FBI Urges People to Reboot Routers to Fend Off Russian Malware
- Author: Terrell Bush, Jun 01, 2018, 4:12
The FBI says the software targets consumer routers used in home offices and small offices. Now that the domain is under Federal Bureau of Investigation control, any attempts by the malware to reinfect a compromised router will be bounced to a Federal Bureau of Investigation server that can record the IP address of the affected device. That group, also known as A.P.T. 28 and the Sofacy Group, is believed to be directed by Russia's military intelligence agency.
Sofacy, also known as APT28 and Fancy Bear, has been blamed for many of the most dramatic Russian hacks, including that of the Democratic National Committee during the 2016 U.S. presidential campaign.
Talos continued: "While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country".
The analysis by Talos noted significant similarities between VPNFilter's computer code and "versions of the BlackEnergy malware - which was responsible for multiple large-scale attacks that targeted devices in Ukraine". While cybersecurity experts are still analyzing VPNFilter in order to understand the full scope of its capabilities and intended mission, by this point in time there is agreement that, at a minimum, the malware lets criminals surreptitiously collect information (such as by stealing login and password information when people visit websites using the Internet connection provided by the router) as well as block network traffic and thereby render routers nonfunctional. The announcement from the F.B.I. did not provide any details about where the criminals might be based and their motivations remain unknown.
This VPNFilter malware comes in three stages, and it's important to understand the difference. Among the affected networking equipment it found during its research were devices from manufacturers including Linksys, MikroTik, Netgear and TP-Link.
An FBI official said affected devices were likely purchased at electronics stores or online, though it is not ruling out routers provided by internet service companies.
After a reboot, the malware is designed to go back online and reload the applets. Also, be sure to change all default router passwords to strong passwords.