The Department of Justice announced an effort last week to disrupt a global network of hundreds of thousands of infected home and office internet routers. The network, referred to by the DOJ and the FBI as “VPNFilter,” targets home and office networks and infects them with destructive computer programs known as malware.
According to the FBI, the malware works in several stages. In the first stage, the code gains entry into a device and establishes a foothold that allows the deployment of subsequent stages.
In the second stage, the malware carries out intended cyber-attacks which include data compromise, the unauthorized transfer of that data to “home” computers (a process known as data exfiltration) and device management.
Some versions of the code are equipped with a self-destruct capability, which works by deleting a critical portion of the device’s system code and then rebooting the device. That process renders the device unusable.
The code is believed to be the work of a group of cyber actors known as the Sofacy Group. The group is also known as “Fancy Bear” and “APT28,” and has been on the radar of law enforcement officials for some time – targeting government, military and security organizations since about 2007.
It is also largely believed that the group is responsible for the hacking of the Democratic National Committee’s computer systems during the 2016 presidential election. Thousands of emails from DNC officials were stolen and posted online during the summer of 2016.
The group is largely believed to be associated with, if not run outright by, the military intelligence services of the Russian government.
While stage 2 of the malware does not survive a reboot, stage 1 does, making it different from other forms of malware that do not persist through a reboot of an infected device.
In order to identify infected devices, the DOJ obtained court orders authorizing the seizure of an internet domain that is part of the malware’s command-and-control infrastructure. With that domain seized, attempts by stage 1 of the malware to reinfect a device are rerouted to an FBI-controlled server, which will attempt to capture the infected device’s IP address, the identifying mark of the device on the internet.
According to tech giant Cisco, at least 500,000 devices in fifty-four countries have been infected. Known affected devices include Linksys, MikroTik and NETGEAR brand routers.
The DOJ and FBI said their actions reflect a new, proactive approach they are taking toward cyber-attacks and cyber-espionage.
“The Department of Justice is committed to disrupting, not just watching, national security cyber threats using every tool at our disposal, and today’s effort is another example of our commitment to do that,” said Assistant Attorney General for National Security John C. Demers, in a statement emailed to ITN.
“This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities.”
“This action by the FBI, DOJ, and our partners should send a clear message to our adversaries that the U.S. Government will take action to mitigate the threats posed by them and to protect our citizens and our allies even when the possibility of arrest and prosecution may not be readily available,” added FBI Special Agent in Charge David J. LeValley.
“As our adversaries’ technical capabilities evolve, the FBI and its partners will continue to rise to the challenge, placing themselves between the adversaries and their intended victims.”
Photo by Sean MacEntee via Flickr