VPNfilter malware explained

Nadin Bhatt
Last updated: May 29, 2020

In May 2018, Cisco Talos issued a public advisory on their blog regarding a widespread, global infection with a modular malware system referred to as “VPNfilter.” The latter was and still is capable of collecting sensitive internet traffic from infected, consumer-grade routers, but is also adept in much more advanced tasks.

Router models vulnerable to this hacking attempt belong to some of the most successful manufacturers, including Asus, Netgear, TP-Link, Linksys, Mikrotik, Huawei, ZTE, D-Link, and several others. In addition, the malware was also found capable of wiping out the router’s firmware, its in-built software, thereby rendering it useless.

No firm leads, but a lot of evidence

Judging from their investigations, Cisco researchers concluded that the purpose of VPNfilter is to build an immense, hard-to-attribute intelligence infrastructure that can serve a variety of needs for the threat actor. The FBI’s report concluded that the people behind this infection belong to a Russian state-sponsored hacking group called Sofacy, also known as STRONTIUM, Fancy Bear, and APT28. Given the scale and complexity of the VPNfilter malware threat, we believe it necessary to understand how it works, what damage it can cause, and what you can do to protect yourself against it.

At the time of the announcement, Cisco was working with both private and public intelligence agencies in order to assess the source, gravity, and technical breakdown of the threat. The American technology company estimated over 500,000 infections throughout 54 countries. What prompted the public announcement in the first place was a severe increase in VPNfilter activity, a significant risk in its own right, as well as two large-scale assaults. Talos security experts argued that the severity of the attacks mandated that the public be made aware of what was going on before the investigation could be concluded.

More importantly, these cyber assaults were carried out through a command and control (C2) infrastructure particularly aimed at the Ukrainian region, which was the site of at least two immense attacks. The scale and capability of this operation were far beyond what could be achieved by independent hacker initiatives. The fact that components of the VPNfilter malware could steal website credentials, monitor popular communication protocols such as Modbus SCADA, and render devices unusable only made things worse.

Giving one organization the potential to render internet connections unusable for hundreds of thousands of individuals or, as it was the case in 2018, for entire regions is worrisome enough without the addition of seeing and knowing everything their victims do online. The intelligence-gathering and manipulating potential is prodigious.

A silently growing threat

The reason why some router brands are exposed to VPNfilter’s attacks while others are not is a combination of the software’s inner workings and the actors behind it. The group’s MO is to target remote access points: routers that are safeguarded neither by an intrusion protection system (IPS) nor by an anti-virus (AV) package on their host. Talos claimed that they were unaware of the specific exploit used by the malware to infect the router, but that the targeted devices were known to have public exploits or default firmware credentials which expose them to straightforward compromise.

To Talos’ knowledge, the VPNfilter malware threat had been silently expanding since 2016, and at the time of publishing their report, it was growing at an alarming rate. The main spreading technique for the malware was from one small-office/home-office router to another, as well as through QNAP NAS devices. Simply rebooting the router did not help, but a reboot followed by a factory reset of the firmware was shown to disable certain functionalities of the malware.

However, because the persistent first stage survives a reboot, VPNfilter’s later-stage modules could be re-deployed over time, which is why it remains imperative that you check your manufacturer’s website for firmware updates and patches in order to remove the problem completely.

Breakdown of how it works

The malware was designed specifically to avoid complete deletion. It is a multi-stage, modular platform through which both intelligence collection and cyber-attack operations are carried out. Most programs in this class of malicious software lack the means to persist through a reboot; VPNfilter’s stage 1, however, does. The purpose of this first phase is to gain an enduring foothold on the infected device and enable the deployment of the stage 2 module.

Stage 1 has multiple command and control (C2) features that help it identify the IP address of the current server facilitating the deployment of stage 2. In May 2018, the server was primarily communicating with infected routers by means of the domain toknowall.com, which was subsequently seized by the FBI. If the domain was inaccessible, the router was instructed to open a listening port and wait for the controlling organization to connect to it directly.

Stage 2, which is completely removed by a reboot, works in a manner similar to other intelligence-collection platforms. Its purpose is to execute commands, collect files, manage the device itself, and extract sensitive data. Some versions of the VPNfilter malware also have a self-destruct function embedded in the second stage, whereby most of the router’s firmware is overwritten and the device rebooted, which effectively bricks it.

Lastly, stage 3 consists of multiple modules that the stage 2 component loads like plugins, extending the software’s functionality. One of these facilitated the theft of website credentials by means of a packet sniffer and monitored Modbus SCADA communication, while another plugin permitted VPNfilter to communicate over Tor. The Talos group was confident that more of these add-ons existed, but could not determine their functionality at the time of writing their report.
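As an added example (not code from the article or from Talos), the script below shows how a defender could spot the two stage-1 behaviours described above in their own logs: lookups of the seized toknowall.com domain, and a router that has unexpectedly opened a new listening port. The DNS log lines, the router address and the port numbers are constructed sample values, not published indicators.

```python
"""Added example: flag stage-1 VPNfilter behaviours in constructed router telemetry.
Only toknowall.com comes from the article; every log line, host and port below is
a constructed sample (assumption), not a published indicator."""
import re
from typing import Dict, List, Set

# Domain the article names as the stage-1 rendezvous point (seized by the FBI).
KNOWN_C2_DOMAINS = {"toknowall.com"}

# Constructed resolver log: "<timestamp> <client-ip> query <name>"
DNS_LOG = """\
2018-05-23T10:01:02 192.168.1.1 query time.nist.gov
2018-05-23T10:01:05 192.168.1.1 query toknowall.com
2018-05-23T10:02:10 192.168.1.42 query example.org
2018-05-23T10:03:30 192.168.1.1 query cdn.toknowall.com
"""

DNS_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")


def suspicious_dns(log: str) -> List[Dict[str, str]]:
    """Return entries whose queried name is a known C2 domain or a subdomain of one."""
    hits = []
    for line in log.splitlines():
        m = DNS_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the sweep
        ts, client, name = m.groups()
        labels = name.lower().rstrip(".").split(".")
        # Compare every suffix so "cdn.toknowall.com" matches but "nottoknowall.com" does not.
        if any(".".join(labels[i:]) in KNOWN_C2_DOMAINS for i in range(len(labels))):
            hits.append({"time": ts, "client": client, "name": name})
    return hits


# Constructed baseline of ports the router is expected to listen on, and a later scan.
BASELINE_PORTS: Set[int] = {22, 53, 80, 443}
CURRENT_PORTS: Set[int] = {22, 53, 80, 443, 4100}


def new_listeners(baseline: Set[int], current: Set[int]) -> Set[int]:
    """Ports listening now but absent from the baseline: the article notes that stage 1
    falls back to opening a port and waiting for an inbound connection."""
    return current - baseline


if __name__ == "__main__":
    for h in suspicious_dns(DNS_LOG):
        print(f"[C2 DNS] {h['time']} {h['client']} -> {h['name']}")
    for p in sorted(new_listeners(BASELINE_PORTS, CURRENT_PORTS)):
        print(f"[NEW LISTENER] port {p} not in baseline")
```

Feed it your resolver logs in the same shape and a port inventory taken when the router was last factory-reset; any hit warrants the reset-and-update procedure the article describes.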

Security measures

Although the malware is expansive, highly versatile, and enduring in nature, there are several measures that can disrupt and even completely wipe it. Encrypting the routers, disabling remote management functions, and securing them with strong passwords were shown to be quite effective. In June 2018, the Symantec Corporation expanded the list of affected router manufacturers provided by Talos, showing that the malware was more pervasive than initially thought. The organization also devised a free VPNfilter check tool that you can readily use.

However, because you can never control routers that you don’t own, the VPNfilter software continues to be a problem.

How a secure VPN service can help against VPNfilter

To avoid being infected by remaining instances of the malware, the best thing you can do is encrypt your internet traffic with a quality VPN tool.

For those who install the router version of a VPN service – for instance, the router software of services such as TorGuard, ExpressVPN or NordVPN – or use custom-firmware devices such as those offered by FlashRouter, there’s nothing to worry about.


  1. Dennis Aucho

    The problem with router malware is that they are device-dependent usually or we would see much more of them.

    VPNFilter affects a small subset of network routers; the majority of them are in Ukraine. This is the one piece of good news.

  2. Jack H

    Wow, this is really scary. I was still hesitating on buying a VPN, but I don’t think I’ll be hesitating much longer. I’ll go with NordVPN; this one sounds really great. Thanks for the article.

  3. Limitless Lucas

    Omg, this is so scary. Malware just keeps on evolving and most people are vulnerable. Good thing I recently got ExpressVPN, and I trust it 100% to keep me safe online.
