Last Friday, the FBI issued an urgent official warning about a Russian botnet that uses VPNFilter malware to launch a widespread hacking campaign, which is compromising hundreds of thousands of routers and other networked devices in homes or small businesses around the world. The government agency advised owners to reboot their devices in an effort to disrupt the malicious software.
“The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices,” the bureau’s cyber division wrote in the Public Service Announcement. “Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware.”
The FBI said the threat actors used VPNFilter malware to target their victims. VPNFilter is capable of various actions, including information gathering, exploitation of connected devices such as computers, and blocking network traffic. It targets routers produced by multiple manufacturers and network-attached storage devices from at least one manufacturer, and it is capable of rendering them inoperable. The malware is also likely able to collect information passing through the router. Detecting it can be difficult because of “its use of encryption and misattributable networks”.
Cybersecurity experts say VPNFilter has infected some 500,000 devices globally. Experts at Talos, the security arm of Cisco, performed an analysis that also detected the attack’s presence in at least 54 countries. Talos warned that the code of this malware overlaps with versions of the BlackEnergy malware, the same malware behind multiple large-scale attacks that previously targeted devices in Ukraine.
“While this isn’t definitive by any means”, the Talos report reads, “we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country.”
Talos cautioned that its report was not yet finished, but “felt it was best” to publish its current findings “so that affected parties can take the appropriate action to defend themselves”.
VPNFilter has been quietly spreading since at least 2016, according to researchers. Device manufacturers include Linksys, MikroTik, Netgear and TP-Link.
“More than half a million routers have been identified already as being compromised, so I think there are a significant number of devices that have been affected and it is difficult to estimate how many devices could be affected in the coming days or week,” Shuman Ghosemajumder, chief technology officer at Shape Security, told NBC News.
U.S. intelligence officials say that the VPNFilter botnet was set up by a hacking group known by different names, including APT28 and the Sofacy Group. The group was involved in the operation to hack into the Democratic Party during the 2016 U.S. election campaign.
“According to cybersecurity researchers, the Sofacy Group is a cyber-espionage group believed to have originated from Russia,” the Department of Justice said in a court filing.
“Likely operating since 2007, the group is known to typically target government, military, security organizations, and other targets of intelligence value, through a variety of means,” it said.