The Federal Bureau of Investigation has released a blanket warning to owners of small business and household networking equipment that Russian-linked malware has been found infecting router devices. A router directs traffic on the internet by forwarding data packets between computer networks. Hundreds of thousands of routers from a range of manufacturers have been found to be infected by the malware.
An analysis by Cisco’s threat intelligence division, Talos, has linked the malware to the hacking group Fancy Bear. That group, also known as A.P.T. 28 and the Sofacy Group, is believed to be directed by Russia’s military intelligence agency. Fancy Bear is believed to be the entity responsible for hacking the Democratic National Committee ahead of the 2016 presidential election, according to information released by American and European intelligence agencies.
The F.B.I. and cybersecurity researchers are calling the malware VPNFilter. The analysis by Talos estimated that at least 500,000 routers in at least 54 countries had been infected by the malware. Small office and home office routers from manufacturers Linksys, MikroTik, Netgear, and TP-Link were among the networking equipment found to be affected.
The analysis by Talos noted significant similarities between the computer code for VPNFilter and that of another type of malware called BlackEnergy. Versions of BlackEnergy were found to be responsible for multiple large-scale attacks that targeted devices in Ukraine. The announcement from the F.B.I. did not provide any details about where the criminals might be based, and their motivations remain unknown.
VPNFilter is a dangerous piece of malware. It is capable of blocking web traffic, collecting information that passes through home and office routers, and disabling the devices entirely. Talos’s assessment said, “The malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide.”
The F.B.I. has made an urgent request for anybody with one of the potentially affected devices to reset their router. Rebooting the device will temporarily disrupt the malware if it is present. The web domain toknowall.com, which was a critical part of the malware’s “command-and-control infrastructure”, is now under F.B.I. control. Any attempt by the malware to reinfect a compromised router will be redirected to an F.B.I. server that can record the I.P. address of the affected device.
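The sinkhole described above records infected devices from the F.B.I.’s side; a network administrator can do the equivalent locally by checking resolver logs for lookups of the seized domain, since a device that keeps asking for it is a candidate for a reboot and closer inspection. The script below is an added example, not part of the article or of any Talos or F.B.I. tooling; it assumes dnsmasq-style query log lines (constructed here) and flags the source addresses that looked up toknowall.com or any subdomain of it.

```python
import re
from collections import Counter

# Domain the article reports as seized and sinkholed by the F.B.I.
SINKHOLED_DOMAINS = {"toknowall.com"}

# Constructed sample log lines in dnsmasq "query" format (not real data).
SAMPLE_LOG = """\
May 23 10:01:02 dnsmasq[1234]: query[A] www.example.org from 192.168.1.20
May 23 10:01:05 dnsmasq[1234]: query[A] toknowall.com from 192.168.1.1
May 23 10:02:11 dnsmasq[1234]: query[AAAA] mail.example.org from 192.168.1.22
May 23 10:15:05 dnsmasq[1234]: query[A] toknowall.com from 192.168.1.1
May 23 10:16:00 dnsmasq[1234]: query[A] photos.toknowall.com from 192.168.1.40
"""

# Assumed log shape: "query[TYPE] NAME from SOURCE_IP" somewhere in the line.
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<src>\S+)")


def matches_sinkholed(name: str) -> bool:
    """True if name is a sinkholed domain or a subdomain of one (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in SINKHOLED_DOMAINS)


def find_suspect_hosts(log_text: str) -> dict:
    """Map each source IP that looked up a sinkholed domain to its lookup count."""
    hits = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and matches_sinkholed(m.group("name")):
            hits[m.group("src")] += 1
    return dict(hits)


if __name__ == "__main__":
    for src, n in sorted(find_suspect_hosts(SAMPLE_LOG).items()):
        print(f"{src}: {n} lookup(s) of a sinkholed C2 domain; reboot and inspect this device")
```

Point the script at your resolver’s real query log instead of SAMPLE_LOG; a host that appears repeatedly is the one to reboot and check.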