The Federal Bureau of Investigation said in a statement on 25 May 2018 that foreign cyber actors had used a malware program known as VPNFilter to infect “hundreds of thousands” of home and office routers and other networked devices worldwide.
Users of small office and home office routers have been advised to reboot their devices, update their firmware, and disable remote administration. VPNFilter reportedly has at least one component, its persistent first stage, that survives a simple reboot: rebooting clears the later stages from memory, but the surviving stage can download them again, so the device is easily re-infected unless it is reset to factory defaults and patched. At least two commercial router manufacturers, Linksys and Netgear, have posted guides for users to follow in securing their devices.
The bureau’s warning came two days after a report from the Cisco Talos Intelligence Group estimating that at least 500,000 devices in more than fifty countries had been infected with the VPNFilter malware.
“The malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide,” the group said in its report.
Officials have reportedly linked the spread of VPNFilter to a group known by the names APT28 and Sofacy, which has in turn been connected to the Russian government.
“This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities,” Assistant Attorney General for National Security John C. Demers said in a statement from the Justice Department.
Talos said in its report that it noted a “sharp spike” on 8 May 2018 in the number of devices infected with VPNFilter, nearly all of them located in Ukraine; that infection wave, the group said, also used different command-and-control infrastructure from the one hitting devices in other countries. It recorded another “substantial increase” nine days later, on 17 May, in the same country.
“This continued to drive our decision to publish our research as soon as possible,” Talos said.