FBI seizes domain used by Russian hackers to infect 500,000 routers

May 24, 2018
  1. The FBI has seized control of a key domain used to infect 500,000 routers in 54 countries. The move comes after security reports from Cisco and Symantec revealed a modular, multi-stage malware dubbed VPNFilter, which can collect data, infect other devices, steal credentials, and even destroy a device.

    According to an FBI affidavit (via the Daily Beast), Kremlin-linked hacking group Sofacy, also known as Fancy Bear, was behind the operation. The same attackers were responsible for a number of past incidents, the most famous being the 2016 hack of the Democratic National Committee.

    There are several stages to VPNFilter that make it particularly malicious. The first stage sees the malware write itself to the device’s memory in a way that persists even after a reboot, making it one of the few types of IoT malware able to do this. Stage 2 covers file collection, command execution, data exfiltration, and device management. It is also this stage that can overwrite a critical portion of a device’s firmware, rendering it unusable.

    Stage 3 contains at least two plugin modules: a packet sniffer for collecting traffic, including website credentials, and a communications module that allows stage 2 to communicate over Tor.

    Ukraine's SBU security service said the malware proved Russia was getting ready for a major cyberattack on the country “aimed at destabilizing the situation” during the Champions League soccer final in Kiev on Saturday and possibly the country’s annual Constitution Day celebrations.

    The FBI, which has been investigating the campaign since August, received permission from a federal judge in Pennsylvania to seize ToKnowAll.com. The domain hosted a backup server for uploading the second stage of VPNFilter to infected routers if the primary method, which used Photobucket, was unsuccessful.

    Vikram Thakur, technical director at Symantec, said the FBI had now effectively killed the malware’s ability to reactivate following a reboot.

    “This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities,” Assistant Attorney General for National Security John Demers said in a statement.

    Here is a list of the affected routers and NAS devices. If you own one of these models, you should follow Cisco and Symantec's advice and perform a factory reset.

    • Linksys E1200
    • Linksys E2500
    • Linksys WRVS4400N
    • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
    • Netgear DGN2200
    • Netgear R6400
    • Netgear R7000
    • Netgear R8000
    • Netgear WNR1000
    • Netgear WNR2000
    • QNAP TS251
    • QNAP TS439 Pro
    • Other QNAP NAS devices running QTS software
    • TP-Link R600VPN
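    As an added example (not code from the article, Cisco, Symantec or the FBI), a small defender-side check in Python: it tests an inventory entry against the affected-model list above and scans DNS query logs for lookups of the seized ToKnowAll.com domain, which a router that is still infected would attempt when trying to fetch stage 2 through the backup channel. The log line format, the inventory fields and the sample log lines are assumptions constructed for the example.

```python
import re

# Indicator named in the article: the seized stage-2 fallback domain.
SEIZED_DOMAIN = "toknowall.com"

# Device models the article lists as affected. Mikrotik entries are kept as
# the article gives them (RouterOS for Cloud Core Routers 1016/1036/1072).
AFFECTED = {
    ("linksys", "e1200"), ("linksys", "e2500"), ("linksys", "wrvs4400n"),
    ("mikrotik", "1016"), ("mikrotik", "1036"), ("mikrotik", "1072"),
    ("netgear", "dgn2200"), ("netgear", "r6400"), ("netgear", "r7000"),
    ("netgear", "r8000"), ("netgear", "wnr1000"), ("netgear", "wnr2000"),
    ("qnap", "ts251"), ("qnap", "ts439 pro"),
    ("tp-link", "r600vpn"),
}

def is_affected(vendor, model, firmware=""):
    """True if the device matches the article's list. The list's catch-all
    entry covers any QNAP NAS running QTS, so firmware is checked for QNAP.
    Matching is by model: a listed model on third-party firmware still
    matches, so the operator can verify it rather than assume it is clean."""
    v, m = vendor.strip().lower(), model.strip().lower()
    if (v, m) in AFFECTED:
        return True
    return v == "qnap" and "qts" in firmware.lower()

# Constructed DNS query log (assumed format: timestamp client qname qtype).
DNS_LOG = """\
2018-05-23T10:15:02Z 192.168.1.1 toknowall.com A
2018-05-23T10:15:09Z 192.168.1.20 www.example.org A
2018-05-23T10:16:41Z 192.168.1.1 ToKnowAll.com. AAAA
2018-05-23T10:17:03Z 192.168.1.30 nottoknowall.com A
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def matches_domain(qname, indicator):
    """Exact or subdomain match. Case and a trailing dot are ignored;
    look-alike names such as nottoknowall.com do not match."""
    q = qname.rstrip(".").lower()
    return q == indicator or q.endswith("." + indicator)

def find_stage2_lookups(log_text, indicator=SEIZED_DOMAIN):
    """Return (client, qname) for every query to the seized domain. Each
    client listed is a candidate for the factory reset the article advises."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and matches_domain(m.group(3), indicator):
            hits.append((m.group(2), m.group(3)))
    return hits

if __name__ == "__main__":
    print(find_stage2_lookups(DNS_LOG))
    print(is_affected("Netgear", "R7000", "third-party firmware"))
```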

  2. VitalyT

    VitalyT Russ-Puss Posts: 4,176   +2,615

    Will the Fancy Bear group get a fancy jail treatment? If not, then it is all for naught, as they will get new domains and new routers in no time.

    They are supposed to be going after the individuals and people who help them, first of all. Simply seizing their tools is a waste of time and taxpayers' money. It's like saying they've captured guns from the bank robbers and letting the robbers leave with the loot.
    Last edited: May 24, 2018
  3. Squid Surprise

    Squid Surprise TS Evangelist Posts: 2,179   +1,192

    Of course not.... they're Russians - and almost certainly paid by the Kremlin - if anything, they'll get medals!

    This is just so the FBI Cyber Division can say "they're doing something" to combat cyber-terrorism...
  4. Uncle Al

    Uncle Al TS Evangelist Posts: 4,627   +3,081

    Perhaps our new CIA Director will be a bit more aggressive and start an "elimination campaign" as used to be done years ago. That gets the word around quickly and takes away some of the bravery of these state sponsored terrorists.
  5. TomSEA

    TomSEA TechSpot Chancellor Posts: 2,995   +1,378

    Agreed. The state-sponsored hacking done by the Russians has long grown beyond the "isn't that cute" stage. Enough is enough.

    I'd like to see some real efforts and punishments on these clowns and the government that is openly sponsoring these activities.
  6. grinninglibber

    grinninglibber TS Rookie

    His job is to cover for the Russians
  7. Lionvibez

    Lionvibez TS Evangelist Posts: 1,418   +576

    I have an R7000 but I'm running Asus firmware, and since there are no Asus routers on the list it looks like I'm good to go.
  8. havok585

    havok585 TS Booster Posts: 176   +43

    A lot of political lefty commentary here, along with the OP's quoted comment "the most famous being the 2016 hack of the Democratic National Committee", which never was proven, just hearsay.

    It seems all went into acute amnesia after the Snowden revelations and Wikileaks showing real proof (not hearsay) that hacking tools that have the capability to make it look like the attack originated from a designated country at a finger's touch were out in the open for years!

    Sigh, this amnesia is killing us.
  9. Kenrick

    Kenrick TS Evangelist Posts: 630   +403

    Good read from the external links. These routers should be fixed ASAP, and there should be a way where manufacturers have an exclusive mailing list so everyone who bought their products should subscribe for security alerts.
  10. Jack F00bar

    Jack F00bar TS Rookie

    It's not amnesia. It's willful ignorance. The Left survive on it. They still think Republicans were the slave owners. Wait until the guy investigating this 'Russian influence' is found to be the person that transferred 20% of the USA's Uranium production to them. Asking them to read evidence is like asking them to eat their own tongues. It will never happen, even if it's right in front of their face.

