What is believed to be a nation-state sponsored hacking group has managed to infect around half a million routers with VPNFilter malware.

VPNFilter is a modular malware that can carry out various functions, including the reviewing all communications, beginning attacks on other devices, theft of credentials and data, and even destroying the router on which the malware has been placed. While the majority of IoT malware infections – including those used to create large botnets for DDoS attacks – are not capable of surviving a reboot, VPNFilter malware can survive a reset like this.

The malware can be downloaded on the type of routers often used by small companies and consumers such as those produced by Netgear, Linksys, TP-Link and MikroTik, as well as network-attached storage (NAS) devices from QNAP, according to security experts at Cisco Talos who have been monitoring infections over the last while.

The ultimate target of the hackers is unknown, although the infected devices could potentially be used for a wide variety of malicious activities, including major cyberattacks on critical infrastructure, such as disrupting power grids – as happened with BlackEnergy malware.

Since it is possible for the malware to turn off Internet access, the threat actors to blame for the campaign could easily stop large numbers of individuals in a targeted region from going online.

While the malware has been placed on routers around the world – infections have been seen in 54 countries – the majority of infections are in Ukraine. Infections in Ukraine have increased greatly in recent weeks.

While the investigation into the campaign is still current, the decision was taken to go public due to a huge increase in infected devices over the past three weeks, together with the incorporation of advanced capabilities which have made the malware a much more major threat.

While the security expert researchers have not blamed Russia directly, they have found parts of the code which are identical to that used in BlackEnergy malware, which was implemented in many attacks in Ukraine. BlackEnergy has been linked to Russia by some security experts. BlackEnergy malware has been deployed by other threat actors not believed to be tied to Russia to the presence of the same code in both forms of malware is not solid proof of any link to Russia.

The FBI has gone an additional step by attributing the malware campaign to the hacking group Fancy Bear (APT28/Pawn Storm) which has links to the Russian military intelligence agency GRU. Regardless of any nation-state backing, the complex nature of the malware means it is the work of a particularly advanced hacking group.

Most of the infiltrated routers are aging devices that have not received firmware updates to address known flaws and many of the attacked devices have not had default passwords changed, leaving them vulnerable to attack. It is not entirely obvious how devices are being infected although the exploitation of known flaws is most probable, rather than the use of zero-day exploits; however, the latter has not been eliminated.

There had been Some progress has been made disrupting the VPNFilter malware campaign. The FBI has seized and sinkholed a domain in use by the malware to send information to the threat group behind the campaign. Without that domain, the hackers cannot manage the infected routers and neither identify new devices that have been infected.

Making sure a router is updated and has the most recent version of firmware will offer some degree of protection, as will changing default passwords on vulnerable devices. Sadly, it is not easy to tell if a vulnerable router has been infected. Carrying out a factory reset of a vulnerable router is strongly recommended as a precautionary measure.

Resetting the device will not remove he malware, but it will succeed in removing some of the additional code installed on the device. However, those additional malware components could be installed again when contact is re-established with the device.