The FBI has taken control of a large botnet believed to have been run by hackers working for the Kremlin. The malware, known as VPNFilter, was identified by researchers at Cisco Talos. VPNFilter lets attackers hijack routers and turn them into a malicious VPN network that masks the attackers' real IP addresses during subsequent attacks.
According to a report released on 23 May, the payload has been in the wild since at least 2016. It is suspected to have infected around 500,000 devices across 54 countries. Talos stated that the sophistication of the modular malware system suggests a state-sponsored operation.
FBI agents have stated that the threat actor is probably Sofacy, a hacking collective run by the Kremlin that has been tracked under a multitude of names over the past five years, including APT28, Sednit, Fancy Bear, Pawn Storm, Grizzly Steppe, STRONTIUM, and Tsar Team. Affidavit excerpt:
“The Sofacy group is a cyber-espionage group believed to have originated from Russia. Likely operating since 2007, the group is known to typically target government, military, security organizations, and other targets of intelligence value.”
VPNFilter uses a multi-stage infection chain similar to other router-based attacks. Once it has a foothold on a victim's router, it contacts a command-and-control (CnC) server to download additional payloads.
The second stage lets the attackers intercept traffic, steal data, collect files, and execute commands. Additional payloads may also have been delivered to infect network devices attached to the router.
FBI Takes Control
After months of monitoring the situation, security researchers working with the FBI pinpointed the domain name used by the attackers.
An affidavit filed on 23 May reveals that agents had been working the case since August, when a Pittsburgh resident voluntarily gave them access to an infected router.
When news of the infection became public, the FBI moved swiftly to obtain a warrant from a Pennsylvania judge to take control of the toKnowAll.com domain.
With the CnC domain under FBI control, consumers around the world have been asked to reboot their devices so that the malware phones home to the now-seized domain. A reboot clears the non-persistent later stages but not stage 1, which survives and tries to reach the CnC domain again; each such check-in gives the FBI a clearer picture of exactly how many devices were affected and where. The FBI has said it intends to compile a list of all infected IP addresses and share it with ISPs and private- and public-sector partners so the global infection can be cleaned up before the attackers can stand up a new CnC server and re-establish the botnet.
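The enumeration step described above, as an added example that is not part of the original article and not code from Cisco Talos or the FBI: once the CnC domain resolves to a sinkhole, every rebooted implant that phones home leaves a request in the sinkhole's web log, and de-duplicating the client IPs and grouping them by network owner produces the per-ISP notification list. The log lines, the combined-log format, the beacon heuristic and the prefix-to-ISP table are all constructed assumptions for this example.

```python
"""Added example: enumerate infected hosts from a sinkhole's access log.

Not from the original article, Cisco Talos or the FBI.  All log lines and
the IP-to-ISP mapping below are constructed sample data.
"""
import ipaddress
import re
from collections import defaultdict

# Combined log format as written by common web servers (assumption: the
# sinkhole logs in this format).  Only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: three distinct implants, one repeat check-in, one
# unrelated scanner hit, and one malformed line that must be skipped.
SAMPLE_LOG = """\
203.0.113.7 - - [24/May/2018:02:11:09 +0000] "GET / HTTP/1.1" 200 12 "-" "Mozilla/4.0"
198.51.100.23 - - [24/May/2018:02:11:44 +0000] "GET / HTTP/1.1" 200 12 "-" "Mozilla/4.0"
203.0.113.7 - - [24/May/2018:02:13:02 +0000] "GET / HTTP/1.1" 200 12 "-" "Mozilla/4.0"
192.0.2.200 - - [24/May/2018:02:15:30 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0 "-" "masscan/1.0"
198.51.100.250 - - [24/May/2018:02:16:11 +0000] "GET / HTTP/1.1" 200 12 "-" "Mozilla/4.0"
this line is garbage and should be skipped
"""

# Constructed prefix-to-ISP table (hypothetical owners of documentation ranges).
ISP_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "ExampleNet-A",
    ipaddress.ip_network("198.51.100.0/24"): "ExampleNet-B",
}


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_beacon(rec):
    """Heuristic for a stage-1 phone-home: a GET of the document root that
    the sinkhole answered.  This is an assumption for the example; real
    triage would match the implant's actual request pattern."""
    return rec["method"] == "GET" and rec["path"] == "/" and rec["status"] == "200"


def infected_ips(log_text):
    """De-duplicated set of client IPs whose requests look like beacons."""
    ips = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_beacon(rec):
            continue
        try:
            ips.add(ipaddress.ip_address(rec["ip"]))
        except ValueError:  # unparsable address field
            continue
    return ips


def owner_of(ip):
    """Map an address to the ISP that should be notified, or 'unknown'."""
    for net, isp in ISP_PREFIXES.items():
        if ip in net:
            return isp
    return "unknown"


def notification_list(log_text):
    """Group infected IPs by network owner so each ISP receives one report."""
    by_isp = defaultdict(list)
    for ip in sorted(infected_ips(log_text)):
        by_isp[owner_of(ip)].append(str(ip))
    return dict(by_isp)


if __name__ == "__main__":
    for isp, ips in notification_list(SAMPLE_LOG).items():
        print(f"{isp}: {len(ips)} infected host(s): {', '.join(ips)}")
```

The repeat check-in from 203.0.113.7 collapses to one entry, the scanner probing /phpmyadmin/ is ignored because it does not match the beacon heuristic, and the malformed line is skipped rather than aborting the run. On a real sinkhole the prefix table would come from WHOIS or BGP data rather than a hard-coded dictionary.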