FBI warns about Russia-linked malware threat to home routers, but questions linger

More than half a million devices have already been compromised — with more likely to be targeted over the next few weeks.
by Alyssa Newcomb /  / Updated 

Breaking News Emails

Get breaking news alerts and special reports. The news and stories that matter, delivered weekday mornings.

As millions of Americans unplugged for Memorial Day Weekend, the FBI issued an urgent bulletin for anyone with a home or small office internet router to immediately turn it off and then turn it on again as a way to temporarily thwart the spread of foreign malware linked to Russia.

The malware, called VPNFilter, targets small home and office routers. Once a router is infected, the hackers would potentially be able to use the device as a jumping-off point to launch further attacks. The cybercriminals could also collect personal information, block network traffic — or just turn your router into an expensive brick.

“More than half a million routers have been identified already as being compromised, so I think there are a significant number of devices that have been affected and it is difficult to estimate how many devices could be affected in the coming days or week,” Shuman Ghosemajumder, chief technology officer at Shape Security told NBC News.

The 500,000 affected devices Ghosemajumder mentioned come from an analysis performed by Talos, the security arm of Cisco. The company also found the attack present in at least 54 countries.

Devices manufactured by Linksys, MikroTik, Netgear and TP-Link were among those found to have been affected, according to the Talos report. While the initial point of infection is unknown for VPNFilter, it has been quietly spreading since at least 2016, according to researchers.

Many of the infected devices have known public exploits and use default credentials, meaning that customers who set up their home router out of the box and never changed the password or updated the firmware could be at a higher risk.

“If you have an older router, the odds are greater it may have shipped with a standard password which is the same across all types of the device. Change the router password, make sure the firmware is update and in some cases, even replace the router,” Ghosemajumder said.

But here’s the catch: There’s no easy way to know if a device has been infected.

The Department of Justice — which has already linked the malware to a hacking group going by various names, including the Sofacy Group, apt28, fancy bear, and sandworm — last week announced the seizure of a domain name used as a central part of VPNFilter’s “command-and-control infrastructure.”

The court-ordered seizure will allow authorities to begin to identify targeted devices while also disrupting “the ability of these hackers to steal personal and other sensitive information and carry out disruptive cyberattacks,” said Scott Brady, U.S. attorney for the Western District of Pennsylvania.

The threat is in the process of being disrupted, but people who own the vulnerable routers, or want to take some precautions, can also help minimize the spread of the malware, according to security experts who spoke with NBC News.

“Resetting will minimize some of the risk, because some portion of the attack may be deleted after rebooting,” Oren Aspir, chief technology officer at Cyberbit, told NBC News.

A quick power switch is a necessary step, experts said, but they warned that it is not a foolproof fix. Talos recommends resetting the router to factory settings, a process that can be started on most routers by finding a small button on the device — sometimes only accessible with a thin, sharp object — that can be used to hold down the button and reset the router to factory settings.

From there, users can go through the administrative process of setting up the router again and, most important, changing the factory default password.

Authorities and security researchers have both said there are many unknown questions when it comes to VPNFilter, including the intentions of the Russia-linked group believed to be perpetrating the attack.

While it can be a nuisance and a privacy threat to individuals, the scope of the malware could be used for a larger attack, said Guy Caspi, CEO and founder of security company Deep Instinct.

“If this is addressed broadly, it will cause the malware campaign to lose a lot of its access and reduce the broader risk on a macro level,” he said.

Breaking News Emails

Get breaking news alerts and special reports. The news and stories that matter, delivered weekday mornings.
MORE FROM news