Global Russian-Linked Router Malware Even Worse Than Originally Stated

from the Putin-gonna-Putin dept

Late last month, the FBI announced that hackers working for the Russian government had managed to infect roughly 500,000 routers in 54 countries with a particularly nasty piece of malware known as VPNFilter. The malware, which infected routers from vendors like Linksys, MikroTik, Netgear, TP-Link, and certain network-attached storage devices from companies like QNAP, gave attackers the ability to track a victim’s internet usage, launch attacks on other networks, and permanently destroy the devices upon command.

A subsequent Cisco advisory about the malware noted that the infection rate had steadily increased since it was first observed sometime in 2016:

“Both the scale and the capability of this operation are concerning. Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries… The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials and monitoring of Modbus SCADA protocols.”

A subsequent report by The Daily Beast noted that the FBI had managed to seize a key domain being used to manage the massive botnet of infected devices. The report also managed to obtain an FBI affidavit highlighting that the hacking group behind the malware was none other than Sofacy, aka Fancy Bear, Sednit, and Pawn Storm — the same Russian-government linked group believed to be behind the 2016 hack of the Democratic National Committee (unless you’re one of those folks still clinging to the flimsy narrative that the DNC hacked itself, a claim recent Guccifer 2.0 revelations utterly deflated).

As is usually the case with these kinds of security issues, new data from Cisco indicates that the malware has since evolved into something even nastier than the original variant:

“Initially when we saw this we thought it was primarily made for offensive capabilities like routing attacks around the Internet,” Craig Williams, a senior technology leader and global outreach manager at Talos, told Ars. “But it appears [attackers] have completely evolved past that, and now not only does it allow them to do that, but they can manipulate everything going through the compromised device. They can modify your bank account balance so that it looks normal while at the same time they’re siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the device.”

The new, updated Cisco analysis is well worth a read for those who are interested, and notes that in addition to being more powerful than originally stated, the malware is also targeting a far larger range of hardware vendors than originally believed, including gear from ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. The vulnerabilities being exploited to install VPNFilter vary from device to device, as do the steps needed to identify whether a router is infected and how to purge it of the malware.

Originally, the FBI issued a statement indicating that owners of potentially impacted devices simply needed to reboot their routers to thwart the infection, thanks to the FBI’s seizure of the controlling domain.

But it’s now clear that rebooting alone only temporarily disrupts the botnet and doesn’t purge the infection. The interesting bit: it’s incredibly difficult for ordinary end users to even know whether their router is infected, meaning that to be safe, users may need to wipe their routers completely and restore them to factory defaults. After that, the standard caveats apply: update your router to the latest firmware, disable remote administration functionality, and change any default username and password combinations the device may have shipped with.
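The three post-reset checks above (current firmware, remote administration off, default credentials changed) can be turned into a repeatable audit of a router’s configuration backup rather than a checklist read by eye. The script below is an added example and not code from the article, Cisco, or any router vendor; it assumes a constructed key=value export format, a hypothetical model name and firmware table, and a constructed list of factory credential pairs. It runs the audit over a weak configuration and a hardened one so the difference is concrete.

```python
"""Audit a router configuration export for the hardening steps the article
lists: latest firmware, remote administration disabled, default credentials
changed.  Added example; the config format and model data are constructed."""

import re

# Constructed sample export (not a real vendor format): the weak state.
WEAK_CONFIG = """\
# backup taken before hardening
device.model=EXAMPLE-RTR-1
firmware.version=1.0.3
admin.remote_access=enabled
admin.remote_port=8080
admin.username=admin
admin.password=admin
"""

# Constructed sample export: the same device after the recommended fixes.
HARDENED_CONFIG = """\
device.model=EXAMPLE-RTR-1
firmware.version=1.2.0
admin.remote_access=disabled
admin.username=routeradmin
admin.password=correct-horse-battery-staple-2018
"""

# Hypothetical "latest available firmware" table for the constructed model.
LATEST_FIRMWARE = {"EXAMPLE-RTR-1": "1.2.0"}

# Constructed set of common factory credential pairs.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", ""), ("admin", "password"), ("root", "root"),
}


def parse_config(text):
    """Parse key=value lines into a dict; blank lines and '#' comments are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed config line: {line!r}")
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def version_tuple(version):
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit(cfg):
    """Return a list of (check, message) findings; an empty list means all checks pass."""
    findings = []

    # 1. Firmware: flag anything older than the latest known build for the model.
    model = cfg.get("device.model", "")
    latest = LATEST_FIRMWARE.get(model)
    current = cfg.get("firmware.version", "0")
    if latest is None:
        findings.append(("firmware", f"unknown model {model!r}; cannot verify firmware"))
    elif version_tuple(current) < version_tuple(latest):
        findings.append(("firmware", f"firmware {current} is older than {latest}; update"))

    # 2. Remote administration: anything other than an explicit 'disabled' is a finding.
    if cfg.get("admin.remote_access", "disabled").lower() != "disabled":
        findings.append(("remote_admin", "remote administration is enabled; disable it"))

    # 3. Credentials: reject factory pairs, then apply a minimum-length floor.
    creds = (cfg.get("admin.username", ""), cfg.get("admin.password", ""))
    if creds in DEFAULT_CREDENTIALS:
        findings.append(("credentials", "factory username/password still in use; change them"))
    elif len(creds[1]) < 12:
        findings.append(("credentials", "admin password is shorter than 12 characters"))

    return findings


def is_hardened(cfg):
    """True when the export passes every check."""
    return not audit(cfg)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for check, message in audit(parse_config(text)) or [("ok", "all checks pass")]:
            print(f"  {check}: {message}")
```

The version comparison is deliberately numeric: a string comparison would rank firmware "1.9.9" above "1.10.2", which is exactly the kind of mistake that leaves a device on an old build while the audit reports it current.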



Comments on “Global Russian-Linked Router Malware Even Worse Than Originally Stated”

I.T. Guy says:

“users may need to wipe their routers completely and restore them to factory defaults”
Good luck with that.

I update BIOSes and firmware all the time. On machines that I do not own. Still, every time I do one I cringe until it’s finished, knowing that any error could brick the device.

I know there have to be firmware updates for my P50 and my X99A. Not to mention my 3 servers and my kids’ 8470p.

I am a bad I.T. Guy on this front I will admit.
Great… now I feel guilty. Guess what I will be doing this weekend?

Anonymous Coward says:

Re: Re:

Good luck with that.

There’s the reliability problem you mention, and then there’s the security problem: you can’t just pop a card out of the device and reflash it. Realistically you’re going to be trusting the software on the router to accept and store the updated image; even the "failsafe" and "bootloader" recovery modes are just software that could have been corrupted by the malware. The only way to really make sure it happens is to crack it open and solder a JTAG connector.

That is what the FBI and state police do says:

Re: Speaking to the "DNC hacked itself" bit

The state and local police and various criminal bureaus, and the FBI, do the .zip files too.

Sometimes they pre-stage the .zips online, upload, and then later, do a black bag job to get the actual system.

And, on rare occasions- they get a warrant first. Very rarely in fact.

Haha. Just kidding. They don’t use warrants anymore, King George/s!

Anonymous Coward says:

Back to blaming those pesky "Russians"!

the same Russian-government linked group believed to be behind the 2016 hack of the Democratic National Committee

Believed by YOU neo-liberal partisans.

> (unless you’re one of those folks still clinging to the flimsy narrative that the DNC hacked itself, a claim recent Guccifer 2.0 revelations utterly deflated)

Who’s clinging to THAT "narrative"? (Guccifer 2 is not a reliable source, anyway.) The most likely scenario is that DNC admin tech Seth Rich copied the files. — Kim Dotcom STATES THIS! — Seth Rich was murdered! He’s definitely dead, but if Techdirt ever even mentioned THAT narrative, a dead guy is just coincidence.

Personanongrata says:

When isn't a Hack a Hack? When it's a Leak

(unless you’re one of those folks still clinging to the flimsy narrative that the DNC hacked itself, a claim recent Guccifer 2.0 revelations utterly deflated).

Psst… psst… it wasn’t a hack it was a leak.

Italicized/bold text was excerpted from a report titled Guccifer 2.0 NGP/VAN Metadata Analysis found at

The initial copying activity was likely done from a computer system that had direct access to the data. By “direct access” we mean that the individual who was collecting the data either had physical access to the computer where the data was stored, or the data was copied over a local high speed network (LAN)

Conclusion 7. A transfer rate of 23 MB/s is estimated for this initial file collection operation. This transfer rate can be achieved when files are copied over a LAN or when copying directly from the host computer’s hard drive. This rate is too fast to support the hypothesis that the DNC data was initially copied over the Internet (esp. to Romania).

Italicized/bold text was excerpted from a report titled Guccifer 2’s West Coast Fingerprint found at

In the first part of this report, we documented our analysis, which provided support for the conclusion that Guccifer 2 may have been operating out of a GMT+3 time zone region. However, when we place that conclusion against our finding that a document uploaded by Guccifer 2 (in a similar time frame) was likely last saved in a location on the West Coast, US we have to question our GMT+3 findings.

We must now give serious consideration to the idea that all 25 documents (uploaded in three batches over the course of a month) were all generated on the West Coast, US. Guccifer 2 was possibly working on a VM and/or using a VPN that vectored through Romania or Russia. Here is how that shift will look if all 25 files were last saved on the West Coast (PDT).

Italicized/bold text was excerpted from a report titled The CIA’s Absence of Conviction found at

Craig Murray, the former UK ambassador to Uzbekistan, who is a close associate of Assange, called the CIA claims “bullshit”, adding: “They are absolutely making it up.”

“I know who leaked them,” Murray said. “I’ve met the person who leaked them, and they are certainly not Russian and it’s an insider. It’s a leak, not a hack; the two are different things.

Italicized/bold text was excerpted from a report titled Intel Vets Challenge ‘Russia Hack’ Evidence found at

Forensic studies of “Russian hacking” into Democratic National Committee computers last year reveal that on July 5, 2016, data was leaked (not hacked) by a person with physical access to DNC computer. After examining metadata from the “Guccifer 2.0” July 5, 2016 intrusion into the DNC server, independent cyber investigators have concluded that an insider copied DNC data onto an external storage device.

Doctor_Frankenstein (user link) says:

“..still clinging to the flimsy narrative that the DNC hacked itself…”
Here’s a narrative: What the U.S. gov. tells Americans and the idiotic masses that actually believe the spoon-fed bullshit that America is the good guys fighting global villains and doing everything in the name of freedom, democracy, and awesomeness. VS knowing the truth that America is a country built on wars, lies, and exploitation. Most of the world doesn’t see the Russians as the aggressive evil bad guys that are out to “get” America. Every time I see crap like this I shake my head. The more the U.S. gov. pushes obvious bullshit propaganda the more idiotic they seem. lolz 🙂

You should date the girl in this TED talk I’m sure you’d get along really well. [if you don’t watch it at least look at the comments]

Anonymous Coward says:

No talk about the American and Israeli malware on the other hand

Attacking the Russians for some routers to bury the story of the Mossad-linked malware on millions of routers placed mostly in the Middle East and Iran that’s been there stealing data and spying for at least 6-7 years.
No reason to mention that, nope, nice work citizen, Big Brother says you did a good job.
