
🔒 Security & Privacy

The FCC's Router Ban Is Bigger Than You Think: Inside the Volt, Flax, and Salt Typhoon Attacks

How three Chinese state-sponsored hacking campaigns turned the humble home router into one of America's most dangerous attack surfaces, and why the FCC finally acted.

Sara Voss, Investigative Tech Reporter
March 24, 2026
🔍 Investigative Report

🇺🇸 National Security Impact
Three state-sponsored hacking campaigns (Volt, Flax, and Salt Typhoon) exploited consumer Wi-Fi routers and other unpatched network edge devices to infiltrate US critical infrastructure, telecom networks, and federal wiretap systems. This is what happened, and what comes next.

⚠ Campaign Threat Assessment
Volt Typhoon (infrastructure prepositioning): HIGH
Flax Typhoon (consumer router botnet): HIGH
Salt Typhoon (telecom and wiretap infiltration): CRITICAL

The device sitting between your modem and your laptop has, for years, been treated as a utility: plug it in, forget it exists, change the Wi-Fi password when your neighbor's kid asks for it. That comfortable invisibility is precisely what three Chinese state-sponsored hacking groups, Volt Typhoon, Flax Typhoon, and Salt Typhoon, systematically weaponized against the United States. What they accomplished through that overlooked box of blinking lights is now the subject of the most sweeping telecommunications security action in FCC history.

In March 2026, the FCC formally banned the sale of new consumer-grade routers manufactured outside the United States, citing an "unacceptable national security risk." The order, championed by FCC Chair Brendan Carr, targets not just TP-Link, which had been under federal scrutiny for more than a year, but virtually every major router brand on American shelves, since nearly all are manufactured, assembled, or designed at least in part outside the US. The scale of the action is without precedent. So is the threat that preceded it.

This is not a story about theoretical vulnerabilities or speculative risk assessments. The Cybersecurity and Infrastructure Security Agency (CISA), the NSA, the FBI, and their Five Eyes partners in Australia, the UK, Canada, and New Zealand have all confirmed what the campaigns achieved: deep, long-duration access to US energy, water, and telecommunications networks, and to the lawful-intercept (CALEA) systems that federal law enforcement uses for court-authorized wiretaps. Senator Mark Warner, then chair of the Senate Intelligence Committee, called Salt Typhoon alone "the worst telecom hack in our nation's history." This report examines how each campaign unfolded, what was compromised, and what the ban actually changes.

01
Inside the Three Campaigns: How State-Sponsored Hackers Used Your Router


Volt Typhoon: Pre-Positioning Inside the Grid

Volt Typhoon is the most strategically alarming of the three. Unlike espionage intrusions that steal data and leave, Volt Typhoon's documented objective, confirmed by CISA, the NSA, and the FBI in the February 2024 advisory AA24-038A, is prepositioning: burrowing into US critical infrastructure so that in a military conflict or geopolitical crisis, Chinese operators could trigger disruptive or destructive effects on command. Its targets span the communications, energy, transportation, and water and wastewater sectors, with a notable concentration around Guam, a critical US military staging point in the Pacific.

Its defining signature is living off the land (LOTL): using the operating system's own tools, valid credentials, and standard network utilities rather than custom malware. The approach is brutally effective at evading detection because the activity is nearly indistinguishable from routine administration. The advisory documents, for example, volume shadow copies and ntdsutil used to copy the Active Directory database for offline credential extraction, and netsh portproxy rules used to pivot between hosts. In documented cases, Volt Typhoon maintained persistent, undetected access to victim networks for at least five years. Routers, particularly end-of-life Cisco and Netgear small-office devices, served as relay points, masking the origin of attacker traffic by routing commands through compromised home and small-business equipment across the US.
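To make the LOTL pattern concrete, here is a small detector, added for this article and not part of the advisory or the author's reporting, that scans process-creation logs for the command-line techniques AA24-038A attributes to Volt Typhoon. The log lines are constructed, their pipe-separated layout is an assumption, and the rule set is a starting point rather than a complete signature.

```python
"""Flag Volt Typhoon-style living-off-the-land (LOTL) activity in process-creation logs.

Added example for this article, not tooling from CISA or the article's author.
The rules encode techniques AA24-038A describes (netsh portproxy relays, ntdsutil
and shadow-copy dumps of the AD database, registry hive saves, wmic recon); the
log lines are constructed and their pipe-separated layout is an assumption.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# (rule name, regex over the command line, why a defender cares)
LOTL_RULES = [
    ("netsh_portproxy",
     re.compile(r"netsh\s+interface\s+portproxy\s+add", re.I),
     "port-forwarding rule: pivot/relay through this host"),
    ("ntds_dump",
     re.compile(r"ntdsutil.*\bac\s+i\s+ntds\b.*\bifm\b", re.I),
     "offline copy of the Active Directory database (credential theft)"),
    ("vss_shadow",
     re.compile(r"vssadmin\s+create\s+shadow|wmic\s+shadowcopy\s+call\s+create", re.I),
     "volume shadow copy, used to read locked NTDS.dit/SAM files"),
    ("reg_save_hives",
     re.compile(r"reg\s+save\s+hklm\\(sam|system|security)\b", re.I),
     "registry hive export for offline credential extraction"),
    ("wmic_recon",
     re.compile(r"wmic\s+(nicconfig|computersystem|process|logicaldisk|useraccount)\b", re.I),
     "host and network enumeration through WMI"),
]

# Constructed process-creation events: timestamp|host|user|parent|command line
LOG_LINES = [
    "2024-02-01T03:14:22Z|DC01|CORP\\svc_backup|cmd.exe|ntdsutil.exe \"ac i ntds\" \"ifm\" \"create full C:\\Windows\\Temp\\pro\" q q",
    "2024-02-01T03:16:05Z|DC01|CORP\\svc_backup|cmd.exe|netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress=10.0.0.12 connectport=8443",
    "2024-02-01T03:20:41Z|WS-117|CORP\\jdoe|explorer.exe|notepad.exe C:\\Users\\jdoe\\notes.txt",
    "2024-02-01T03:21:09Z|WS-117|CORP\\jdoe|cmd.exe|ping 10.0.0.1",
    "2024-02-01T04:02:33Z|FS02|CORP\\svc_backup|powershell.exe|wmic nicconfig get ipaddress,macaddress",
    "2024-02-01T04:05:10Z|FS02|CORP\\svc_backup|cmd.exe|reg save hklm\\sam C:\\Windows\\Temp\\sam.hiv",
]


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    rule: str
    why: str
    cmd: str


def parse_event(line):
    """Split one constructed log line into its fields (the command line may itself contain '|')."""
    ts, host, user, parent, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmd": cmd}


def scan(lines):
    """Return one Finding per (event, rule) match."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for name, rx, why in LOTL_RULES:
            if rx.search(ev["cmd"]):
                findings.append(Finding(ev["ts"], ev["host"], ev["user"], name, why, ev["cmd"]))
    return findings


def hosts_to_triage(findings, min_distinct_rules=2):
    """Hosts where two or more different techniques fired. A lone netsh or wmic
    call is routine admin noise; a chain of them from one account is the LOTL
    pattern the advisory warns about, so that is what gets escalated."""
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f.host].add(f.rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    hits = scan(LOG_LINES)
    for f in hits:
        print(f"{f.ts} {f.host} {f.user} [{f.rule}] {f.why}")
    print("triage:", hosts_to_triage(hits))
```

The useful signal is the combination: hosts_to_triage escalates a host only when two different techniques fire, which is what separates an administrator running netsh once from an account that exports the AD database and then opens a port-forward on the same box.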

Flax Typhoon: The 260,000-Device Botnet

Where Volt Typhoon is surgical, Flax Typhoon is industrial. Operating through a front company, Integrity Technology Group, which the US Treasury later sanctioned, Flax Typhoon built a massive botnet of compromised consumer devices. At its peak the network included approximately 260,000 hijacked routers, IP cameras, DVRs, and network-attached storage drives, the majority in the United States. The botnet ran a modified member of the Mirai malware family, built to infect Linux-based IoT devices.

In September 2024, the FBI obtained court authorization to send commands to thousands of US-based devices that disabled the malware, as part of a coordinated disruption operation. FBI Director Christopher Wray announced the takedown at the Aspen Cyber Summit, publicly identifying Flax Typhoon as a PRC state-sponsored group for the first time. The Chinese government dismissed the FBI's characterization as "disinformation." The botnet itself was used to proxy attacks against government and defense contractor networks, routing malicious traffic through ordinary American households and making attribution and blocking extraordinarily difficult.
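What a Flax Typhoon-style bot looks like from inside the home is mostly scanning: the Mirai family spreads by hammering telnet on thousands of addresses. The following detector is an added example (not the FBI's tooling or the article's) over constructed connection records; the four-field record layout is an assumption, and the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges.

```python
"""Spot a LAN device behaving like a Mirai-family bot: bursts of outbound
connection attempts to telnet (TCP 23/2323) across many distinct hosts.

Added example, not the FBI's or the article's tooling. The flow records are
constructed; their 'ts,src,dst,dport' layout is an assumption (export the
same four fields from your router's connection log or a NetFlow collector).
"""
from collections import defaultdict

SCAN_PORTS = {23, 2323}  # telnet ports the original Mirai scanner brute-forces


def parse_flow(line):
    ts, src, dst, dport = line.strip().split(",")
    return float(ts), src, dst, int(dport)


def find_scanners(flow_lines, window_s=60.0, min_targets=16, ports=SCAN_PORTS):
    """Return {src: peak_distinct_targets} for sources that contacted at least
    min_targets distinct destinations on `ports` inside any window_s-second span.
    Distinct destinations, not raw connection count, is what separates a
    scanner from a device that simply talks to one telnet host a lot."""
    per_src = defaultdict(list)
    for line in flow_lines:
        ts, src, dst, dport = parse_flow(line)
        if dport in ports:
            per_src[src].append((ts, dst))
    scanners = {}
    for src, events in per_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> hits inside the sliding window
        lo, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[lo][0] > window_s:  # slide the left edge forward
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            scanners[src] = peak
    return scanners


def constructed_flows():
    """Synthetic traffic: one infected camera sweeping 40 hosts in 12 seconds,
    one laptop doing ordinary HTTPS to four hosts, one NAS with repeated telnet
    to a single host (an admin session, not a scan)."""
    flows = []
    for i in range(40):
        flows.append(f"{1000 + i * 0.3:.1f},192.168.1.23,203.0.113.{i + 1},{2323 if i % 3 == 0 else 23}")
    for i in range(30):
        flows.append(f"{1000 + i:.1f},192.168.1.50,198.51.100.{(i % 4) + 1},443")
    for i in range(5):
        flows.append(f"{1000 + i * 10:.1f},192.168.1.40,192.168.1.1,23")
    return flows


if __name__ == "__main__":
    print(find_scanners(constructed_flows()))  # {'192.168.1.23': 40}
```

The ports parameter is there because Mirai descendants vary: pass ports={22, 23, 2323} if you also want SSH-scanning variants, and tune min_targets to your network size (a home LAN should see close to zero outbound telnet at all).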

Salt Typhoon: The Worst Telecom Hack in US History

Salt Typhoon is the most consequential of the three by almost any measure. Linked to China's Ministry of State Security (MSS), the group compromised at least nine major US telecommunications providers, including AT&T, Verizon, Lumen Technologies, and T-Mobile, and affected carriers in dozens of other countries. The Wall Street Journal first reported the intrusions in late September 2024, with the wiretap dimension following in early October; AT&T and Verizon publicly confirmed the breach by late December of that year.

The attack path was sophisticated and ran through carrier-grade equipment: unpatched Cisco and Fortinet devices, the routers and firewalls of the carriers themselves rather than anything on a consumer shelf. (A Versa Director zero-day exploited in the same period is often folded into the Salt Typhoon story, but Lumen's researchers attributed that activity to Volt Typhoon.) By hijacking a single high-level network management account at AT&T that was not protected by multi-factor authentication, the group gained access to more than 100,000 routers inside the carrier's infrastructure. The attackers had access for well over a year before Microsoft threat researchers detected the intrusions.

The data harvested was staggering: metadata from more than a million calls and text messages, phone records of staffers on the 2024 presidential campaigns of both Kamala Harris and Donald Trump, and, most alarming, access to the CALEA lawful-intercept systems that US law enforcement and intelligence agencies use for court-authorized surveillance. Officials warned that the attackers may have obtained a near-complete list of individuals under active federal surveillance, information that could be used to identify US intelligence sources and methods.

⚡ Volt Typhoon TTPs
Living off the land (LOTL); native Windows tools; end-of-life SOHO routers as traffic relays; persistence of at least five years documented.
🌐 Flax Typhoon Reach
~260,000 compromised consumer devices; Mirai-based malware; routers, cameras, DVRs, NAS drives; front company Integrity Technology Group.
📡 Salt Typhoon Victims
9+ US telecoms including AT&T, Verizon, Lumen, T-Mobile; access to CALEA federal wiretap systems; 1M+ call and text records harvested.
🔑 Common Entry Vector
Unpatched consumer and carrier/enterprise routers; end-of-life firmware; no MFA on network management accounts; default credentials.

🔍 What the Government's Own Reports Say

CISA Advisory AA24-038A (February 2024, joint with NSA and FBI): "Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations… The US authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions."

FBI Joint Advisory AA24-249A (September 2024): "PRC state-sponsored cyber actors have compromised and maintained persistent access to US and allied critical infrastructure… using consumer routers infected with Mirai-based malware as anonymizing proxy infrastructure."

CISA Advisory AA25-239A (August 2025, joint with NSA, FBI, and international partners): "These actors often modify routers to maintain persistent, long-term access to networks."

Senate Intelligence Committee, Senator Mark Warner (December 2024): "This is the worst telecom hack in our nation's history — and the full scope of the damage is still being assessed."

02
The FCC's Ban: What It Covers and What It Doesn't

The FCC's March 2026 order is sweeping in scope but precise in its application. It prohibits the sale of new consumer-grade routers in which "any major stage of the process through which the device is made, including manufacturing, assembly, design and development" occurs outside the United States. The definition is deliberately broad and effectively reaches the entire current market: nearly every router sold in America today is manufactured, assembled, or engineered at least in part outside US borders.

The companies most directly in the crosshairs are those already on the FCC's "Covered List" of equipment deemed a national security risk: Huawei Technologies, ZTE Corporation, Hytera Communications, Hikvision, and Dahua Technology. They were placed on that list in March 2021, and since November 2022 the FCC has refused new equipment authorizations for their products. TP-Link Systems, which held an estimated 65% of the US consumer router market and had been under investigation by the Commerce, Defense, and Justice Departments since late 2024, was a principal accelerant behind the broader action. The new order's scope, however, extends well beyond Chinese brands. Asus (Taiwan), D-Link (Taiwan), Netgear (US-designed, Asia-manufactured), and even Amazon's Eero brand are all affected, since their devices are produced offshore.

Critically, the ban applies only to new router models not previously authorized by the FCC. Routers already in use, and models already on the market before the order's effective date, are not subject to recall or mandatory replacement. Manufacturers may apply for an exemption, subject to Pentagon approval, a high bar that reflects the national-security framing of the action. As of the order's publication, no exemptions had been granted.

"I welcome this Executive Branch national security determination, and I am pleased that the FCC has now added foreign-produced routers, which were found to pose an unacceptable national security risk, to the FCC's Covered List."

— FCC Chair Brendan Carr, March 2026

For businesses, the implications are both immediate and long-term. Enterprises that rely on foreign-manufactured network equipment for branch offices, retail locations, and small-office deployments face significant procurement challenges as the supply chain adjusts. The order has also reignited debate about whether the US has the domestic manufacturing capacity to fill the gap, a question industry analysts say will take years, not months, to resolve. In the interim, the FCC guidance is clear: existing devices may remain in service, but organizations should prioritize patching, firmware updates, and segmentation of any foreign-made networking equipment in their infrastructure.

03
The Devices In Your Home That Are Exposed Right Now


The FCC ban focuses on routers because routers are the documented attack vector, but the threat surface inside a typical American home is considerably wider. The Flax Typhoon botnet enrolled not just routers but IP cameras, digital video recorders, and network-attached storage drives. Every internet-connected device is a potential foothold, and the security posture of these devices remains, on average, dreadful.

Smart TVs have become a particular concern. Many major smart TV platforms, including those from Hisense, TCL, and some Vizio product lines, are produced in China and ship with firmware that security researchers have found difficult to audit. Smart TVs are persistently connected, rarely patched, and frequently granted network access that far exceeds what their function requires. They are, in a meaningful sense, under-scrutinized computers with screens.

IP security cameras from Hikvision and Dahua, both already on the FCC Covered List, represent another large exposure surface. Hikvision cameras alone are estimated to account for hundreds of thousands of active installations across US residential and commercial properties. Both companies have faced US government sanctions and restrictions, yet their devices remain widely in service because of long replacement cycles and cost barriers.

Network-attached storage (NAS) devices from Chinese-manufactured brands have been documented as Flax Typhoon botnet nodes. These devices, which households and small businesses use to store backups, media, and sensitive files, typically run Linux-based firmware, sit permanently on the network, and are infrequently updated. That combination of always-on connectivity, direct access to local data, and poor patching hygiene makes them an ideal target for persistent compromise.

The common thread across these device categories is the same set of weaknesses that enabled the three Typhoon campaigns: unpatched firmware, default credentials, inadequate authentication, and a consumer market that has never meaningfully priced security into purchasing decisions. The FCC's router ban addresses one corner of this problem. The rest remains largely unlegislated.

🛡️ What You Should Do Now

1
Audit your router immediately. Log in to your router's admin panel and confirm it is running the latest available firmware. If your router is end-of-life (the manufacturer no longer issues updates), replace it; an unpatched router is an open door. Check your router's vendor and model against CISA's Known Exploited Vulnerabilities (KEV) catalog at cisa.gov/known-exploited-vulnerabilities-catalog. The catalog is indexed by vendor and product, so search for the vendor first, then narrow to your model line.
2
Change default credentials, everywhere. Volt Typhoon and Flax Typhoon both exploited devices running factory-default usernames and passwords. Change the admin password on your router, all IP cameras, NAS devices, and smart home hubs, and use a unique, strong password for each device. Changing the Wi-Fi passphrase is not the same thing as changing the admin password; both matter.
3
Disable remote management on your router. Unless you have a specific need, turn off remote administration (often labeled "Remote Management" or "WAN-side access") in your router settings. After saving, confirm from outside your network, for instance from a phone on cellular data, that the admin page is no longer reachable on your public IP address. Volt Typhoon frequently gained initial access through exposed management interfaces on edge devices.
4
Segment your IoT devices onto a separate network. Most modern routers support a "guest network" or VLAN. Put all smart TVs, cameras, and IoT devices on an isolated segment that cannot reach your computers and phones. This limits lateral movement if any one device is compromised. Verify the isolation rather than trusting the checkbox: from a device on the guest network, try to reach a computer on the main LAN; the connection should fail.
5
Check whether your router or cameras appear on the FCC Covered List or in CISA advisories. If you own Hikvision or Dahua security cameras, or a TP-Link router purchased before the FCC ban, these devices have documented security concerns and should be prioritized for replacement. Refer to fcc.gov/supplychain for the official Covered List.
6
For businesses: review your entire network equipment inventory. Any foreign-manufactured networking equipment (routers, switches, managed Wi-Fi access points) should be assessed against the latest CISA and NSA guidance. Prioritize replacement of end-of-life devices, enforce MFA on all network management accounts, and monitor for the LOTL techniques documented in CISA Advisory AA24-038A.
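The six steps above can be checked mechanically against an inventory. The script below is an added example, not CISA's or the article's tooling: the inventory is constructed, and KEV_SAMPLE uses the Known Exploited Vulnerabilities catalog's published JSON field names (vulnerabilities[].cveID, vendorProject, product, dateAdded, requiredAction) but holds placeholder rows with deliberately invalid CVE-0000-* identifiers rather than real entries. Swap in the live feed from KEV_URL (the catalog's JSON download) to audit real equipment.

```python
"""Audit a small device inventory against the steps above: end-of-life firmware,
default or reused credentials, exposed remote management, flat-network IoT, and
a vendor/product match against CISA's Known Exploited Vulnerabilities catalog.

Added example, not CISA's or the article's tooling. The inventory is constructed.
KEV_SAMPLE uses the catalog's published JSON field names but its rows are
placeholders with deliberately invalid CVE-0000-* ids, not real vulnerabilities.
"""
import json
import urllib.request

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

KEV_SAMPLE = {  # constructed placeholder rows in the real KEV layout
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "Netgear", "product": "Home Router",
         "dateAdded": "2024-01-10", "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0002", "vendorProject": "Hikvision", "product": "IP Camera",
         "dateAdded": "2023-06-02", "requiredAction": "Apply updates per vendor instructions."},
    ]
}

# Passwords that ship on consumer gear; extend from your own vendors' defaults.
DEFAULT_PASSWORDS = {"", "admin", "password", "1234", "12345", "123456", "admin1234"}
IOT_ROLES = {"camera", "tv", "nas", "hub", "dvr"}

# Constructed inventory. 'eol' means the vendor no longer ships firmware updates.
INVENTORY = [
    {"name": "main-router", "vendor": "Netgear", "product": "Home Router", "role": "router",
     "eol": True, "admin_password": "admin", "remote_mgmt": True, "vlan": "lan"},
    {"name": "porch-cam", "vendor": "Hikvision", "product": "IP Camera", "role": "camera",
     "eol": False, "admin_password": "Vx9!p2mQ#rT4", "remote_mgmt": False, "vlan": "lan"},
    {"name": "media-nas", "vendor": "ExampleNAS", "product": "NAS-200", "role": "nas",
     "eol": False, "admin_password": "admin", "remote_mgmt": False, "vlan": "iot"},
    {"name": "work-laptop", "vendor": "ExampleCo", "product": "Laptop", "role": "client",
     "eol": False, "admin_password": "kJ8#wq2LmZ!0", "remote_mgmt": False, "vlan": "lan"},
]


def load_live_kev():
    """Fetch the real catalog (network required; the offline demo uses KEV_SAMPLE)."""
    with urllib.request.urlopen(KEV_URL, timeout=30) as resp:
        return json.load(resp)


def kev_matches(device, kev):
    """cveIDs whose vendorProject equals the device vendor and whose product text
    shares a word with the device product. Fuzzy on purpose: KEV product names
    are free text, so a hit is a prompt to read the entry, not a verdict."""
    vendor = device["vendor"].lower()
    words = set(device["product"].lower().split())
    return [e["cveID"] for e in kev["vulnerabilities"]
            if e["vendorProject"].lower() == vendor
            and words & set(e["product"].lower().split())]


def audit_device(device, kev):
    findings = []
    if device["eol"]:
        findings.append("end-of-life: no more security updates, replace")
    pwd = device["admin_password"]
    if pwd.lower() in DEFAULT_PASSWORDS or len(pwd) < 12:
        findings.append("weak or default admin password")
    if device["role"] == "router" and device["remote_mgmt"]:
        findings.append("remote management exposed on WAN side")
    if device["role"] in IOT_ROLES and device["vlan"] == "lan":
        findings.append("IoT device on the main LAN, move to isolated segment")
    cves = kev_matches(device, kev)
    if cves:
        findings.append("in CISA KEV: " + ", ".join(cves))
    return findings


def audit(inventory, kev):
    """{device name: [findings]} for every device with at least one finding."""
    report = {}
    for d in inventory:
        f = audit_device(d, kev)
        if f:
            report[d["name"]] = f
    return report


def reused_passwords(inventory):
    """Names of devices sharing an admin password with another device (step 2)."""
    by_pwd = {}
    for d in inventory:
        by_pwd.setdefault(d["admin_password"], []).append(d["name"])
    return sorted(n for names in by_pwd.values() if len(names) > 1 for n in names)


if __name__ == "__main__":
    for name, findings in audit(INVENTORY, KEV_SAMPLE).items():
        print(name)
        for f in findings:
            print("  -", f)
    print("password reuse:", reused_passwords(INVENTORY))
```

The KEV match is intentionally fuzzy (vendor equality plus a shared product word) because the catalog's product field is free text; treat a hit as a prompt to read the entry and confirm the model and firmware range, not as a verdict. The password check combines a default-list lookup with a length floor and a cross-device reuse check, which is the part people skip: a strong password copied onto the router, the NAS, and the camera gives one compromised device the keys to the rest.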

📋 Router Brands: FCC Coverage Status
Brand | Origin | FCC Status | Notes
TP-Link Systems | China (US HQ) | ⛔ Affected | Primary investigation target; ~65% US market share
Huawei | China | ⛔ Covered List | Listed March 2021; no new FCC equipment authorizations since November 2022
ZTE | China | ⛔ Covered List | Listed March 2021; no new FCC equipment authorizations since November 2022
Asus | Taiwan (China manufacturing) | ⚠ New models affected | Assembled outside US; existing models unaffected
Netgear | US design, Asia manufacturing | ⚠ New models affected | Manufacturing overseas; seeking exemption
D-Link | Taiwan (China manufacturing) | ⚠ New models affected | Multiple end-of-life models with known CVEs
Eero (Amazon) | US design, Asia manufacturing | ⚠ New models affected | Manufactured outside US; existing units grandfathered
US-made (pending manufacturing shift) | United States | ✅ Compliant | Very limited availability as of March 2026; market adjusting

Frequently Asked Questions

1
What exactly did the FCC ban?
The FCC's March 2026 order bans the sale of new consumer-grade Wi-Fi routers where any major stage of manufacturing, assembly, design, or development occurs outside the United States. It does not require recall or replacement of routers already in service, and it does not apply to router models that already had FCC equipment authorization before the order's effective date. Manufacturers may apply for Pentagon-reviewed exemptions, but none had been granted as of publication.
2
Are TP-Link routers still safe to use?
Existing TP-Link routers are not subject to mandatory recall under the FCC order. However, TP-Link devices were the subject of active federal investigation by three separate departments, and CISA's KEV catalog lists TP-Link firmware vulnerabilities that have been exploited in the wild. The practical recommendation: make sure your TP-Link firmware is fully up to date, disable remote management, change the default admin password, and start planning a replacement from a manufacturer not under active federal security review. Do not keep using any TP-Link router that has reached end-of-life status and no longer receives firmware updates.
3
Did the Typhoon attacks actually succeed?
Yes, in documented and confirmed ways. Volt Typhoon achieved multi-year persistent access to US critical infrastructure networks, with CISA confirming compromises in the energy, communications, water, and transportation sectors. Flax Typhoon enrolled approximately 260,000 consumer devices in a functioning botnet before the FBI's court-authorized disruption operation in September 2024. Salt Typhoon breached at least nine US telecom carriers, accessed federal wiretap systems, and harvested metadata from more than a million communications, a breach Senator Mark Warner called the worst telecom hack in US history. Full remediation was still ongoing across multiple carriers as of early 2026.
4
What should I replace my router with?
This is genuinely difficult advice to give in March 2026, because the FCC ban has disrupted the normal supply chain and few fully compliant US-manufactured alternatives are yet widely available. In the short term, security experts recommend either open-source firmware such as OpenWrt on existing hardware from brands not on the Covered List (check the OpenWrt table of hardware first; flashing an unsupported model can brick it, while a supported model keeps receiving updates long after the vendor stops), or enterprise-grade small-office routers from vendors such as Cisco Meraki, Ubiquiti, or Firewalla, which, while not immune from the manufacturing question, have stronger update cadences and more transparent vulnerability disclosure programs. Watch for FCC-approved exempt models as the market adjusts over the coming months.


📎 Sources & Primary References

  1. CISA Advisory AA24-038A, "PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure," CISA/NSA/FBI joint advisory, February 7, 2024. cisa.gov/news-events/cybersecurity-advisories/aa24-038a
  2. CISA Advisory AA25-239A, "Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System," joint advisory, August 27, 2025. cisa.gov/news-events/cybersecurity-advisories/aa25-239a
  3. Joint Advisory AA24-249A, "People's Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations," FBI/Cyber National Mission Force/NSA, September 18, 2024. FBI announcement: fbi.gov/news/stories/fbi-director-announces-chinese-botnet-disruption
  4. US Department of Justice press release, "Court-Authorized Operation Disrupts Worldwide Botnet Used by People's Republic of China State-Sponsored Hackers," September 18, 2024. justice.gov/archives/opa/pr/court-authorized-operation-disrupts-worldwide-botnet
  5. FCC Equipment Authorization Order DA-26-278, Consumer Router National Security Determination, March 23, 2026. docs.fcc.gov/public/attachments/DA-26-278A1.pdf
  6. CNET, "FCC Bans Foreign-Made Routers as a National Security Risk," March 2026. cnet.com/home/internet/fcc-bans-foreign-made-routers-as-national-security-risk
  7. Wikipedia, "2024 Global Telecommunications Hack (Salt Typhoon)," continuously updated. en.wikipedia.org/wiki/2024_global_telecommunications_hack
  8. The Wall Street Journal, "U.S. Wiretap Systems Targeted in China-Linked Hack," October 5, 2024.
  9. Senator Mark Warner, Senate Intelligence Committee statement, December 2024.
  10. US Treasury OFAC, sanctions on Integrity Technology Group (Flax Typhoon front company), January 2025.

Written by Sara Voss
https://networkcraft.net/author/sara-voss/
Investigative Tech Reporter at Networkcraft. The most important security story is usually the one nobody's covering yet. Specialises in cybersecurity, digital privacy, data breaches, and the policy decisions that shape how technology affects civil liberties.