Destructive 'VPNFilter' Attack Network Uncovered

More than 500K home/SOHO routers and storage devices worldwide commandeered in potential nation-state attack weapon - with Ukraine in initial bullseye.

2 Min Read
Network Computing logo

A newly unearthed novel and destructive cyberattack infrastructure made up of more than a half-million home and small office routers and network-attached storage devices worldwide has security and equipment vendors, Internet service providers, government officials, and law enforcement scrambling to help clean and patch the infected devices before they're weaponized in an attack.

But given the nature of these typically insecure IoT consumer devices sitting exposed on the public Internet, cleanup and protection won't be simple or even realistic in some cases. 

The so-called VPNFilter is a stealthy and modular attack platform that includes three stages of malware. The first establishes a foothold in the device and unlike previous Internet of Things botnet infections can't be killed with a reboot; the second handles cyber espionage, stealing files, data, as well as a self-destruction feature; and the third stage includes multiple modules including a packer sniffer for nabbing website credentials and Modbus SCADA protocols, as well as a Tor anonymization feature.

VPNFilter can be used to both spy on and aggressively attack a target nation's network infrastructure, according to researchers at Cisco Talos, who first found the threat. The initial target appears to be Ukraine, where the majority of the infected IoT devices reside, and where the attackers have constructed a subnetwork aimed at that nation, complete with its own command and control server recently placed there.

The malware also includes "an exact copy" of Black Energy, according to Craig Williams, senior threat researcher and global outreach manager for Cisco Talos. Black Energy was used in the game-changer attacks that ultimately shut out the lights in western Ukraine in 2015, thought to be the handiwork of Russia.

So far, the infected devices that make up the backbone of VPNFilter include Linksys, MikroTik, NETGEAR, and TP-Link home routers and QNAP network-attached storage (NAS) devices.

Read the rest of this article on Dark Reading.

About the Author(s)

Kelly Jackson Higgins

Executive Editor at Dark Reading

Kelly Jackson Higgins is Executive Editorat She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, CommunicationsWeek, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at The College of William & Mary. Follow her on Twitter @kjhiggins.

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights