The FBI is working to disrupt a massive, sophisticated Russia-linked hacking campaign that officials and security researchers say has infected hundreds of thousands of network devices across the globe.
The Justice Department late Wednesday announced an effort to disrupt a botnet known as “VPNFilter” that compromised an estimated 500,000 home and office (SOHO) routers and other network devices. Officials explicitly linked the botnet to the cyber espionage group known as APT 28, or Sofacy, believed to be connected to the Russian government.
Officials said that the U.S. attorney’s office for the western district of Pennsylvania has obtained court orders allowing the FBI to seize a domain that is part of the malware’s command-and-control infrastructure. This will allow officials to redirect attempts by the malware to reinfect devices to an FBI-controlled server, thereby protecting devices from being infected again after rebooting.
Assistant Attorney General for National Security John C. Demers in a statement described the effort as the “first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities.”
Cybersecurity researchers first began warning of the destructive, sophisticated malware threat on Wednesday. Cisco’s Talos threat intelligence group said in a blog post Wednesday that VPNFilter had infected at least 500,000 devices in 54 or more countries.
The researchers had been tracking the hacking threat for several months and were not ready to publish their findings, but when the malware began infecting devices in Ukraine at an “alarming rate,” they decided to publish their research early.
“Both the scale and the capability of this operation are concerning. Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries,” the researchers wrote.
The malware targets home and office routers and what are known as network-access storage (NAS) devices, hardware devices that store data in one, single location but can be accessed by multiple individuals — creating a massive system of infected devices, commonly known as a botnet.
VPNFilter also uses two stages of malware, an unusual set up that makes it more difficult to prevent a device from being re-infected after it is rebooted. The FBI on Wednesday urged individuals whose devices may have been infected to reboot them as soon as possible.
The FBI is also also soliciting help from a nonprofit known as the Shadowserver Foundation, which will pass the IP addresses to internet service providers, foreign computer emergency teams and others to help stem the damage.
The malware is the latest sign of the growing cyber threat from Russia. News of the outbreak comes roughly a month after senior U.S. and British officials blamed the Russian government for coordinated cyberattacks on network devices in an effort to conduct espionage and intellectual property theft.
The U.S. has also blamed Moscow for the global cyberattack known as notPetya that ravaged computers across the globe last summer, calling it the most destructive and costly cyberattack in history.
The code of VPNFilter has similarities with version of another malware known as BlackEnergy, which was used in an attack on Ukraine’s power grid in late 2015. The Department of Homeland Security has linked the malware to the Russian government.