerabilities and pose severe cybersecurity risks that could be leveraged for espionage and infrastructure disruption.

The threat actors cited in the ban — Volt Typhoon, Flax Typhoon, Salt Typhoon, and most recently APT28 — are real, documented, and dangerous. But a close examination of how each of these campaigns actually operated reveals a pattern the FCC's geographic framing cannot explain: the routers being exploited are overwhelmingly compromised through operational failures that have nothing to do with where the hardware was manufactured. Default credentials. Unpatched firmware. Management interfaces exposed to the public internet. End-of-life devices running years past their last security update. These are the actual attack surfaces, and they exist across every brand and every country of origin.

This article walks through the documented evidence, campaign by campaign.

Volt Typhoon and the KV Botnet: End-of-Life American-Brand Routers

Volt Typhoon is a Chinese state-sponsored threat group first publicly identified by Microsoft in May 2023. Its operational signature is patient, quiet pre-positioning inside U.S. critical infrastructure — communications, manufacturing, utilities, transportation, maritime, government, IT, and education — with the assessed goal of establishing persistent access for potential future disruption during a geopolitical crisis.

The group's primary tool for obfuscating its activity was the KV Botnet, a network of compromised SOHO routers that served as covert proxy nodes, making it extremely difficult to trace attack traffic back to its actual origin. The KV Botnet's composition tells the real story of how these compromises happened.

According to the U.S. Department of Justice, which authorized the FBI's January 2024 takedown of the botnet, the devices comprising the KV Botnet were predominantly Cisco RV320/325 routers and Netgear ProSAFE firewalls — American-headquartered brands — that had reached end-of-life status. Their manufacturers had stopped issuing security patches. The devices were, in the Justice Department's own words, "vulnerable because they had reached 'end of life' status; that is, they were no longer supported through their manufacturer's security patches or other software updates."

Black Lotus Labs researcher Danny Adamitis, whose team at Lumen Technologies tracked the KV Botnet extensively, was blunt about the root cause: the botnet was "made up primarily of end-of-life products that are vulnerable to critical security issues. Vendors have stopped shipping security patches for these devices, meaning they will remain unpatched. The only solution is to rip and replace these things."

After the FBI disrupted the botnet in January 2024, Volt Typhoon rebuilt it. SecurityScorecard's STRIKE Team documented the group compromising roughly 30 percent of all internet-exposed Cisco RV320/325 devices within 37 days of the September 2024 resurgence. When asked what specific vulnerability was being exploited, the researchers told BleepingComputer: "We don't know specifically what weakness or flaw is being exploited. However, with the devices being end of life, updates are no longer provided."

The pattern is unambiguous. The attack surface was not Chinese manufacturing or foreign supply-chain sabotage. It was abandoned hardware running unpatched firmware, made by Cisco and Netgear, two companies both headquartered in San Jose, California.

APT28 / Fancy Bear: The GRU's DNS Hijacking Campaign

On April 7, 2026, two weeks after the FCC announced its router ban, the FBI, NSA, CISA, and intelligence partners from fifteen countries released a joint public service announcement documenting an active Russian GRU campaign exploiting consumer routers worldwide. The operation was attributed to APT28 (also known as Fancy Bear and Forest Blizzard), the GRU's 85th Main Special Service Center (Unit 26165).

The campaign, which Lumen's Black Lotus Labs codenamed FrostArmada, had been operational since at least mid-2024. APT28 compromised SOHO routers, primarily TP-Link and MikroTik devices, and rewrote the DNS server addresses those routers advertise to their clients over DHCP, pointing them at attacker-controlled resolvers hosted on virtual private servers. Every device on the compromised network (laptops, phones, tablets) picked up the poisoned resolver addresses automatically the next time it obtained or renewed a DHCP lease, without any client-side malware. When a victim looked up a service such as Microsoft Outlook Web Access, the malicious resolver returned a fraudulent record pointing at adversary-in-the-middle (AitM) infrastructure, where authentication credentials and OAuth tokens were harvested in real time.
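The mechanism described above leaves a concrete artifact on the wire: the DHCP offer or acknowledgement carries the resolver addresses (DHCP option 6) that every client will trust. The following is an added example, not code from the advisories or from Black Lotus Labs, that parses a raw DHCP payload, extracts the subnet mask, router and DNS options, and flags any resolver that is neither on an allow-list nor on the local LAN, which is how a router rewritten to point at an attacker's VPS would appear. The packet builder, the placeholder gateway and ISP resolver addresses, and the 203.0.113.7 "attacker VPS" are all constructed for the demonstration; the audit function itself works on any DHCP UDP body captured with tcpdump or similar.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 magic cookie at offset 236
OPT_PAD, OPT_END = 0, 255
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE = 1, 3, 6, 53
DHCPOFFER = 2


def parse_dhcp_options(packet: bytes) -> dict[int, bytes]:
    """Return {option_code: data} from a raw DHCP/BOOTP payload (the UDP body)."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (too short, or bad magic cookie)")
    opts: dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        data = packet[i + 2 : i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code} truncated")
        # RFC 3396: a repeated option code carries a continuation of the same value.
        opts[code] = opts.get(code, b"") + data
        i += 2 + length
    return opts


def ipv4_list(data: bytes) -> list[str]:
    """Decode an option whose value is a sequence of 4-byte IPv4 addresses."""
    if len(data) % 4:
        raise ValueError("address list length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(data[k : k + 4])) for k in range(0, len(data), 4)]


def audit_dhcp_offer(packet: bytes, trusted_resolvers: set[str]) -> dict:
    """Flag resolvers handed out by DHCP that are neither trusted nor on the local LAN.

    A router whose DNS setting was rewritten to an attacker's VPS shows up as an
    off-LAN resolver that is not on the allow-list (the ISP's or the organisation's).
    """
    opts = parse_dhcp_options(packet)
    client_ip = str(ipaddress.IPv4Address(packet[16:20]))      # yiaddr field
    mask = ipv4_list(opts.get(OPT_SUBNET_MASK, b""))
    lan = ipaddress.IPv4Network(f"{client_ip}/{mask[0]}", strict=False) if mask else None
    routers = ipv4_list(opts.get(OPT_ROUTER, b""))
    resolvers = ipv4_list(opts.get(OPT_DNS, b""))
    suspicious = [
        r for r in resolvers
        if r not in trusted_resolvers
        and r not in routers
        and (lan is None or ipaddress.IPv4Address(r) not in lan)
    ]
    return {"client_ip": client_ip, "routers": routers,
            "resolvers": resolvers, "suspicious_resolvers": suspicious}


def build_offer(client_ip: str, mask: str, router: str, resolvers: list[str]) -> bytes:
    """Construct a minimal DHCPOFFER for testing (a synthetic packet, not a capture)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                                   # op=BOOTREPLY, htype=Ethernet, hlen, hops
        0x3903F326, 0, 0,                             # xid, secs, flags
        b"\0" * 4,                                    # ciaddr
        ipaddress.IPv4Address(client_ip).packed,      # yiaddr
        ipaddress.IPv4Address(router).packed,         # siaddr
        b"\0" * 4,                                    # giaddr
        bytes.fromhex("001122334455").ljust(16, b"\0"),   # chaddr (constructed MAC)
        b"\0" * 64, b"\0" * 128,                      # sname, file
    )
    dns = b"".join(ipaddress.IPv4Address(r).packed for r in resolvers)
    options = (
        bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
        + bytes([OPT_SUBNET_MASK, 4]) + ipaddress.IPv4Address(mask).packed
        + bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed
        + bytes([OPT_DNS, len(dns)]) + dns
        + bytes([OPT_END])
    )
    return header + DHCP_MAGIC + options


if __name__ == "__main__":
    # Constructed allow-list: the gateway itself and a placeholder ISP resolver.
    trusted = {"192.168.1.1", "198.51.100.53"}
    clean = build_offer("192.168.1.23", "255.255.255.0", "192.168.1.1", ["192.168.1.1"])
    poisoned = build_offer("192.168.1.23", "255.255.255.0", "192.168.1.1",
                           ["203.0.113.7", "192.168.1.1"])   # 203.0.113.7 stands in for an attacker VPS
    print(audit_dhcp_offer(clean, trusted))
    print(audit_dhcp_offer(poisoned, trusted))
```

The allow-list is the part that needs local knowledge: an ISP-assigned resolver is legitimately off-LAN, so it must be listed or it will be reported. A resolver on the LAN that is not listed (a local filtering resolver, for instance) is deliberately not flagged, since the campaign's signature is a public VPS address, not a LAN host. The parser tolerates padding and RFC 3396 split options, which a sloppier "find byte 6" approach would misread.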

How did APT28 get into the routers? The UK's National Cyber Security Centre (NCSC), which published the companion advisory, identified the primary vector for TP-Link devices as CVE-2023-50224 — a vulnerability that allows an unauthenticated attacker to extract stored credentials, including admin passwords, via specially crafted HTTP GET requests. Having obtained the credentials, the attacker sends a second crafted request to rewrite the router's DNS settings.

The NCSC described the campaign as opportunistic and automated: APT28 cast a wide net, compromising routers in bulk, then filtering the resulting victim pool at each stage to identify targets of intelligence value — military, government, critical infrastructure, and research institutions.

At its peak in December 2025, more than 18,000 unique IP addresses across 120-plus countries were communicating with APT28's infrastructure. The FBI conducted a court-authorized operation (codenamed Operation Masquerade) to remotely reset the DNS settings on compromised U.S. routers, restoring legitimate resolvers.

Note what is absent from the entire advisory chain: FBI, NSA, CISA, NCSC, and Lumen's Black Lotus Labs combined. There is no mention of hardware-level backdoors. No mention of supply-chain tampering at the manufacturing stage. No mention of firmware deliberately compromised before shipping. The attack exploited a known software vulnerability (CVE-2023-50224) on devices whose firmware had never been updated and whose management interfaces were reachable from the internet. Because that flaw discloses the stored admin credentials to an unauthenticated requester, it makes no difference on an unpatched device whether the owner ever changed the default password; the patch and the exposed interface are what matter. The same operational pattern, exploit an unpatched vulnerability, obtain the stored credentials, rewrite the DNS settings, was applied to both TP-Link (a Chinese-founded brand) and MikroTik (a Latvian brand). The country of manufacture was irrelevant to the attack chain.

The FBI's own remediation guidance for affected users is a catalog of operational hygiene, not hardware replacement directives: replace routers that no longer receive support, update to the latest firmware, change default usernames and passwords, disable remote management interfaces from the internet.

Horse Shell: The Firmware-Agnostic Implant

In May 2023, Check Point Research published a detailed technical analysis of a custom firmware implant called Horse Shell, deployed by the Chinese APT group Camaro Dragon (which overlaps significantly with the group tracked as Mustang Panda). The implant was discovered on TP-Link routers targeting European foreign affairs entities.

Horse Shell provided three capabilities: remote shell execution on the infected router, file transfer to and from the device, and SOCKS proxy tunneling for traffic anonymization. It was sophisticated, well-engineered malware — and it had absolutely nothing to do with TP-Link as a manufacturer.

Check Point's researchers stated this explicitly in their technical report: the implanted components "were written in a firmware-agnostic manner and are not specific to any particular product or vendor. As a result, they could be included in different firmware by various vendors." The research lead, Itay Cohen, told TechTarget that while there are always additional protections a vendor could implement, "TP-Link implements several security mechanisms to make it harder for attackers to exploit their devices... overall, the security isn't bad."

Check Point further acknowledged that they did not know how the attackers initially compromised the routers, but assessed it was "likely that they gained access to these devices by either scanning them for known vulnerabilities or targeting devices that used default or weak and easily guessable passwords for authentication."

As XDA Developers noted in their analysis of the FCC ban, no government agency and no independent security researcher has published evidence of an intentional backdoor in a TP-Link router — or in any other major consumer router affected by the ban. The Horse Shell malware was something attackers built and deployed after compromising the device through conventional means. The same techniques work against Cisco, Netgear, Fortinet, ASUS, and any other vendor whose devices are running vulnerable firmware with weak credentials.

The Numbers: 81 Percent Haven't Changed the Default Password

The operational failure problem is not subtle. It is not edge-case. It is the overwhelming norm.

Broadband Genie's 2025 router security survey, polling 3,242 users, found that 81 percent of broadband users have never changed their router's default administrative password. That represents only a five-percentage-point improvement from 2024. Eighty-four percent have never updated their router's firmware. Sixty-nine percent have never changed their Wi-Fi password. Forty-seven percent have never adjusted any factory settings whatsoever.

An IBM/Instana survey in early 2025 found even worse numbers: 86 percent of router users had never changed the default admin password, 89 percent had never updated firmware, and 52 percent had never adjusted any factory settings at all.

These default credentials are not secret. Websites like routerpasswords.com maintain publicly accessible, community-driven databases cataloging default usernames and passwords for virtually every router manufacturer on the planet. The Mirai botnet, which first appeared in 2016 and remains active in evolved forms today, achieves initial compromise by cycling through a hardcoded list of roughly 60 common default username/password pairs against devices exposing Telnet (later variants extend this to SSH and other services). It requires no zero-day vulnerability, no supply-chain compromise, and no nation-state sophistication. It requires a router that was plugged in and never configured.

The 10-year CVE data tells a complementary story. An analysis of National Vulnerability Database records from 2016 through 2026 found that D-Link leads all router manufacturers with roughly 500 documented vulnerabilities, followed by Netgear's consumer line at approximately 450, and TP-Link at around 409. When filtered to critical and high-severity CVEs only (CVSS 7.0+) — the vulnerabilities that enable remote code execution and full device takeover — D-Link has 245, TP-Link has 205, and Netgear's consumer products are in the same range. The vulnerability landscape is not materially different between Chinese-manufactured and American-headquartered brands. Both produce consumer hardware with comparable rates of serious security flaws. Both depend on end users to apply patches that the vast majority of end users never apply.

The ASUS KadNap Botnet: American Routers, Same Problem

For those inclined to view the TP-Link and MikroTik compromises as evidence of a specifically Chinese or Eastern European problem, the ASUS KadNap botnet provides a useful counterpoint. First observed in August 2025, KadNap infected more than 14,000 edge devices, with ASUS routers comprising the majority of victims — over 60 percent located in the United States. The attack exploited authentication-bypass vulnerabilities and unpatched firmware in ASUS's AiCloud-enabled router models. The earlier Operation WrtHug campaign documented similar exploitation of ASUS devices, conscripting more than 50,000 routers into an espionage-focused botnet.

ASUS is a Taiwanese company — not Chinese — and was already subject to a 2016 FTC consent decree requiring 20 years of independent security audits after the agency found that ASUS routers shipped with default credentials of "admin/admin" and a vulnerability in their cloud storage feature that exposed over 12,900 consumers' connected storage devices. A decade later, ASUS routers are still being compromised in bulk through the same category of operational failures.

What the FCC's Own Advisory Partners Actually Recommend

Perhaps the most telling evidence comes from the remediation guidance issued by the very agencies whose findings the FCC cited to justify the ban. Neither the FBI, nor the NSA, nor CISA, nor the NCSC recommends replacing foreign-made routers with domestic ones. Their guidance is consistently operational:

The FBI's IC3 advisory (PSA260407, April 7, 2026) instructs users to "upgrade end-of-support devices, update to latest firmware versions, change default usernames and passwords, and disable remote management interfaces from the Internet." The NCSC's companion advisory recommends keeping firmware updated, restricting management interface access, and enabling multi-factor authentication. CISA's standing guidance on SOHO router security emphasizes automated update capabilities, management interfaces restricted to LAN-side ports only, and the elimination of default credentials.

None of these agencies — the same agencies whose national-security determination the FCC implemented — prescribe geography-of-manufacture as a meaningful security control.

The Structural Contradiction

The FCC's ban creates a structural contradiction that the cybersecurity community has noted with some exasperation. The policy targets new router models from foreign manufacturers — the devices most likely to incorporate modern security features like automatic firmware updates, WPA3 encryption, and unique-per-device credentials. It explicitly grandfathers existing devices, including aging hardware running years-old firmware with known vulnerabilities and default passwords. And it cuts off firmware updates for grandfathered devices after March 1, 2027, guaranteeing the creation of millions of permanently unpatched endpoints.

As the Internet Governance Project observed, the policy paradoxically targets the very devices most likely to have modern, auto-updating security features while allowing insecure, aging devices to remain in service indefinitely. Matt Wyckhouse, CEO of Finite State, noted that the FCC has effectively banned all new routers, since no domestic manufacturer currently meets the criteria — meaning the near-term effect is to freeze the installed base at its current security posture and prevent the introduction of newer, potentially more secure hardware.

Jason Soroko of Sectigo put the diagnostic failure plainly: by fixating on silicon origin rather than maintenance rigor, the directive conflates supply-chain provenance with the far more pervasive threat of administrative complacency. Jake Williams, a former NSA hacker, was even more direct: a standards-based approach would deliver better security outcomes, because you can make a secure router anywhere in the world if you enforce the right requirements, and you can make an insecure one domestically just as easily.

The Alternative That Already Exists

The European Union's Cyber Resilience Act, which entered into force in December 2024 with full compliance required by December 2027, takes a fundamentally different approach. It mandates that all products with digital elements sold in the EU — regardless of country of manufacture — meet enforceable cybersecurity standards: unique default passwords, mandatory vulnerability disclosure programs, automatic security updates for a defined minimum period, transparency about software bills of materials, and secure-by-default configurations. The regulation is technology-neutral and geography-neutral. It addresses the actual attack surfaces documented in every major router compromise campaign of the past three years.

The FCC chose the other path: a blanket geographic prohibition that does not require a single router — foreign or domestic — to meet any specific cybersecurity standard. A router manufactured in Texas with default credentials of admin/admin, no automatic update mechanism, and its management interface exposed to the public internet would be fully compliant with the FCC's new framework. A TP-Link router manufactured in Vietnam with unique per-device credentials, WPA3 encryption, automatic firmware updates, and a locked-down management interface would be banned.
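Two passages above turn on the same engineering point: the Mirai section shows why a shared factory default such as admin/admin is equivalent to no password at all, and the Cyber Resilience Act section names unique per-device default credentials as the corresponding control. The following is an added example, not code from any vendor, regulator or advisory, that shows one way to implement that control and one way to get it wrong. It assumes a factory-held secret key (here a constant placeholder), an HMAC-SHA256 derivation keyed with that secret, a label-friendly alphabet, and a short constructed subset of the well-known default list; the audit function then triages an (also constructed) inventory of admin credentials into "known default", "derivable from the public serial", or acceptable.

```python
import hashlib
import hmac

# Illustrative subset of the factory defaults catalogued in public default-password
# lists and hard-coded into Mirai-style scanners (constructed sample, not a full list).
KNOWN_DEFAULTS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"), ("admin", ""),
    ("root", "root"), ("root", "admin"), ("root", "12345"), ("user", "user"),
}

# Characters a user can read off a sticker without ambiguity (no 0/O, 1/l/I).
LABEL_ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def is_known_default(username: str, password: str) -> bool:
    """True if the pair is one of the shared defaults a scanner tries first."""
    return (username.lower(), password) in KNOWN_DEFAULTS


def serial_only_password(serial: str, length: int = 10) -> str:
    """Anti-pattern: a 'unique' default derived from the public serial number alone.
    Anyone who reads the label, or iterates sequential serials, recomputes it."""
    return hashlib.sha256(serial.encode()).hexdigest()[:length]


def factory_password(serial: str, factory_secret: bytes, length: int = 12) -> str:
    """Per-device default derived with a keyed MAC: unique per serial and not
    recomputable without the secret, which stays in the factory's signing system.
    The modulo mapping is slightly biased; that is acceptable for a default the
    user must change at first login, use rejection sampling if uniformity matters."""
    if len(factory_secret) < 32:
        raise ValueError("factory secret must be at least 256 bits")
    digest = hmac.new(factory_secret, serial.encode(), hashlib.sha256).digest()
    return "".join(LABEL_ALPHABET[b % len(LABEL_ALPHABET)] for b in digest[:length])


def classify_credential(username: str, password: str, serial: str) -> str:
    """Triage an observed (user, password, serial) triple during an audit."""
    if is_known_default(username, password):
        return "known_default"          # a Mirai-style scanner gets in on its first pass
    if password == serial_only_password(serial):
        return "derivable_from_serial"  # unique-looking, but public information suffices
    return "ok"


def audit_inventory(devices: list[dict]) -> dict[str, str]:
    """Map serial -> classification for an inventory of router admin credentials."""
    return {d["serial"]: classify_credential(d["user"], d["password"], d["serial"])
            for d in devices}


if __name__ == "__main__":
    secret = b"\x11" * 32   # placeholder for the factory's HSM-held key (constructed)
    inventory = [           # constructed sample inventory
        {"serial": "SN000001", "user": "admin", "password": "admin"},
        {"serial": "SN000002", "user": "admin", "password": serial_only_password("SN000002")},
        {"serial": "SN000003", "user": "admin", "password": factory_password("SN000003", secret)},
    ]
    for serial, verdict in audit_inventory(inventory).items():
        print(serial, verdict)
```

The keyed derivation is the whole difference between the two "unique" schemes: with the secret held only at the factory, knowing one device's serial (or every device's serial) tells an attacker nothing about any password, whereas the serial-only variant merely hides a shared secret of zero bits behind a hash. None of this removes the need for a forced password change on first login, automatic updates, and a management interface that is not reachable from the WAN; it only closes the door the Mirai list walks through.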

That is not a cybersecurity policy. That is a trade policy wearing a cybersecurity costume.

Conclusion

The documented record across Volt Typhoon (Cisco/Netgear end-of-life devices), APT28/FrostArmada (TP-Link and MikroTik compromised via unpatched CVEs and default credentials), Camaro Dragon/Horse Shell (firmware-agnostic malware deployable on any vendor's hardware), KadNap (ASUS devices exploited via authentication bypass), and the standing consumer survey data (81-89 percent of users never changing default passwords or updating firmware) tells a consistent and unambiguous story.

Router compromises overwhelmingly stem from operational failures: default credentials left unchanged, firmware patches never applied, management interfaces left exposed to the public internet, and end-of-life devices kept in service years past their last security update. These vulnerabilities exist across domestic and foreign hardware alike. No government agency investigating these campaigns has identified country of manufacture as a causal factor. Every remediation advisory from the FBI, NSA, CISA, and NCSC prescribes operational fixes, not geographic sourcing requirements.

The FCC's ban addresses a threat model that does not match the documented reality of how routers are actually compromised. Whether that mismatch reflects genuine misunderstanding, institutional inertia, or the convenient alignment of a national-security narrative with protectionist economic objectives is a question readers can evaluate for themselves. The technical record, at least, is clear.


Sources: U.S. Department of Justice (KV Botnet disruption, January 2024; Operation Masquerade, April 2026); FBI IC3 PSA260407 (April 7, 2026); NSA press release (April 7, 2026); UK NCSC advisory, "APT28 exploit routers to enable DNS hijacking operations" (April 7, 2026); Lumen Black Lotus Labs / SecurityScorecard STRIKE Team (KV Botnet and FrostArmada analysis); Check Point Research, "The Dragon Who Sold His Camaro" (May 2023); Broadband Genie Router Security Survey (2025); IBM/Instana router security survey (2025); 5Gstore 10-year CVE analysis (April 2026); Fing / KadNap botnet analysis (March 2026); FCC Fact Sheet DOC-420034A1 (March 23, 2026); FCC FAQs on Covered List (updated March 31, 2026); Dark Reading, "Is the FCC's Router Ban the Wrong Fix?" (March 2026); Tech Insider, "FCC Foreign Router Ban 2026: National Security Impact" (March 2026).