Published: Sun, May 27, 2018
Money | By Armando Alvarado

Russian hackers infect over 500,000 routers worldwide with malware

On May 8th, a "sharp spike" in infections was observed, with new infections appearing primarily in Ukraine, and most of the infected devices in that country having a unique stage 2 infrastructure compared to the rest of the world.

The Justice Department also advised anyone who owns SOHO or NAS products that may have been infected by VPNFilter to restart their devices.

According to the researchers, Russian hackers have used a sophisticated malware called "VPNFilter" to infect over 500,000 routers and network devices in at least 54 countries. "The capabilities built into the various stages and plugins of the malware are extremely versatile and would enable the actor to take advantage of devices in multiple ways".

The botnet has been slowly growing since at least 2016, the researchers say, and now consists of at least 500,000 infected devices in some 54 countries around the world. "The others might even send out letters to the home users urging them to restart their devices".

"The type of devices targeted by this actor are hard to defend".

An advanced malware attack, believed to be developed by a nation-state actor, has been discovered by Cisco's Talos Intelligence research division.

In all, 14 models of home routers made by Linksys, MikroTik, Netgear and QNAP were targeted by the malware. Known by several names, including APT28, Pawn Storm, Sandworm, Sednit and the Sofacy Group, the hackers are blamed for engineering attacks on the Organization for Security and Cooperation in Europe, the World Anti-Doping Agency and the US Democratic Party, as well as several internet disruptions in Ukraine.

[Image: The Kremlin and St Basil's Cathedral in Moscow. Caption: The Kremlin has been accused of multiple acts of cyber aggression in recent years.]

The United States Justice Department shortly after announced seizing a domain used in the botnet campaign.

This multistage, modular platform malware persists through a reboot in its initial stage.

The US Department of Homeland Security has fingered Russian cyber-spies as the creators of the BlackEnergy malware and the perpetrators of the 2015 and 2016 Ukraine power grid attacks.

Ukraine issued an alert yesterday alleging that the Russian Federation was planning to use the infected routers to attack local internet users during this Saturday's Champions League final in Kiev. The malware infects devices and monitors network traffic, looking for login credentials that a hacker can use to seize control of industrial processes, Williams said.
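The credential-harvesting behaviour described above matters because a compromised router sits in the path of every session that crosses it; whatever is sent in cleartext can be read there. The script below is an added example, not code from the article or from Cisco Talos: it audits a constructed sample of HTTP requests for credentials that travel unencrypted (HTTP Basic authentication headers and password fields in form bodies), the kind of exposure a defender would want to find and close by moving such services behind TLS. The host names, request lines and the `user`/`password` field names are constructed sample values, not taken from the article.

```python
"""Added example (not from the article): audit a traffic sample for credentials
sent in cleartext, which an in-path compromised router could read.
Every request below is a constructed sample, not captured traffic."""
import base64
from urllib.parse import parse_qs

# Constructed sample: (scheme the request was sent over, raw HTTP request text).
SAMPLE_REQUESTS = [
    ("http", "GET /admin HTTP/1.1\r\nHost: plc.example\r\n"
             "Authorization: Basic b3BlcmF0b3I6aHVudGVyMg==\r\n\r\n"),
    ("http", "POST /login HTTP/1.1\r\nHost: hmi.example\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "user=eng&password=s3cret"),
    # Same login form, but over TLS: an in-path observer sees only ciphertext.
    ("https", "POST /login HTTP/1.1\r\nHost: portal.example\r\n\r\n"
              "user=eng&password=s3cret"),
    ("http", "GET /status HTTP/1.1\r\nHost: plc.example\r\n\r\n"),
]

# Form field names commonly used for passwords (assumed list for this example).
CRED_FIELDS = {"password", "passwd", "pwd", "pass"}
USER_FIELDS = ("user", "username", "login")


def parse_request(raw):
    """Split a raw HTTP request into (request line, lowercase header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_cleartext_credentials(scheme, raw):
    """Return a list of (kind, username) findings for one request.

    Only cleartext HTTP is inspected: over HTTPS the wire carries ciphertext,
    so a device in the path cannot harvest anything from it.
    """
    if scheme == "https":
        return []
    _, headers, body = parse_request(raw)
    findings = []

    # HTTP Basic auth is just base64 of "user:password"; it is not encryption.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth.split(None, 1)[1]).decode()
            findings.append(("basic-auth", decoded.split(":", 1)[0]))
        except Exception:
            findings.append(("basic-auth", "<undecodable>"))

    # URL-encoded login forms expose the password as a plain field in the body.
    if body:
        fields = parse_qs(body)
        if any(name in CRED_FIELDS for name in fields):
            user = next((fields[n][0] for n in USER_FIELDS if n in fields), "<unknown>")
            findings.append(("form-password", user))
    return findings


def audit(requests=SAMPLE_REQUESTS):
    """Return (host, kind, username) for every cleartext credential found."""
    report = []
    for scheme, raw in requests:
        host = parse_request(raw)[1].get("host", "?")
        for kind, user in find_cleartext_credentials(scheme, raw):
            report.append((host, kind, user))
    return report


if __name__ == "__main__":
    for host, kind, user in audit():
        print(f"{host}: {kind} credential for '{user}' sent in cleartext")
```

Running it on the sample flags the Basic-auth request to `plc.example` and the form login to `hmi.example`; the identical login over HTTPS produces no finding, which is the point of the mitigation: a router that can read the wire gains nothing from sessions that are encrypted end to end.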

In the meantime, Cisco urged owners of infected devices and ISPs to reset the devices to factory defaults and reboot them, and to apply available patches immediately. It is the later stage of the malware that can also overwrite a critical portion of a device's firmware, rendering it unusable.

"By seizing a domain used by malicious cyber actors in their botnet campaign, the Federal Bureau of Investigation has taken a critical step in minimizing the impact of the malware attack", said Scott Smith, assistant director for the FBI's Cyber Division. "This shows that the actor is willing to burn users' devices to cover up their tracks, going much further than simply removing traces of the malware", the researchers wrote.

Ukraine's cyberpolice said in a statement that it was possible the hackers planned to strike during "large-scale events", an apparent reference either to the upcoming Champions League game between Real Madrid and Liverpool in the capital, Kyiv, on Saturday or to Ukraine's upcoming Constitution Day celebrations.
