Since 2016, a highly advanced and organized hacking organization – likely run by a hostile state – has been infecting internet routers around the world with a powerful piece of malware that researchers call VPNFilter. The malware was being studied and tracked in secret, but recent events have prompted researchers at Cisco’s Talos research division to publish their incomplete findings prematurely. What is VPNFilter, who’s spreading it, what does it do – and what has the researchers at Talos so worried?
VPNFilter is a highly advanced, multi-functional piece of malware that has infected over 500,000 routers and network-attached storage (NAS) devices around the world. In their report, the researchers repeatedly emphasize that the malware is highly advanced and will survive a regular reboot – something that usually wipes out most router-based malware.
The malware has nothing to do with VPNs. Its name – VPNFilter – is based on one of the directories the malware creates to hide itself. It also helps describe a few of the many functions this malware can perform. It can be used much like a VPN to mask the state actor’s attacks, and it can also read any communications heading through the router.
When I need to use a bullet list to describe what a piece of malware does, you know it’s bad:
Don’t forget that the researchers’ work is not yet complete, so neither is this list. There are other functions to this highly developed piece of malware that they can only guess at, but they know they’re there. The malware is capable of working with new plugins that the hostile owner can send to the victim after the initial infection is complete.
Due to the highly advanced and modular nature of the malware, as well as the effort that has been taken to anonymize its owners, the researchers at Talos believe that the malware was created by a hostile state. Due to recent developments, many reporters suspect that this hostile state may be Russia.
The recent development that prompted the researchers to publish their incomplete findings was a rapid, steep increase in the number of infected devices in Ukraine. The malware in Ukraine was spread along a specialized network dedicated entirely to that country, and after the military seizure of the Crimean peninsula by Russia in 2014, Russia remains the most likely suspect state to target Ukraine.
In addition, the FBI just seized a server being used by the malware’s operators. The evidence uncovered suggests that it is being run by the same group of Russian hackers – the Sofacy Group – who were allegedly responsible for the 2016 hacking of the Democratic National Convention’s servers.
Unfortunately, since the researchers at Talos haven’t yet completed their work, the rest of us can only speculate about what else this malware can do and how we can protect ourselves. Here’s what we do know:
UPDATE (May 28th): The New York Times has reported that the FBI is urging internet users to reboot their routers in response to the VPNFilter threat. However, as the article notes, this will only “temporarily disrupt” the malware. As the Talos security report notes, “The stage 1 malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things devices because malware normally does not survive a reboot of the device.” It follows that the later stages can be reinstalled on your router at any time unless you take more drastic measures.
Fortunately, the NYT article makes a few more suggestions, all of which are sound: “Users are also advised to upgrade the device’s firmware and to select a new secure password. If any remote-management settings are in place, the F.B.I. suggests disabling them.”
UPDATE (June 7th): As Talos’ researchers delve deeper into VPNFilter’s code, new details about this powerful malware have begun to surface.
Researchers say the malware is capable of man-in-the-middle (MITM) attacks as well. This means that the hackers can insert themselves between you and your online destination, reading or altering what you send and receive. As an example, they could capture your online banking login details and then alter your online banking display to hide your true balance as they siphon away your money. Alternatively, they could prevent their hundreds of thousands of victims from ever seeing certain articles or alerts online – something that a hostile state might be interested in doing.
To protect yourself from a MITM attack, NordVPN is one of your best bets. Because your data is encrypted right on your device, the attackers won’t be able to read or alter anything that you see online. Of course, the most complete defense against VPNFilter is factory-resetting your router and then giving it the latest firmware updates.
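The bank-balance scenario above is easy to demonstrate. The following is an added example (not code from the article, from Talos, or from any VPN product): a simulated compromised router rewrites the balance in a plaintext reply, then tries the same thing against a reply that was encrypted and integrity-protected on the endpoint before it left. The keys, the JSON reply and the fixed nonce are all constructed for the demo, and the cipher is a deliberately simple SHA-256 keystream plus an HMAC tag standing in for the AES/TLS-style protection a real VPN or HTTPS session provides; it is an illustration of the principle, not a cipher to reuse.

```python
"""Why encrypting and authenticating traffic on the endpoint defeats an on-path
router that reads or rewrites it. Added example; toy cipher, constructed data."""
import hashlib
import hmac
import json
import secrets

# Keys known only to the two endpoints (constructed for this example).
ENC_KEY = hashlib.sha256(b"example-enc-key").digest()
MAC_KEY = hashlib.sha256(b"example-mac-key").digest()
# Fixed only so the demo is reproducible; real protocols use a fresh nonce per message.
DEMO_NONCE = hashlib.sha256(b"demo-nonce").digest()[:16]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(plaintext: bytes, nonce: bytes = None) -> bytes:
    """Encrypt-then-MAC. Wire format: nonce(16) || ciphertext || tag(32)."""
    if nonce is None:
        nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(ENC_KEY, nonce, len(plaintext))))
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(blob: bytes) -> bytes:
    """Verify the tag before decrypting; any change in transit is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was altered in transit")
    return bytes(c ^ k for c, k in zip(ct, keystream(ENC_KEY, nonce, len(ct))))


def hostile_router(wire_bytes: bytes) -> bytes:
    """Simulated compromised router. If it can parse the reply it rewrites the
    balance; otherwise it can only flip bytes blindly in the body."""
    try:
        msg = json.loads(wire_bytes)
        msg["balance"] = 5000.00  # hide the drained account from the victim
        return json.dumps(msg).encode()
    except ValueError:  # JSONDecodeError and UnicodeDecodeError both derive from it
        tampered = bytearray(wire_bytes)
        tampered[20] ^= 0x01  # byte 20 lies inside the ciphertext region
        return bytes(tampered)


BANK_REPLY = json.dumps({"account": "1234", "balance": 12.34}).encode()  # constructed


def plaintext_session() -> float:
    """Unprotected traffic: the victim sees whatever balance the router chooses."""
    received = hostile_router(BANK_REPLY)
    return json.loads(received)["balance"]


def protected_session() -> dict:
    """Endpoint-encrypted traffic: the router can neither read nor alter it."""
    wire = seal(BANK_REPLY, DEMO_NONCE)
    received = hostile_router(wire)
    try:
        open_sealed(received)
        outcome = "accepted"
    except ValueError:
        outcome = "rejected"
    return {"attacker_can_read": b"balance" in wire, "outcome": outcome}


if __name__ == "__main__":
    print("plaintext balance shown to victim:", plaintext_session())
    print("protected session:", protected_session())
```

The plaintext session hands the victim a fabricated balance of 5000.0; the protected session shows the word "balance" never appears on the wire and the tampered message is rejected before it is displayed. Note what this does and does not cover: encryption with integrity stops an on-path device from reading or altering traffic, but a device in the path can still drop traffic outright, which is why the firmware update and factory reset remain the real fix for the router itself.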
In addition, the list of device brands affected by the malware has grown. In addition to the devices mentioned above, ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE devices may also be vulnerable (for more information about which models might be affected, see the Talos researchers’ update).