An analysis by Talos, the threat intelligence division for the tech giant Cisco, estimated that at least 500,000 routers in at least 54 countries had been infected by the malware, which the FBI and cybersecurity researchers are calling VPNFilter.
Hoping to thwart a sophisticated malware system linked to Russia that has infected hundreds of thousands of internet routers, the FBI has made an urgent request to anybody with one of the devices: Turn it off, and then turn it back on.
The malware is capable of blocking web traffic, collecting information that passes through home and office routers and disabling the devices entirely, the bureau announced Friday.
A global network of hundreds of thousands of routers is already under the control of the Sofacy Group, the Justice Department said last week.
That group, which is also known as APT 28 and Fancy Bear and believed to be directed by Russia’s military intelligence agency, hacked the Democratic National Committee before the 2016 presidential election, according to U.S. and European intelligence agencies.
Most Read Nation & World Stories
The FBI has several recommendations for any owner of a small-office or home-office router.
The simplest thing to do is reboot the device, which will temporarily disrupt the malware if it is present.
Users are also advised to upgrade the devices’ firmware and to select a new secure password. If any remote-management settings are in place, the FBI suggests disabling them.
An analysis by Talos, the threat intelligence division for the tech giant Cisco, estimated that at least 500,000 routers in at least 54 countries had been infected by the malware, which the FBI and cybersecurity researchers are calling VPNFilter.
Among the affected networking equipment it found during its research were devices from manufacturers including Linksys, MikroTik, Netgear and TP-Link.
To disrupt the Sofacy network, the Justice Department sought and received permission to seize the web domain toknowall.com, which it said was a critical part of the malware’s “command-and-control infrastructure.”
Now that the domain is under FBI control, any attempts by the malware to reinfect a compromised router will be bounced to an FBI server that can record the IP address of the affected device.
“This court-ordered seizure will assist in the identification of victim devices and disrupts the ability of these hackers to steal personal and other sensitive information and carry out disruptive cyberattacks,” Scott W. Brady, U.S. attorney for the Western District of Pennsylvania, said in the statement.
“This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities,” said Assistant Attorney General for National Security John Demers.
And FBI Special Agent in Charge Bob Johnson said: “These hackers are exploiting vulnerabilities and putting every American’s privacy and network security at risk.” Johnson encouraged people and businesses to update their network equipment and change their passwords — though he cautioned “there is still much to be learned about how this particular threat initially compromises infected routers and other devices.”
The analysis by Talos noted significant similarities between VPNFilter’s computer code and “versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine.”
In Talos’ assessment, the threats posed by VPNFilter extend far beyond the personal problems created by stolen passwords: Under the right circumstances, an attack could have a global reach.
“The malware has a destructive capability that can render an infected device unusable,” it said, “which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide.”
Much of the attention at first focused on the apparently imminent threat in Ukraine: The malware showed up in devices there at such “an alarming rate” in recent weeks that the researchers believed hackers linked to a state government were preparing an extensive cyberattack on the country, the researchers said.
While the researchers themselves did not name Russia, they did say the malware had some of the same hallmarks of recent Russian government-backed hacking campaigns that took out parts of the country’s power grid.
The latest campaign fits a pattern of influence operations the Russian government has used in recent years to upend life in Ukraine as part of a strategy to exert influence on the digital stage, said Nina Jankowicz, a fellow at the Wilson Center.
“Ukraine has always been a proving ground for Russian cyberactivity,” she said. “Russia is asserting its cyber prowess. It wants the United States and the West to know what it’s capable of without having to launch an attack on a Western government, which would draw retribution.”
Yet in this case, it’s not surprising that the threat was a priority for U.S. law enforcement — and not just because Russia has been in the spotlight for its interference campaign in the 2016 election.
Earlier this year, the White House publicly blamed Russia for the NotPetya cyberattack in June 2017, when Russian military hackers shut down networks across Ukraine and wiped data from financial firms, government offices and other institutions around the world. The White House said it was the “most destructive and costly cyberattack in history” and vowed that it would “be met with international consequences.”
Craig Williams, the head of Talos’ security team, called VPNFilter the “Swiss army knife for malware.”
In addition to using it for espionage purposes, the malware has the potential to intercept communications on industrial-control systems used throughout the energy sector and by manufacturers, water-treatment facilities and other critical infrastructure operators. It also has a destructive capability known as “bricking” that allows the malware to permanently disable any device infected with it.
By infecting consumer wireless routers, hackers were targeting an especially weak link in computer networking, said Michael Daniel, president of the Cyber Threat Alliance, of which Cisco is a member.
It’s “particularly pernicious because it targets the kind of device that’s difficult to defend,” he told me. “They sit on the edge of the network or on the outside of the firewall. They don’t really have anti-virus for routers.”