Hundreds of thousands of Internet routers have been infected by a malware threat that is capable of blocking web traffic, collecting personal information, and disabling devices. What the FBI describes as a sophisticated malware threat linked to Russia has spread across a global network of at least 500,000 routers in 54 countries.
On Friday, May 25th, the FBI issued a public service announcement on its Internet Crime Complaint Center (IC3) website, Alert Number I-052518-PSA, warning that foreign cyber actors have targeted home and office routers around the world. In the announcement, the bureau states that the size and scope of the infrastructure impacted by the malware, called VPNFilter, is "significant."
The VPNFilter malware was found to be a vicious threat that could render Internet routers commonly used in homes and small offices inoperable. Furthermore, the threat could collect data that passes through the router, which puts victimized users at serious risk of having their personal information stolen or accessed by hackers.
Reportedly, according to American and European intelligence agencies, a network of hundreds of thousands of routers is under the control of the Sofacy Group, also known as APT 28 and Fancy Bear, which is believed to be directed by Russia's military intelligence agency. The same group is held responsible for hacking the Democratic National Committee just before the 2016 US presidential election.
What you should do if you suspect your router is infected with the VPNFilter malware
Currently, the FBI recommends that owners of home or small-office routers reboot their device as a first step to thwarting the VPNFilter malware. Oddly enough, simply rebooting a potentially infected router temporarily disrupts the malware. The FBI further suggests that users upgrade their router's firmware and select a new, secure password. It is also advisable to disable any remote-management feature if one is enabled on a potentially infected router.
Department of Justice moves promptly to cripple VPNFilter malware
The domain toknowall.com is suspected to be part of the Sofacy network's infrastructure for launching the VPNFilter attack on routers. It is believed to serve as a command-and-control access point for the malware, and the US Justice Department has sought and received permission to take it down.
In a recent Justice Department statement on the permission to seize the command-and-control domain, Scott W. Brady, United States Attorney for the Western District of Pennsylvania, said: "This court-ordered seizure will assist in the identification of victim devices and disrupts the ability of these hackers to steal personal and other sensitive information and carry out disruptive cyberattacks."
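Because the article names the command-and-control domain, one practical check a home or small-office administrator can run is to look through DNS resolver logs for lookups of that domain. The script below is an added example, not code from the article or from any agency or vendor mentioned in it; the dnsmasq-style log format and the sample log lines are constructed for illustration, and the matching of subdomains under the seized domain is an assumption rather than something the article describes.

```python
"""Added example: scan DNS query logs for lookups of the VPNFilter
command-and-control domain named in the FBI/DoJ action, toknowall.com.

The log format (dnsmasq-style "query[A] name from ip") and the sample
lines below are constructed here for illustration; they are not real traffic.
"""
import re
from dataclasses import dataclass

# Domain taken from the article. Matching any label under it (e.g.
# "photos.toknowall.com") is an assumption made for this example.
C2_DOMAINS = ("toknowall.com",)

# Constructed sample log in dnsmasq style. The router itself (192.168.1.1)
# is the client for the suspicious queries, which is what you would expect
# if the router, not a PC behind it, were the infected device.
SAMPLE_LOG = """\
May 25 10:02:11 dnsmasq[1234]: query[A] www.example.org from 192.168.1.20
May 25 10:02:14 dnsmasq[1234]: query[A] toknowall.com from 192.168.1.1
May 25 10:03:01 dnsmasq[1234]: query[AAAA] mail.example.org from 192.168.1.22
May 25 10:05:40 dnsmasq[1234]: query[A] TOKNOWALL.COM. from 192.168.1.1
May 25 10:06:02 dnsmasq[1234]: query[A] nottoknowall.com from 192.168.1.30
"""

# One dnsmasq query line: "<Mon dd hh:mm:ss> <process> query[TYPE] <name> from <client>"
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+query\[(?P<qtype>\w+)\]\s+"
    r"(?P<name>\S+)\s+from\s+(?P<client>\S+)$"
)


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    name: str
    qtype: str


def normalize(name: str) -> str:
    """Lower-case the name and drop a trailing root dot so comparisons are exact."""
    return name.rstrip(".").lower()


def matches_ioc(name: str, ioc_domains=C2_DOMAINS) -> bool:
    """True if name equals an IoC domain or is a subdomain of one.

    "nottoknowall.com" must not match, so we require either equality or a
    '.' immediately before the IoC domain.
    """
    n = normalize(name)
    for d in ioc_domains:
        d = normalize(d)
        if n == d or n.endswith("." + d):
            return True
    return False


def find_c2_queries(log_text: str, ioc_domains=C2_DOMAINS) -> list:
    """Return a Hit for every parsed query line whose name matches an IoC domain."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # not a query line (e.g. cached/forwarded entries)
        if matches_ioc(m.group("name"), ioc_domains):
            hits.append(
                Hit(m.group("ts"), m.group("client"),
                    normalize(m.group("name")), m.group("qtype"))
            )
    return hits


if __name__ == "__main__":
    for h in find_c2_queries(SAMPLE_LOG):
        print(f"{h.timestamp} {h.client} queried {h.name} ({h.qtype})")
```

Run against the constructed log, the script reports the two queries from 192.168.1.1 and ignores the look-alike nottoknowall.com. A query for the domain coming from the router's own address is the signal worth following up with the reboot, firmware update and password change the FBI recommends; a hit from a PC behind the router most likely means something else on that machine made the lookup.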
Cisco's threat intelligence division, Talos, initially released the estimate of 500,000 routers affected by the VPNFilter malware. Talos also noted a surprising similarity between VPNFilter's code and that of variants of the BlackEnergy malware, which was at one time responsible for several large attacks on vulnerable devices in Ukraine. Fundamentally, Talos suspects that the problems VPNFilter poses reach far beyond a compromised password. In fact, VPNFilter's ability to render routers useless could have global implications not yet seen. Imagine hundreds of thousands of routers rendered inoperable, leaving many personal systems and businesses without Internet access and causing monetary losses on a massive scale.
For now, any computer user or small business that is unsure whether its router is affected by VPNFilter should promptly reboot the router and then update the device's firmware.