Last April, U.S. and U.K. officials issued a joint warning that Russian state-sponsored actors were behind a major threat to the security of business and home network devices. While the threat was initially directed at home and business routers and the IoT devices behind them, the warning cautioned that the same access could eventually be turned on a massive scale against critical infrastructure such as water filtration systems and power lines. It sounds like a page from a spy novel, and unlikely in the post-Cold War era, but the FBI followed this up with another warning in late May.
According to Reuters, Russian hackers had breached thousands of home routers in the U.S. and could collect the information passing through them or even cut off their traffic entirely. Some quarters considered this to be another witch hunt, just like what happened with Huawei and ZTE in previous years. In an effort to stem the threat, the FBI seized a domain that the Russian hacker group known as Sofacy would have used to send commands to roughly 700,000 infected routers in homes and businesses across 50 countries. According to the FBI, most of the susceptible devices were bought online. Cisco Systems Inc.'s Talos research group reported that the targeted routers and storage devices came from Asus, D-Link, Huawei, Ubiquiti, Upvel, ZTE, Linksys, MikroTik, Netgear Inc., TP-Link and QNAP; brands that are extremely popular among home users and favored by Internet providers. Sofacy (also known as APT28 and Fancy Bear) was also implicated in the hacking of the Democratic National Committee during the 2016 U.S. Presidential campaign.
According to Cisco, the U.S. was not yet under major attack; Ukraine appeared to be the ultimate target. In a report shared with both the U.S. and Ukrainian governments, Cisco noted that VPNFilter shares code with BlackEnergy, the malware behind a major power outage in Ukraine, and described the millions in damages that such attacks had already caused there.
“The VPNFilter malware is a multistage, modular platform with versatile capabilities to support both intelligence collection and destructive cyberattack operations.” — Cisco
VPNFilter is hard to detect because its command-and-control traffic is encrypted, so it is best to be cautious. The malware has three stages. Stage 1 is installed persistently and survives a reboot, which sets it apart from most malware infecting smart devices, which seldom survives a restart. Stages 2 and 3, which carry the intelligence-collection and destructive capabilities, live only in memory and are downloaded again by Stage 1 after a reboot. The FBI therefore suggests rebooting your router, which clears Stages 2 and 3, and installing firmware updates to disrupt the malware. The seizure of the command-and-control domain cut off the attackers' communication with the devices, but Stage 1 remains on the infected routers and still has to be dealt with. It is strongly advised that remote management settings be disabled and passwords changed regularly.
The size and scope of the infrastructure by VPNFilter malware is significant…capable of rendering people's routers inoperable. – FBI
Experts further recommend resetting SOHO (small office/home office) routers and NAS (network-attached storage) devices to factory defaults rather than simply rebooting them, since a reset also removes the persistent Stage 1. Users should also coordinate with their Internet providers, who can reboot SOHO routers remotely, and with manufacturers to ensure that the most recent firmware patches are installed.
Is this a modern-day “Hunt for Red October”?