The United States Federal Bureau of Investigation and Department of Justice dealt a blow to a sophisticated Russian botnet that security researchers referred to as VPNFilter. They did it by seizing a key domain used to perpetuate the attacks. In doing so, the agencies effectively disrupted a malicious effort that was able to infect hundreds of thousands of routers and network storage devices.
Security researchers estimate that at least 500,000 network devices scattered across 54 countries were unwittingly part of the botnet. According to Talos Intelligence, VPNFilter affected devices build by several notable brands, including Linksys, MikroTik, Netgear, and TP-Link in the small and home office (SOHO) space, along with QNAP-brand network attached storage (NAS) storage devices. Other vendors, including Cisco, do not appear to have been affected.
"Today's announcement highlights the FBI's ability to take swift action in the fight against cybercrime and our commitment to protecting the American people and their devices," said Assistant Director Scott Smith. "By seizing a domain used by malicious cyber actors in their botnet campaign, the FBI has taken a critical step in minimizing the impact of the malware attack. While this is an important first step, the FBI's work is not done. The FBI, along with our domestic and international partners, will continue our efforts to identify and expose those responsible for this wave of malware."
The pesky botnet uses several stages of malware to infiltrate routers and NAS boxes. The second stage of the malware can easily be cleared from a device by simply rebooting it, but the first stage is able to survive a reboot, making it difficult to prevent a re-infection by the second stage.
That's where seizing the domain comes into play. The FBI took control of a domain that is part of the malware's command-and-controller infrastructure and is now able to redirect attempts by stage one of the malware to an FBI-controller server. This should stop the infection from spreading, though the onus is still on device makers to issue firmware patches and software updates.
According to the DoJ, the group responsible for VPNFilter has been operating since at least 2007 and has targeted government, military, security organizations, and other entities of perceived intelligence value.