FBI Battles Russian Botnet

News  |  May 25, 2018

The Daily Beast first reported Wednesday the FBI used a court order to seize "control of a key server in the Kremlin’s global botnet of 500,000 hacked routers." This move allows the FBI to compile a list of victims and stop the hackers from getting back into the breached systems. 

The FBI counter-operation goes after “VPNFilter,” a piece of sophisticated malware linked to the same Russian hacking group, known as Fancy Bear, that breached the Democratic National Committee and the Hillary Clinton campaign during the 2016 election. On Wednesday security researchers at Cisco and Symantec separately provided new details on the malware, which has turned up in 54 countries including the United States.

VPN Filter attacks home office routers and can get access to a victim's website login credentials, disable devices at will, and attack the type of industrial protocol used in electric grids. 

The FBI has been investigating the botnet since at least August, according to court records, when agents in Pittsburgh interviewed a local resident whose home router had been infected with the Russian malware. “She voluntarily relinquished her router to the agents,” wrote FBI agent Michael McKeown ...

(...)

That allowed the bureau to identify a key weakness in the malware. If a victim reboots an infected router, the malicious plugins all disappear, and only the core malware code survives. That code is programmed to connect over the Internet to a command-and-control infrastructure set up by the hackers.

The FBI was able to identify the backup source and got a federal judge to help them legally take over the domain. 

In other words, average consumers have the ability to stop Russia’s latest cyber attack by rebooting their routers, which will now reach out to the FBI instead of Russian intelligence. According to the court filings, the FBI is collecting the Internet IP addresses of every compromised router that phones home to the address, so agents can use the information to clean up the global infection.

“One of the things they can do is keep track of who is currently infected and who is the victim now and pass that information to the local ISPs,” said Thakur. “Some of the ISPs have the ability to remotely restart the router. The others might even send out letters to the home users urging them to restart their devices.”

The court order only lets the FBI monitor metadata like the victim’s IP address, not content.
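The sinkhole workflow described in the excerpt above (rebooted routers phoning home to the seized domain, the operator logging only their IP addresses, and ISPs being handed lists of affected customers to notify) can be illustrated with a small log-triage script. This is an added example, not code from the Daily Beast article, the FBI operation or any vendor; the log line format, the ISP prefix table and every address in it are constructed for the demonstration, and the prefix table stands in for the WHOIS/ASN lookup a real operator would use.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample sinkhole log (hypothetical format: UTC timestamp, source IP, request).
# Only the metadata a sinkhole operator would retain (time and source address) is used.
SAMPLE_LOG = """\
2018-05-24T01:02:03Z 203.0.113.7 GET /
2018-05-24T01:02:09Z 198.51.100.23 GET /
2018-05-24T01:05:00Z 203.0.113.7 GET /
2018-05-24T01:07:41Z 192.0.2.55 GET /
2018-05-24T01:08:00Z not-an-ip GET /
2018-05-24T01:09:12Z 10.0.0.5 GET /
"""

# Constructed ISP allocation table (hypothetical): in practice this comes from
# WHOIS/ASN data. RFC 5737 documentation ranges stand in for real customer prefixes.
ISP_PREFIXES = {
    "203.0.113.0/24": "ExampleNet",
    "198.51.100.0/24": "DocuCable",
    "192.0.2.0/24": "ExampleNet",
}

# Sources that cannot be Internet-facing victims: RFC 1918 space and loopback.
# (ipaddress's is_global is deliberately not used here, because it also rejects
# the RFC 5737 documentation ranges used in the constructed sample.)
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_line(line):
    """Return (timestamp, ip_string) for a usable log line, else None."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        addr = ipaddress.ip_address(parts[1])
    except ValueError:  # malformed timestamp or address: skip, do not crash the triage
        return None
    if any(addr in net for net in NON_ROUTABLE):
        return None
    return ts, str(addr)


def compile_victims(log_text):
    """De-duplicate phone-home events into {ip: {"first_seen", "last_seen", "count"}}."""
    victims = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        entry = victims.setdefault(ip, {"first_seen": ts, "last_seen": ts, "count": 0})
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
        entry["count"] += 1
    return victims


def group_by_isp(victims, prefixes):
    """Bucket victim IPs by the ISP whose prefix contains them, for notification."""
    nets = [(ipaddress.ip_network(p), isp) for p, isp in prefixes.items()]
    groups = defaultdict(list)
    for ip in victims:
        addr = ipaddress.ip_address(ip)
        isp = next((name for net, name in nets if addr in net), "unknown")
        groups[isp].append(ip)
    return {isp: sorted(ips) for isp, ips in groups.items()}


if __name__ == "__main__":
    victims = compile_victims(SAMPLE_LOG)
    for isp, ips in group_by_isp(victims, ISP_PREFIXES).items():
        print(f"{isp}: {len(ips)} infected router(s) -> {', '.join(ips)}")
```

The script keeps exactly the kind of data the court order permits (source address and time, no content), drops malformed lines and private-range sources rather than failing, and produces one per-ISP list so that each provider can push a remote restart or send letters to the customers on its own prefixes. Repeat check-ins from the same router collapse to a single victim record with a hit count, which is what a sinkhole operator needs to track re-infection after reboots.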

BuzzFeed News:

But while the domain seizure announced Wednesday has slowed the growth of the VPNFilter botnet, it is far from over. Most users are far more likely to update their phones or computers than their home router, and many common routers are rife with known vulnerabilities. The Justice Department recommended that anyone with a potentially affected router reboot it immediately, though officials noted that it is possible the routers could be reinfected.

“Patching routers is hard,” the person familiar with the takedown operation said. “Most individuals and small businesses will do better to just go and buy another router.”

Washington Post:

The FBI and the Department of Homeland Security have notified trusted internet service providers of the malware, according to the DOJ. 

Exclusive: FBI Seizes Control of Russian Botnet (Daily Beast)

The FBI Has Launched An Operation To Take Down A Massive Russian Botnet (BuzzFeed News)

The Cybersecurity 202: The FBI is trying to thwart a massive Russia-linked hacking campaign (The Washington Post)