According to Cisco’s threat intelligence division Talos, an estimated 500,000 routers in 54 countries have been infected by malware that the FBI and cybersecurity experts refer to as VPNFilter. The Justice Department has warned that the routers are already under the control of the Sofacy Group, which is reportedly directed by Russia’s military intelligence agency. Devices from Linksys, MikroTik, Netgear, QNAP and TP-Link are believed to be among the affected equipment. The FBI has requested that owners of home and office routers turn them off and turn them back on, since rebooting the routers will disrupt the malware if it is present. Users are also encouraged to upgrade firmware, disable remote-management settings, and set a new password.
American and European intelligence agencies claim that the Sofacy Group, AKA Fancy Bear and APT28, was responsible for hacking the Democratic National Committee before the 2016 U.S. presidential election. ETCentric first reported on the group’s latest malware attack last week.
“The VPNFilter malware is a multistage, modular platform with versatile capabilities to support both intelligence collection and destructive cyberattack operations,” explains Cisco in its report.
“The malware is capable of blocking web traffic, collecting information that passes through home and office routers, and disabling the devices entirely,” reports The New York Times.
“To disrupt the Sofacy network, the Justice Department sought and received permission to seize the web domain toknowall.com, which it said was a critical part of the malware’s ‘command-and-control infrastructure,’” notes NYT. “Now that the domain is under FBI control, any attempts by the malware to reinfect a compromised router will be bounced to an FBI server that can record the IP address of the affected device.”
VPNFilter’s code overlaps significantly with that of the BlackEnergy malware that has targeted devices in Ukraine. Cybersecurity researchers warn that such malware could trigger large-scale attacks with a global reach.
“Because the malware could collect data from the user and even perform a large-scale destructive attack, Cisco recommends that owners of SOHO or network attached storage (NAS) devices be especially cautious with this type of attack,” explains Digital Trends. “And since it’s unclear how compromised devices were infected in the first place, officials are urging users of all routers and NAS devices, not just the 14 devices identified by Cisco, to reboot.”