Destructive 'VPNFilter' Attack Network Uncovered

More than 500K home/SOHO routers and storage devices worldwide commandeered in potential nation-state attack weapon - with Ukraine in initial bullseye.

Dark Reading logo in a gray background | Dark Reading

A newly unearthed novel and destructive cyberattack infrastructure made up of more than a half-million home and small office routers and network-attached storage devices worldwide has security and equipment vendors, Internet service providers, government officials, and law enforcement scrambling to help clean and patch the infected devices before they're weaponized in an attack.

But given the nature of these typically insecure IoT consumer devices sitting exposed on the public Internet, cleanup and protection won't be simple or even realistic in some cases. 

The so-called VPNFilter is a stealthy and modular attack platform that includes three stages of malware. The first establishes a foothold in the device and unlike previous Internet of Things botnet infections can't be killed with a reboot; the second handles cyber espionage, stealing files, data, as well as a self-destruction feature; and the third stage includes multiple modules including a packer sniffer for nabbing website credentials and Modbus SCADA protocols, as well as a Tor anonymization feature.

VPNFilter can be used to both spy on and aggressively attack a target nation's network infrastructure, according to researchers at Cisco Talos, who first found the threat. The initial target appears to be Ukraine, where the majority of the infected IoT devices reside, and where the attackers have constructed a subnetwork aimed at that nation, complete with its own command and control server recently placed there.

The malware also includes "an exact copy" of Black Energy, according to Craig Williams, senior threat researcher and global outreach manager for Cisco Talos. Black Energy was used in the game-changer attacks that ultimately shut out the lights in western Ukraine in 2015, thought to be the handiwork of Russia.

So far, the infected devices that make up the backbone of VPNFilter include Linksys, MikroTik, NETGEAR, and TP-Link home routers and QNAP network-attached storage (NAS) devices.

Cisco stopped short of naming Russian state-sponsored hackers as the attackers behind VPNFilter, but also didn't rule it out, especially with the BlackEnergy connection and Ukraine-specific attack network. "The code overlap we saw was an exact copy, including even an error," Williams says. "It certainly could be a false flag [pointing to Russia]. But when you combine that [malware] with other factors, such as it appears to be specifically targeting Ukraine, with destructive malware and appears to be preparing for an attack on Constitution Day [June 28] … With all those facts we have high confidence they are not acting in Ukraine's interests."

Meanwhile, Ukraine's state security service, SBU, called out Russia as the perpetrator of the threat and warned of the possibility of an attack on its infrastructure in the runup to the UEFA Champions League final soccer match in Kiev this Saturday. "Security Service experts believe that the infection of hardware on the territory of Ukraine is preparation for another act of cyber-aggression by the Russian Federation, aimed at destabilizing the situation during the Champions League final," the SBU said in a statement reported in Reuters.

'Attribution-less' Network

Cisco's Williams describes VPNFilter as "almost like a VPN tunnel designed to be used by the attacker for separate attacks."

VPNFilter allows the attacker to remain anonymous because it uses infected home and SOHO devices as its weapons, and the victims act as unknowing participants. "It's basically a modular, attribution-less network to attack other networks without any blame being cast on them [the attackers]," Williams says. "This is what a nation-state uses to attack another nation-state and not get blamed."

While Ukraine appears to be an initial target, VPNFilter has victim devices in 54 countries, including the US, and can be used to attack any nation, he says. The built-in self-destruction module also wipes the firmware of the devices, rendering them inoperable for the users: that could both knock users and companies offline.

Cisco in early May first noticed infected devices scanning ports 23, 80, 2000, and 8080, ports typically associated with Mitrotik and QNAP NAS systems, across more than 100 countries. But things escalated on May 8, when VPNFilter infections jumped dramatically – mainly in Ukraine, and then again on May 17. That led to Cisco going public with its findings even before it had full understanding of the infections and the vulnerabilities exploited.

The company has been working with the affected vendors and fellow members of the Cyber Threat Alliance to alert customers and lock down devices, and has been blacklisting domains associated with the attacker infrastructure for its customers.

"The attackers could turn loose another NotPetya … DDoS, literally anything. They are only limited by their own creativity," Williams says.

What to Do

Users of the infected devices should reboot them as soon as possible, which will kill off the stage 2 and 3 malware. That's a temporary fix, however, since the persistent first-stage malware isn't removable with a reboot and the attackers could come back and reinstall the stage 2 and 3 malware again. The devices also should be updated with the latest patches and default credentials should be changed to new strong credentials, according to Symantec

Updates from the various equipment vendors are rolling in. Netgear said in addition to firmware updates and password resets for its routers, users should turn off remote management in its devices.

"Hopefully, we caught it in time," Williams says of the VPNFilter campaign. Ensuring the actual patching and securing the infected IoT devices mostly will fall on the ISPs, small businesses, or even large businesses who have these devices installed, he says.

Cisco is urging ISPs to "work aggressively" with customers to get the device patched and up-to-date, and to assist users in rebooting their routers.

Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, recommends all home routers and NAS devices be rebooted just in case. "Given the list of compromised device models is large and potentially incomplete, it is recommended that everyone reboots their home routers and NAS devices one time," he says. 

That doesn't mean VPNFilter is randomly scanning each and every vulnerable device like Mirai did, however, according to Symantec. Symantec thus far has not seen indiscriminate scanning via its honeypot and sensor data. 

Security experts meanwhile have been warning that Russia and other nation-states could ratchet up more aggressive cyberattacks against the US, likely posing as other nations and attack groups for plausible deniability. Russia has been honing its skills on that front for the past year or so, with its destructive NotPetya attack campaign targeting Ukraine, its election-meddling operation during the 2016 US presidential election, and most recently, the false flag operation in its hack of the Winter Olympics systems.

"This is an alarming variant of malware, as it can destroy infrastructure and take western allies back to the Stone Ages," says Tom Kellermann, chief cybersecurity officer with Carbon Black. "This will spread to NATO members' [countries] this week, and I feel that Putin has taken his gloves off." 

Cisco's Williams echoes the sentiment that VPNFilter is another level of nation-state threat. "This is not an everyday threat," he says. "It took a lot of time and effort to design, with the purpose of coordinated attacks around the globe."

The fact that so many IoT devices with known vulnerabilties and weak security (default passwords, etc.) were harnassed into such an attack weapon shouldn't be shocking, though, notes Adam Meyers, CrowdStrike. The question is "what took so long?" he says. "The fact that these devices were targeted is not news."

There have been warnings for years now about how these devices could be used as more lethal attack weapons. "We should not be surprised."

Related Content:

About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights