US and Russian intelligence agencies are currently battling for control of a botnet of more than half a million hacked home and office network routers.
On Wednesday morning, Cisco’s cybersecurity research arm announced that at least 500,000 routers — spread across 54 countries, though the vast majority are in Ukraine — had been infected with malicious software by the GRU, Russia’s military intelligence agency best known for hacking the Democratic National Committee and the Olympic World Anti-Doping Association in 2016.
Dubbed VPNFilter, the program is sophisticated and gives whoever controls the botnet a number of abilities over compromised routers. That includes the capability to monitor internet traffic that comes through the router, to send that information back to the Russian government via the Tor network, and to render the router itself unusable if necessary.
But sometime before 9 a.m. Wednesday, the FBI took a major step to disrupt the botnet by getting a warrant to seize the domain the VPNFilter-affected devices would reach out to, thereby halting the process by which an infected router gets new instructions, according to a source familiar with the operation. The Department of Justice announced the operation Wednesday night.
Though it’s unclear exactly what Russia planned to do with the botnet, it’s likely it would be used to disrupt life in Ukraine, according to the person familiar with the FBI’s operation. Russia has historically hit Ukraine with cyberattacks before trying to use those attacks elsewhere, and tends to deploy them around significant dates.
One possibility is that the botnet was timed to coincide with the upcoming first anniversary of NotPetya, Russia’s best-known malware, which ravaged pirated and unpatched Windows computers around the world.
Originally deployed in Ukraine in June 2017, NotPetya was so disruptive to the world economy that the US and its four closest intelligence partners — Australia, Canada, New Zealand, and the UK — issued an unprecedented joint announcement condemning Russia for its recklessness. The US Treasury Department cited the attack as one reason behind the sanctions against Russian security agencies this March.
But while the domain seizure announced Wednesday has slowed the growth of the VPNFilter botnet, it is far from over. Most users are far more likely to update their phones or computers than their home router, and many common routers are rife with known vulnerabilities. The Justice Department recommended that anyone with a potentially affected router reboot it immediately, though officials noted that it is possible the routers could be reinfected.
“Patching routers is hard,” the person familiar with the takedown operation said. “Most individuals and small businesses will do better to just go and buy another router.”