The FBI said Friday that Russian hackers had infiltrated and infected hundreds of thousands of routers in more than 50 countries, according to a Reuters report. The agency advised owners of several types of routers to reboot them, and to download updates from their manufacturer, to prevent the collection of user information or interference with internet traffic.
The warning came after the agency obtained a court order on Wednesday to seize a web domain that formed part of the “command-and-control infrastructure for malware,” which the hackers had planned to use to communicate with the infected routers. The seizure severed the hackers' connection to the routers, and any attempts to reinfect routers through that domain will now be recorded by the agency; the routers themselves, however, remain infected until their owners take further action.
According to a Justice Department statement by the US attorney for the Western District of Pennsylvania, Scott W. Brady:
“This court-ordered seizure will assist in the identification of victim devices and disrupts the ability of these hackers to steal personal and other sensitive information and carry out disruptive cyberattacks.”
In its effort to obtain the court order, the Justice Department said that the hackers were part of a group called Sofacy, also known as Fancy Bear and APT28, which is directly linked to the Russian government, and was connected to high-profile breaches such as the Democratic National Committee hack during the 2016 presidential campaign.
Cybersecurity researchers are calling the malware VPNFilter. According to Talos, the threat intelligence group of Cisco Systems, devices from Linksys, MikroTik, Netgear Inc, TP-Link, and QNAP were all targeted by the hackers.
According to the assessment from Talos:
“The malware has a destructive capability that can render an infected device unusable…which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide.”
Though the FBI said that the infections were detected on devices users had bought from stores or online, the agency warned that routers obtained directly from internet providers could also have been infiltrated.
“The size and scope of the infrastructure by VPNFilter malware is significant,” according to the agency. They noted that the malware could potentially leave routers “inoperable,” and was challenging to detect, thanks to encryption.
The agency said users should restart their routers to disrupt the malware, upgrade to the latest firmware from the manufacturer, change passwords, and disable remote-management settings.