FBI takes control over Russia's VPNFilter router botnet

The FBI has seized control of a key domain used to control routers infected with the 'VPNFilter' malware, which the US and Ukraine have attributed to Kremlin-backed hackers.

The Justice Department on Wednesday announced the seizure of a single domain, toknowall[.]com, which served as part of the command and control infrastructure used by VPNFilter, the router malware revealed by Cisco's Talos Intelligence on Wednesday.

According to the Daily Beast, the FBI on Tuesday convinced a magistrate to issue a seizure warrant ordering domain registrar Verisign to hand control of the web address to the FBI. 

By Wednesday, as details of VPNFilter were made public, the FBI had gained control of the address, allowing it to create a sinkhole: traffic from infected devices that still resolve the domain now lands on a server under the FBI's control, rendering the connection useless to the attackers.

The domain seizure will help the US government identify infected devices and begin the process of removing infections. 

VPNFilter has three stages. Unlike most previous examples of IoT malware, VPNFilter's Stage 1 component can persist after a reboot and is responsible for installing the subsequent stages, which pose a risk to users and potentially to entire nations.

The seized domain allows the FBI to capture the IP addresses of infected routers. Non-profit security group, The Shadowserver Foundation, will distribute the IP addresses to various CERTs and ISPs in the US and abroad.
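What the sinkhole described in the two paragraphs above produces in practice is a log of which addresses tried to reach the seized hostname; turning that log into something a CERT or ISP can act on is mostly de-duplication and bucketing by network. The following is an added example written for this article, not code from the FBI, Shadowserver or Cisco Talos. The log lines (Apache combined format with the requested Host appended), the prefix-to-owner table and the request paths are all constructed; the article does not describe the real VPNFilter Stage 1 beacon format, so the only thing the example keys on is the hostname the client asked for.

```python
"""Added example: turning sinkhole hits for a seized C2 domain into per-network
infection lists. Not the FBI's or Shadowserver's code; all inputs are constructed."""

import ipaddress
import re
from collections import defaultdict
from datetime import datetime

SINKHOLED_HOST = "toknowall.com"  # the seized C2 domain named in the article

# Constructed sinkhole web-server log: Apache "combined" format plus the Host
# header as a final field. Client addresses are RFC 5737 documentation ranges.
SINKHOLE_LOG = """\
198.51.100.23 - - [23/May/2018:10:01:07 +0000] "GET /update HTTP/1.1" 200 12 "-" "-" toknowall.com
203.0.113.9 - - [23/May/2018:10:01:09 +0000] "GET /update HTTP/1.1" 200 12 "-" "-" toknowall.com
198.51.100.23 - - [23/May/2018:10:31:10 +0000] "GET /update HTTP/1.1" 200 12 "-" "-" toknowall.com
192.0.2.77 - - [23/May/2018:10:40:00 +0000] "GET / HTTP/1.1" 200 12 "-" "Mozilla/5.0" toknowall.com
203.0.113.10 - - [23/May/2018:11:02:44 +0000] "GET /update HTTP/1.1" 200 12 "-" "-" toknowall.com
198.51.100.200 - - [23/May/2018:11:05:00 +0000] "GET /update HTTP/1.1" 200 12 "-" "-" other.example
"""

# Constructed ownership table. In practice this comes from WHOIS / routing data
# (the job Shadowserver does when it routes addresses to the right CERT or ISP).
PREFIX_OWNERS = {
    ipaddress.ip_network("198.51.100.0/24"): "ISP-A (US) - abuse@isp-a.example",
    ipaddress.ip_network("203.0.113.0/24"): "CERT-UA - cert@example.ua",
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)" (?P<host>\S+)$'
)


def parse_sinkhole_log(text, sinkholed_host=SINKHOLED_HOST):
    """Return {ip_str: {"first_seen", "last_seen", "hits"}} for every client that
    asked for the sinkholed hostname. Requests for other names hosted on the same
    server (here other.example) are ignored; a human browsing the seized domain
    is indistinguishable from a bot at this layer, so the hit count is kept to
    help the recipient prioritise (bots beacon repeatedly, browsers rarely do)."""
    seen = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("host").lower() != sinkholed_host:
            continue
        ip = str(ipaddress.ip_address(m.group("ip")))  # normalise, reject junk
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        rec = seen.setdefault(ip, {"first_seen": ts, "last_seen": ts, "hits": 0})
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
        rec["hits"] += 1
    return seen


def report_by_network(records, owners=PREFIX_OWNERS):
    """Bucket the de-duplicated infected addresses by the party responsible for
    their prefix, so each ISP/CERT receives only its own customers' addresses."""
    out = defaultdict(list)
    for ip_str in sorted(records, key=ipaddress.ip_address):
        ip = ipaddress.ip_address(ip_str)
        owner = next((o for net, o in owners.items() if ip in net), None)
        out[owner or "unassigned (look up WHOIS)"].append(ip_str)
    return dict(out)


if __name__ == "__main__":
    records = parse_sinkhole_log(SINKHOLE_LOG)
    for owner, ips in report_by_network(records).items():
        detail = ", ".join(f"{ip} ({records[ip]['hits']} hits)" for ip in ips)
        print(f"{owner}: {detail}")
```

The important operational caveat is in the docstring: a sinkhole sees a source address, not a device. Behind carrier-grade NAT one address may hide many routers, and a researcher or journalist poking at the seized domain looks like a bot, so the lists are leads for the ISP to confirm against its own records rather than proof of infection.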

The most dangerous part of VPNFilter, known as Stage 2, lets its controllers disable a single device or all infected devices at once. Stage 2 does not persist after a router is rebooted. However, since Stage 1 does survive a reboot, it may allow the attackers to re-infect the router afterwards.

Cisco reported that over 500,000 routers made by Linksys, MikroTik, Netgear, and TP-Link were infected with the malware. Infections were spread across 54 countries; however, its researchers observed a spike in infections in Ukraine in May, prompting its public warning.

Ukraine issued an alert yesterday alleging Russia was planning to use the infected routers to attack local internet users during this Saturday's Champions League final in Kiev. Cisco said the malware could sever hundreds of thousands of internet connections at once.

The Justice Department has blamed VPNFilter on the hacking group known as Sofacy Group or Fancy Bear, which was held responsible for the Democratic National Committee breach.

The FBI has been investigating the group since August 2017, according to the Daily Beast. FBI agents in Pittsburgh interviewed a local resident whose router was infected with the malware; she allowed the FBI to install a network tap on her network, which let the agents observe traffic leaving the infected router.

The Justice Department has published its application to use a pen register/trap-and-trace ("pen-trap") device. The FBI said it only sought to capture routing and addressing information for the malware's communications, and not the content of any communications.

The next stage of the FBI’s counter attack on VPNFilter will involve working with international partners to expose the group behind this malware. 

“By seizing a domain used by malicious cyber actors in their botnet campaign, the FBI has taken a critical step in minimizing the impact of the malware attack,” said Scott Smith, assistant director for the FBI’s Cyber Division.  

“While this is an important first step, the FBI's work is not done. The FBI, along with our domestic and international partners, will continue our efforts to identify and expose those responsible for this wave of malware.”

Tags: cisco, russia, BlackEnergy