DoJ Cripples VPNFilter Botnet, But Doesn't Slay It
The U.S. Department of Justice announced that it has disrupted the VPNFilter botnet revealed by Cisco's Talos Intelligence Group. After obtaining permission from Pennsylvania courts, the FBI seized a domain used by the botnet's command-and-control infrastructure, effectively crippling its ability to act on infected devices. Yet the Justice Department was careful to note that VPNFilter has been crippled, not slain outright.
Cisco said when it revealed VPNFilter that more than 500,000 devices in 54 countries, with a particular focus on Ukraine, had been compromised by the botnet. The malware targeted small and home office (SOHO) products from Linksys, Netgear, TP-Link, and MikroTik, as well as unidentified NAS devices. These products make particularly good targets because they're rarely protected by antivirus solutions and other security tools.
Targeting SOHO products and NAS devices also gives VPNFilter's operators plenty of options. Cisco said the malware could be used to collect information that passes through the infected devices, to conduct attacks that appeared to be conducted by their victims, and even to render the devices completely inoperable, which could in turn potentially disrupt the internet access of hundreds of thousands of people.
Cisco also said that it had noticed two spikes in VPNFilter activity in May (one on May 8, one on May 17), which is why the company decided to reveal the botnet's existence before finishing its research. It's no wonder, then, that the Justice Department announced it was taking action to disrupt VPNFilter the same day the botnet was revealed. VPNFilter isn't a potential problem; it's considered a real threat to national security.
Here's what the Justice Department said about its efforts to disrupt VPNFilter:
In order to identify infected devices and facilitate their remediation, the U.S. Attorney’s Office for the Western District of Pennsylvania applied for and obtained court orders, authorizing the FBI to seize a domain that is part of the malware’s command-and-control infrastructure. This will redirect attempts by stage one of the malware to reinfect the device to an FBI-controlled server, which will capture the Internet Protocol (IP) address of infected devices, pursuant to legal process. A non-profit partner organization, The Shadowserver Foundation, will disseminate the IP addresses to those who can assist with remediating the VPNFilter botnet, including foreign CERTs and internet service providers (ISPs).
The Justice Department also advised anyone who owns SOHO or NAS products that may have been infected by VPNFilter to restart their devices. That should temporarily remove the second stage of the malware from the device, and even though the first stage will linger and attempt to reinstall the second stage, the FBI's seizure of the domain used by VPNFilter's command-and-control infrastructure should block those efforts.
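The mechanism described above, in which stage-one beacons to the seized domain land on a sinkhole that records the source IP and hands it to Shadowserver for distribution to ISPs and CERTs, can be modelled on the defender's side. The following is an added example, not code from Tom's Hardware, the Justice Department or Shadowserver; the log format, the placeholder hostname SEIZED-DOMAIN.example, the beacon path /check-in and the address-block table are all constructed for illustration.

```python
"""Turn sinkhole hits into a deduplicated notification list.

Added illustration only. Nothing here is the real VPNFilter domain, path
or log format; every value below is constructed for the example.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed: combined-log-style lines as a sinkhole web server might record
# when a persistent stage-one implant reaches out to the seized domain.
# SEIZED-DOMAIN.example and /check-in are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [24/May/2018:01:02:03 +0000] "GET /check-in HTTP/1.1" 200 0 "-" "Wget" SEIZED-DOMAIN.example
203.0.113.7 - - [24/May/2018:01:12:09 +0000] "GET /check-in HTTP/1.1" 200 0 "-" "Wget" SEIZED-DOMAIN.example
198.51.100.23 - - [24/May/2018:01:15:44 +0000] "GET /check-in HTTP/1.1" 200 0 "-" "Wget" SEIZED-DOMAIN.example
192.0.2.99 - - [24/May/2018:02:30:00 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0" SEIZED-DOMAIN.example
not a log line at all
192.0.2.15 - - [24/May/2018:03:00:00 +0000] "GET /check-in HTTP/1.1" 200 0 "-" "Wget" SEIZED-DOMAIN.example
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)

# Constructed: which party should be told about infections in which block.
# In practice this lookup would come from WHOIS / routing data.
ALLOCATIONS = {
    "203.0.113.0/24": "ISP-A abuse desk",
    "198.51.100.0/24": "CERT-B",
}


def parse_sinkhole_log(text):
    """Yield (ip, utc_datetime, path) for every well-formed line; skip junk."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line, ignore it
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # not a parseable address
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield ip, ts.astimezone(timezone.utc), m.group("path")


def infected_hosts(text, beacon_path="/check-in"):
    """Collapse repeated beacons from one address into a single record.

    Only requests for the implant's beacon path count: a stray crawler
    hitting /robots.txt on the sinkhole is not an infected router.
    """
    hosts = {}
    for ip, ts, path in parse_sinkhole_log(text):
        if path != beacon_path:
            continue
        rec = hosts.setdefault(str(ip), {"first_seen": ts, "last_seen": ts, "hits": 0})
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
        rec["hits"] += 1
    return hosts


def route_notifications(hosts, allocations=ALLOCATIONS):
    """Group infected addresses by the organisation responsible for their block."""
    nets = [(ipaddress.ip_network(cidr), owner) for cidr, owner in allocations.items()]
    routed = defaultdict(list)
    for addr in sorted(hosts, key=ipaddress.ip_address):
        ip = ipaddress.ip_address(addr)
        owner = next((o for net, o in nets if ip in net), "unallocated / needs lookup")
        routed[owner].append(addr)
    return dict(routed)


if __name__ == "__main__":
    for owner, ips in route_notifications(infected_hosts(SAMPLE_LOG)).items():
        print(f"{owner}: {', '.join(ips)}")
```

Two points follow from the article's own description. Deduplicating by source address fits SOHO routers, which are themselves the network edge, but an address behind carrier-grade NAT may stand for many devices. And because stage one survives a reboot while stage two does not, an address that keeps appearing in the sinkhole log after its owner has been notified and has rebooted the device is still carrying the persistent first stage, so the notification loop has to run repeatedly rather than once.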
VPNFilter Appears To Be The Work Of Russian Hackers
Cisco didn't attribute VPNFilter to any particular organization, but it did talk about what nation-state actors could do with the botnet, prompting fears that it was controlled by a government organization. The Justice Department went a step further and outright attributed VPNFilter to the Sofacy Group, which also goes by APT28, Fancy Bear, Pawn Storm, and other aliases and has been active since at least 2007.
The FBI and Department of Homeland Security said in December 2016 that the Sofacy Group was connected to Russian intelligence services and government officials. Combine that with VPNFilter's apparent focus on Ukraine, where Russia currently holds a military presence, and the connection between this botnet and an organization with at least some loose ties to the Russian government becomes even clearer.
That doesn't mean other countries have nothing to fear from the botnet, however. Cisco said it had already found infected devices in 53 countries outside Ukraine, and the apparent targets (Linksys, Netgear, etc.) ship products around the world. Hence the Justice Department's swift response.
Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.
Comments

vladimir.berezin52: russian hackers in america? what <mod edit> is this?

<Moderator Warning: Watch your language in these forums>

vladimir.berezin52: What I am trying to say is that, the servers for this malware are inside united states that is how FBI was able to disrupt the attack, so why blame another country for its wrongdoing?

bit_user:
> 20997313 said: What I am trying to say is that, the servers for this malware are inside united states that is how FBI was able to disrupt the attack,
Did it say that? Or maybe just the domain?
> 20997313 said: so why blame another country for its wrongdoing?
You think web hosting providers require proof of citizenship? Dude, it's the internet. Virtually anyone can rent hosting virtually anywhere.

LORD_ORION: Russian clown...
A better troll would be to say "Haha... Russia stole tools from NSA and now uses them against 5 eyes"

bit_user:
> 20998725 said: Russian clown...
> A better troll would be to say "Haha... Russia stole tools from NSA and now uses them against 5 eyes"
Maybe they're now trying to make themselves look so bad at trolling that they can't possibly be influencing elections...