Known as “VPNFilter,” the malware currently infecting routers appears to be the first stage in a multi-phase attack, with the first segment allowing the hackers to collect a wide range of communications data and enlist the infected device in attacks on others. The code also contains a kill command that allows the hackers to destroy the device at will.
As of now, the FBI has already taken swift action and has seized a domain used by the hackers as a means to deliver the later stages of the attack. They report that the primary and secondary means of further infection have been dismantled. They also report, however, that the hackers still have a fallback method of infection, which relies on sending “poisoned” data packets to each infected device.
Based on an evaluation of the code and the presence of redundant mechanisms for delivering the later stages of the infection, the code has been traced to a Russian hacking group with deep ties to the Russian government. The group is known by a variety of names, including Fancy Bear, Sofacy, APT 28, and Pawn Storm.
On the heels of seizing the domain, the FBI released a statement that includes:
“The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices. Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware.”