FBI Takes Aim at 500,000-Strong Russian Router Botnet

Lloyd Doyle
May 25, 2018

Once installed, the malware can be used to steal communications passing through the device and to launch attacks on other targets.

Researchers still do not know how the devices are being infected. There has been a sudden surge of infections in recent weeks, specifically in Ukraine, a frequent target of cyber warfare.

"At the time of this posting, we have not been able to acquire a third-stage plugin that would enable further exploitation of the network served by the device".

As detailed by the researchers, the stage 1 malware persists through a reboot, which most malware of this kind does not. The main objective of the first stage is to gain a persistent foothold on the device and enable the deployment of the stage 2 malware.

The FBI has put a spoke in the wheel of a major Russian digital disruption operation potentially aimed at causing havoc in Ukraine, evidence pieced together from researchers, Ukrainian officials and US court documents indicates. The malware contains sniffers that can collect login credentials and monitor industrial supervisory control (SCADA) traffic.

"This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities", Assistant Attorney General for National Security John Demers said in a statement obtained by Reuters. The malware also lets the attackers hide their origin by routing connections to their final targets through the infected devices, which look like ordinary consumer endpoints.

"In most cases, this action is unrecoverable by most victims, requiring technical capabilities, know-how, or tools that no consumer should be expected to have", Cisco added, referring to the malware's ability to render an infected device unusable.

VPNFilter, as the Cisco researchers dubbed the advanced malware, is one of the few Internet-of-Things infections that can survive a reboot, though only its first stage has that capability; the later stages must be re-fetched after a restart.

[Image: The Kremlin and St Basil's Cathedral in Moscow. The Kremlin has been accused of multiple acts of cyber aggression in recent years.]

"The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices".

Cisco and Symantec both steered clear of attributing the VPNFilter malware to any particular actor, but an FBI affidavit explicitly attributed it to Fancy Bear, the same group that hacked into the Democratic National Committee in 2016 and has been linked to a long series of digital intrusions stretching back more than a decade.

"Defending against this threat is extremely hard due to the nature of the affected devices", Cisco said.

The advanced malware campaign, believed to have been developed by a nation-state actor, was discovered by Cisco's Talos Intelligence research division.

The researchers had been tracking the threat for several months and were not yet ready to publish their findings, but when the malware began infecting devices in Ukraine at an "alarming rate", they chose to publish early.

Cisco Talos has created and deployed more than 100 Snort signatures for the publicly known vulnerabilities affecting the devices targeted by VPNFilter, and has engaged in blacklisting the domains associated with the threat.
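Blocking the malware's domains is only useful if the blocklist is actually checked against what devices on the network resolve. The following is an added example, not code from Cisco Talos or from the article, showing how such a check is applied to DNS query logs. The blocklist entries and the BIND-style log lines are constructed for the example and are not the real VPNFilter indicators; the point it demonstrates is matching on label boundaries, so that a subdomain of a blocked domain is caught while a look-alike such as `notupdate-check.example` is not, and that case and trailing dots are normalised away.

```python
"""Apply a C2 domain blocklist to DNS query logs (added example, not from the article).

BLOCKLIST and SAMPLE_LOG are constructed for illustration; they are not the
indicators Cisco Talos published for VPNFilter.
"""
import re

# Constructed blocklist of hypothetical C2 domains (not real indicators).
BLOCKLIST = {"update-check.example", "photobucket-cdn.example.net"}

# Constructed BIND-style query log. Line 3 is a look-alike that must NOT match;
# line 5 tests case-insensitivity and the trailing dot of a fully qualified name.
SAMPLE_LOG = """\
25-May-2018 10:02:17.101 client 192.0.2.10#51234: query: update-check.example IN A + (192.0.2.1)
25-May-2018 10:02:18.204 client 192.0.2.11#40022: query: cdn.photobucket-cdn.example.net IN A + (192.0.2.1)
25-May-2018 10:02:19.311 client 192.0.2.12#33110: query: notupdate-check.example IN A + (192.0.2.1)
25-May-2018 10:02:20.417 client 192.0.2.13#55710: query: www.example.com IN AAAA + (192.0.2.1)
25-May-2018 10:02:21.520 client 192.0.2.14#41900: query: UPDATE-CHECK.EXAMPLE. IN A + (192.0.2.1)
"""

# Tolerates the optional "@0x..." handle some BIND versions print after "client".
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<client>[0-9a-fA-F.:]+)#\d+.*?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(domain: str) -> str:
    """Lower-case and strip the trailing dot so 'FOO.EXAMPLE.' equals 'foo.example'."""
    return domain.rstrip(".").lower()


def is_blocked(qname: str, blocklist: set[str]) -> bool:
    """True if qname, or any parent domain of it, is on the blocklist.

    Walking the label boundaries (a.b.c -> b.c -> c) instead of doing a plain
    suffix string match avoids false hits such as 'notupdate-check.example'.
    """
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def find_hits(log_text: str, blocklist: set[str]) -> list[tuple[str, str]]:
    """Return (client_ip, normalised_qname) for every query of a blocklisted domain."""
    normalized = {normalize(d) for d in blocklist}
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_blocked(m["qname"], normalized):
            hits.append((m["client"], normalize(m["qname"])))
    return hits


if __name__ == "__main__":
    for client, qname in find_hits(SAMPLE_LOG, BLOCKLIST):
        print(f"ALERT {client} resolved blocklisted domain {qname}")
```

Run against the constructed log, three of the five queries are flagged (lines 1, 2 and 5); the look-alike on line 3 is correctly ignored. Feeding this the resolver's real query log is a cheap way to find SOHO routers on a network that are still reaching for a blocked domain after a reboot.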

Netgear said it is aware of VPNFilter and is advising its users to update their routers' firmware.
