The U.S. Federal Bureau of Investigation recommended in a Friday statement that “any owner of small office and home office routers” reboot the devices, hopefully reducing their exposure to a widespread malware attack linked to Russian government actors. The FBI has reportedly seized a server used to escalate the infection, making rebooting an effective way to disable it.
A Cisco cybersecurity team said on Wednesday that at least 500,000 routers in 54 countries were impacted by the malware, known as VPN Filter. The software reportedly targets consumer-level routers used in home and small offices, and is able to both monitor local traffic and even wipe the routers, destroying them and cutting users off from the internet. Routers from Linksys, Netgear, TP-Link, and MikroTik were reportedly vulnerable – though again, the FBI is recommending rebooting all small or home office routers.
Get Data Sheet, Coins2Day’s technology newsletter.
According to reporting by The Daily Beast, VPN Filter is a product of a group known by names including “Sofacy Group” and “Fancy Bear.” The same group was allegedly responsible for the hack of emails from the Democratic National Committee and the Hillary Clinton campaign in 2016, and has been strongly linked to the Russian government.
According to Ars Technica, the VPN Filter malware is “one of the few Internet-of-things infections that can survive a reboot,” because a persistent first stage of the infection can use automated remote systems to install or re-install its second or third stages.
The FBI’s seizure of one of those remote systems, hosted at the ominously-named domain ToKnowAll.com, means the attackers will likely have to use a much more labor-intensive method to re-infect devices after they’re rebooted. Rebooting will also, according to a Department of Justice statement, help the government teams “identify and remediate the infection worldwide,” apparently by tracking communications sent by infected devices after they’re rebooted.
