FBI Warns of Russian-Linked VPNFilter Router Malware Collecting Network Data and Rendering Devices Inoperable

Hundreds of thousands of Internet routers have been infected by a malware threat that is capable of blocking web traffic, collecting personal information, and disabling devices. The FBI describes it as a sophisticated, Russia-linked malware campaign that has spread across a global network of at least 500,000 routers in 54 countries.

On Friday, May 25th, the FBI issued a public service announcement on its Internet Crime Complaint Center (IC3) website, Alert Number I-052518-PSA, warning that foreign cyber actors have targeted home and office routers around the world. In the announcement, the bureau states that the size and scope of the infrastructure affected by the VPNFilter malware is "significant."

VPNFilter is a destructive threat that can render the Internet routers commonly used in homes and small offices inoperable. It can also collect data that passes through the router, which puts victims at serious risk of having their personal information stolen or read by attackers.

According to American and European intelligence agencies, the network of hundreds of thousands of routers is reportedly under the control of the Sofacy Group, also known as APT28 and Fancy Bear, which is believed to be directed by Russia's military intelligence agency. The same group is held responsible for hacking the Democratic National Committee ahead of the 2016 US presidential election.

What you should do if you suspect your router is infected with the VPNFilter malware

The FBI currently recommends that owners of home and small-office routers reboot their device as a first step against VPNFilter. A reboot temporarily disrupts the malware because its later stages are not persistent and are cleared from memory; the first stage, however, survives a reboot and can attempt to re-download them, so a reboot alone is not a cure, and a reset to factory defaults followed by a firmware update is the way to remove the infection entirely. The FBI further suggests that users upgrade the router's firmware and change the administrative password to a new, strong one. It is also advisable to disable remote management if it is enabled on a potentially infected router.

Department of Justice moves promptly to cripple VPNFilter malware

The domain toknowall.com is believed to have been used by VPNFilter's first stage to locate its command-and-control server, and the US Justice Department sought and received court permission to seize it.

In a Justice Department statement on the seizure, Scott W. Brady, United States Attorney for the Western District of Pennsylvania, said: "This court-ordered seizure will assist in the identification of victim devices and disrupts the ability of these hackers to steal personal and other sensitive information and carry out disruptive cyberattacks."
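Because the seized domain is the one the malware reaches out to, a lookup of toknowall.com in your own DNS logs is a practical indicator that a device on the network is compromised. The script below is an added example written for this article, not code from the FBI, the DOJ or Talos: it scans dnsmasq-style query log lines for lookups of toknowall.com or any of its subdomains and groups the hits by querying client. The log format, the host names and the client IP addresses in the sample are constructed for illustration.

```python
"""Flag hosts that resolve the VPNFilter-related domain toknowall.com.

Added example, not from the FBI/DOJ/Talos material. The sample log lines,
host names and IP addresses below are constructed; the format mimics
dnsmasq's "query[TYPE] name from client" log line.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Domain named in the DOJ seizure. Subdomains of it are matched as well.
WATCHED_DOMAINS = ("toknowall.com",)

# Constructed sample log (hypothetical hosts and addresses).
# 192.168.1.1 plays the role of the router itself, which is the device
# VPNFilter runs on, so its own lookups are the ones to expect.
SAMPLE_LOG = """\
May 25 09:12:01 dnsmasq[812]: query[A] photobucket.com from 192.168.1.23
May 25 09:12:03 dnsmasq[812]: query[A] toknowall.com from 192.168.1.1
May 25 09:15:44 dnsmasq[812]: query[A] www.example.org from 192.168.1.40
May 25 09:16:10 dnsmasq[812]: query[A] cdn.toknowall.com from 192.168.1.1
May 25 09:17:02 dnsmasq[812]: query[A] nottoknowall.com from 192.168.1.55
May 25 10:01:30 dnsmasq[812]: query[AAAA] toknowall.com. from 192.168.1.77
"""

QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


def is_watched(name: str) -> bool:
    """True if name equals, or is a subdomain of, a watched domain.

    A trailing dot and letter case are normalised, and the suffix match is
    done on a label boundary so that 'nottoknowall.com' is NOT flagged.
    """
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def scan_dns_log(text: str) -> Dict[str, List[str]]:
    """Return {client_ip: [queried names]} for every watched-domain lookup."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_watched(m.group("name")):
            hits[m.group("client")].append(m.group("name").rstrip(".").lower())
    return dict(hits)


if __name__ == "__main__":
    for client, names in sorted(scan_dns_log(SAMPLE_LOG).items()):
        print(f"{client}: {', '.join(names)}  <- inspect this device")
```

Run it against a real dnsmasq log (or adapt `QUERY_RE` to your resolver's format) and treat any hit as a reason to factory-reset and re-flash the device that made the query; the label-boundary check in `is_watched` matters because a plain substring match would also flag unrelated names that merely contain the domain.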

Cisco's threat intelligence division, Talos, initially published the estimate of 500,000 affected routers. Talos also found overlapping code between VPNFilter and variants of the BlackEnergy malware, which was used in several large attacks on vulnerable devices in Ukraine. Talos warns that the consequences of VPNFilter reach far beyond a compromised password: its ability to render routers useless could have global implications not yet seen. Hundreds of thousands of routers disabled at once would leave many homes and businesses without Internet access and cause monetary losses on a massive scale.

For now, any computer user or small business that is unsure whether its router is affected by VPNFilter should promptly reboot the router and then update the device's firmware.

2 Comments

  • Keith tanner:

    It is all very well telling us to upgrade firmware and select a new password.
    But less than a handful will be able to understand that, let alone do it.
    In any event, my router's password is built in; there is no way I could change it.

  • SyntaxxxErr0r:

    If you want my two cents on the latest wave of malware attacks, I've noticed that a lot of these breaches have all stemmed from one particular suite of programs... which just SO happens to be largely commandeered by a Russian firm known as Mirantis, with its maiden hackonista, Miss DINA BELOVA, in the lead... She's a pretty one, but she's a fickle one, and clearly she likes to play with her food; I have been, from what I can tell, a favorite target of hers to use as a guinea pig...

    Not only do I think that 90% of the whole OpenStack suite is malware, but very, very, very clearly and obviously... NOVA and OSLO are GLOBAL HONEY POTS! And almost no one has been batting a lash at many of the clues of the suite's ill intentions that are hiding in plain sight... I have done every bit of effort I can to NOT install any part of OpenStack... Finally, though, it seems as if they have legitimately managed to get this one in on me, as I have been pulling my beard out for weeks now, it seems, over the connectivity issues... Only just this week I've started having NetworkManager tell me that I don't have permission to activate or deactivate a connection, when I am given all the right access groups and permissions without being root, and it most definitely does smell of STATE/Govt shenanigans. I've been trying to formalize my theory on why or what was going on for the last year or so in my own research, but after reading an article on Threatpost... all in all it seems intended to disable and prevent any form of encrypted communication. The only people who would want to eliminate one's ability to secure their communication with other groups and individuals would be a tyrant, or the strong arm of the law who just wants to be a bully.
