Global Russian-Linked Router Malware Even Worse Than Originally Stated

from the Putin-gonna-Putin dept

Late last month, the FBI announced that hackers working for the Russian government had managed to infect roughly 500,000 routers in 54 countries with a particularly-nasty piece of malware known as VPN Filter. The malware, which infected routers from vendors like Linksys, MikroTik, Netgear, TP-Link, and certain network-attached storage devices from companies like QNAP, gave attackers the ability to track a victim's internet usage, launch attacks on other networks, and permanently destroy the devices upon command.

A subsequent Cisco advisory about the malware noted that the infection rate steadily increased since it was first observed sometime in 2016:

"Both the scale and the capability of this operation are concerning. Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries...The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials and monitoring of Modbus SCADA protocols."

A subsequent report by The Daily Beast noted that the FBI had managed to seize a key domain being used to manage the massive botnet of infected devices. The report also managed to obtain an FBI affidavit highlighting that the hacking group behind the malware was none other than Sofacy, aka Fancy Bear, Sednit, and Pawn Storm -- the same Russian-government linked group believed to be behind the 2016 hack of the Democratic National Committee (unless you're one of those folks still clinging to the flimsy narrative that the DNC hacked itself, a claim recent Guccifer 2.0 revelations utterly deflated).

As is usually the case with these kinds of security issues, new data from Cisco indicates that the malware has since evolved into something even more nasty than the original variant:

"Initially when we saw this we thought it was primarily made for offensive capabilities like routing attacks around the Internet,” Craig Williams, a senior technology leader and global outreach manager at Talos, told Ars. “But it appears [attackers] have completely evolved past that, and now not only does it allow them to do that, but they can manipulate everything going through the compromised device. They can modify your bank account balance so that it looks normal while at the same time they’re siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the device."

The new, updated Cisco analysis is well worth a read for those that are interested, and notes that in addition to being more powerful than originally stated, the malware is also targeting a far larger volume of hardware vendors than originally believed, including gear from ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. The vulnerabilities being exploited that allow VPN Filter to be installed vary from device to device, as do the steps needed to identify whether a router is infected and how to purge it of the malware.

Originally, the FBI issued a statement indicating that owners of potentially-impacted devices simply needed to reboot their routers to thwart the infection, thanks to the FBI's seizure of the controlling ToKnowAll.com domain.

But it's now clear that rebooting alone only temporarily disrupted the botnet, and doesn't purge the infection. The interesting bit: it's incredibly difficult for ordinary end users to even know if their router is infected, meaning that to be safe, users may need to wipe their routers completely and restore them to factory defaults. After that, the standard caveats usually apply: make sure to update your router to the latest firmware, disable remote administration functionality, and make sure you change any default username and password combinations the device may have shipped with.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    I.T. Guy, 8 Jun 2018 @ 7:43am

    "users may need to wipe their routers completely and restore them to factory defaults"
    Good luck with that.

    I update BIOSsz and firmware all the time. On machines that I do not own. Still, every time I do one I cringe until its finished knowing that any error could brick the device.

    I know there has to be firmware updates for my P50 and my X99A. Not to mention my 3 servers and my kids 8470p.

    I am a bad I.T. Guy on this front I will admit.
    Great... now I feel guilty. Guess what I will be doing this weekend?

    reply to this | link to this | view in thread ]

  2. identicon
    pegr, 8 Jun 2018 @ 7:55am

    Speaking to the "DNC hacked itself" bit

    If I'm stealing data from a compromised target, I wouldn't copy each file individually. I'd pack them up in an archive file then transfer that. Nobody has mentioned that AFAIK.

    reply to this | link to this | view in thread ]

  3. identicon
    Anonymous Coward, 8 Jun 2018 @ 8:25am

    Re:

    Good luck with that.

    There's the reliability problem you mention, and then there's the security problem: you can't just pop a card out of the device and reflash it. Realistically you're going to be trusting the software on the router to accept and store the updated image; even the "failsafe" and "bootloader" recovery modes are just software that could have been corrupted by the malware. The only way to really make sure it happens is to crack it open and solder a JTAG connector.

    reply to this | link to this | view in thread ]

  4. identicon
    Anonymous Coward, 8 Jun 2018 @ 8:26am

    Re: Speaking to the "DNC hacked itself" bit

    Are you speaking from a position of experience or just arm-chair hacking?

    reply to this | link to this | view in thread ]

  5. identicon
    Anonymous Coward, 8 Jun 2018 @ 8:27am

    Re: Speaking to the "DNC hacked itself" bit

    Nothing was stolen in the DNC's case, just copied. If stolen, the target would notice that their data's missing.

    reply to this | link to this | view in thread ]

  6. This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 8 Jun 2018 @ 9:16am

    Back to blaming those pesky "Russians"!

    the same Russian-government linked group believed to be behind the 2016 hack of the Democratic National Committee

    Believed by YOU neo-liberal partisans.

    > (unless you're one of those folks still clinging to the flimsy narrative that the DNC hacked itself, a claim recent Guccifer 2.0 revelations utterly deflated)

    Who's clinging to THAT "narrative"? (Guccifer 2 is not reliable source, anyway.) The most likely scenario is that DNC Admin tech Seth Rich copied the files. -- Kim Dotcom STATES THIS! -- Seth Rich was murdered! He's definitely dead, but if Techdirt ever even mentioned THAT narrative, a dead guy is just coincidence.

    reply to this | link to this | view in thread ]

  7. identicon
    pegr, 8 Jun 2018 @ 10:19am

    Re: Re: Speaking to the "DNC hacked itself" bit

    No comment. Lol!

    reply to this | link to this | view in thread ]

  8. identicon
    Anonymous Coward, 8 Jun 2018 @ 10:43am

    Re: Back to blaming those pesky "Russians"!

    For someone who claims to be against globalism you seem to get all uppity whenever the Russians get mentioned...

    reply to this | link to this | view in thread ]

  9. identicon
    Baron von Robber, 8 Jun 2018 @ 11:05am

    Re: Re: Back to blaming those pesky "Russians"!

    Hasn't had vodka in the past 8 hours. Very cranky Russian.

    reply to this | link to this | view in thread ]

  10. icon
    That Anonymous Coward (profile), 8 Jun 2018 @ 11:11am

    It sure is nice they can't even bother to tell us the truth.

    This is much worse than reported.
    There are hard steps you have to take to make sure you're not infected.

    Seems really different than the, oh just reboot when you get around to it and it'll all be fine.

    reply to this | link to this | view in thread ]

  11. identicon
    Anonymous Coward, 8 Jun 2018 @ 11:45am

    Re: Back to blaming those pesky "Russians"!

    Are you lost? InfoWars is over there.

    reply to this | link to this | view in thread ]

  12. identicon
    Personanongrata, 8 Jun 2018 @ 4:47pm

    When isn't a Hack a Hack? When it's a Leak

    (unless you're one of those folks still clinging to the flimsy narrative that the DNC hacked itself, a claim recent Guccifer 2.0 revelations utterly deflated).

    Psst... psst... it wasn't a hack it was a leak.

    Italicized/bold text was excerpted from a report titled Guccifer 2.0 NGP/VAN Metadata Analysis found at theforensicator.wordpress.com:

    The initial copying activity was likely done from a computer system that had direct access to the data. By “direct access” we mean that the individual who was collecting the data either had physical access to the computer where the data was stored, or the data was copied over a local high speed network (LAN)

    Conclusion 7. A transfer rate of 23 MB/s is estimated for this initial file collection operation. This transfer rate can be achieved when files are copied over a LAN or when copying directly from the host computer’s hard drive. This rate is too fast to support the hypothesis that the DNC data was initially copied over the Internet (esp. to Romania).

    https://theforensicator.wordpress.com/guccifer-2-ngp-van-metadata-analysis/

    Italicized/bol d text was excerpted from a report titled Guccifer 2’s West Coast Fingerprint found at theforensicator.wordpress.com:

    In the first part of this report, we documented our analysis, which provided support for the conclusion that Guccifer 2 may have been operating out of a GMT+3 time zone region. However, when we place that conclusion against our finding that a document uploaded by Guccifer 2 (in a similar time frame) was likely last saved in a location on the West Coast, US we have to question our GMT+3 findings.

    We must now give serious consideration to the idea that all 25 documents (uploaded in three batches over the course of a month) were all generated on the West Coast, US. Guccifer 2 was possibly working on a VM and/or using a VPN that vectored through Romania or Russia. Here is how that shift will look if all 25 files were last saved on the West Coast (PDT).

    https://theforensicator.wordpress.com/2018/05/29/guccifer-2s-west-coast-fingerprint/

    Italiciz ed/bold text was excerpted from a report titled The CIA’s Absence of Conviction found at www.craigmurray.org.uk:

    Craig Murray, the former UK ambassador to Uzbekistan, who is a close associate of Assange, called the CIA claims “bullshit”, adding: “They are absolutely making it up.”

    “I know who leaked them,” Murray said. “I’ve met the person who leaked them, and they are certainly not Russian and it’s an insider. It’s a leak, not a hack; the two are different things.

    https://www.craigmurray.org.uk/archives/2016/12/cias-absence-conviction/

    Italicized/bold text was excerpted from a report titled Intel Vets Challenge ‘Russia Hack’ Evidence found at consortiumnews.com:

    Forensic studies of “Russian hacking” into Democratic National Committee computers last year reveal that on July 5, 2016, data was leaked (not hacked) by a person with physical access to DNC computer. After examining metadata from the “Guccifer 2.0” July 5, 2016 intrusion into the DNC server, independent cyber investigators have concluded that an insider copied DNC data onto an external storage device.

    https://consortiumnews.com/2017/07/24/intel-vets-challenge-russia-hack-evidence/

    reply to this | link to this | view in thread ]

  13. identicon
    Doctor_Frankenstein, 8 Jun 2018 @ 8:38pm

    hahaha

    "..still clinging to the flimsy narrative that the DNC hacked itself..."
    Here's a narrative: What the U.S. gov. tells Americans and the idiotic masses that actually believe the spoon fed bullshit that America is the good guys fighting global villians and doing everything in the name of freedom, democracy, and awesomeness. VS Knowing the truth that America is a Country built on wars, lies, and exploitation. Most of the world doesn't see the Russians as the aggressive evil bad guys that's out to "get" America. Evey time I see crap like this I shake my head. The more the U.S. gov. pushes obvious bullshit propaganda the more idiotic they seem. lolz :)

    You should date the girl in this TED talk I'm sure you'd get along really well. https://www.youtube.com/watch?v=TO-_kVIkY6A [if you don't watch it at least look at the comments]

    reply to this | link to this | view in thread ]

  14. identicon
    That is what the FBI and state police do, 8 Jun 2018 @ 10:27pm

    Re: Speaking to the "DNC hacked itself" bit

    The state and local police and various criminal beaureaus, and the FBI do the .zip files too.

    Sometimes they pre-stage the .zips online, upload, and then later, do a black bag job to get the actual system.

    And, on rare occasions- they get a warrant first. Very rarely in fact.

    Haha. Just kidding. They dont use warrants anymore, King George/s!

    reply to this | link to this | view in thread ]

  15. identicon
    Jjim, 9 Jun 2018 @ 6:57am

    Actually!

    All that does, is verify my contention. The Hillery email leak was from the FBI or the Senate committee. Not from the server.

    reply to this | link to this | view in thread ]

  16. identicon
    Anonymous Coward, 10 Jun 2018 @ 9:38am

    Re: Back to blaming those pesky "Russians"!

    save your breath, if your against the democrats you're a sneaky evil Russian bear mutant, oh and an incel, and misogynist, and racist, AND A NAZI.

    reply to this | link to this | view in thread ]

  17. identicon
    Anonymous Coward, 10 Jun 2018 @ 9:46am

    No talk about the American and Israeli malware on the other hand

    Attacking the Russians for some routers to bury the story of the Mossad linked malware on millions of routers placed mostly in the middle-east and Iran that's been there stealing data and spying for at least 6-7 years.
    No reason to mention that, nope, nice work citizen, Big Brother says you did a good job.

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.