Researchers are still using lessons from VPNFilter to track threats one year later

The lessons learned from that takedown of the 500,000-router botnet are still reverberating today in the cybersecurity community.

It’s been a year since private security researchers worked with the FBI to dismantle a 500,000-router-strong botnet that loomed over Ukraine.

Lessons learned in that takedown of the “VPNFilter” botnet are still reverberating today in the cybersecurity community, informing defenders about other sets of malicious activity, said Martin Lee, a manager at Cisco Talos, the threat intelligence team that helped uncover the botnet.

Lee pointed to the so-called Sea Turtle domain name system hijacking campaign, which Talos detailed last month. Like VPNFilter, the Sea Turtle activity was an example of a state-sponsored attacker abusing internet infrastructure at scale to steal credentials. Data gathered from the VPNFilter investigation, combined with the lesson that state-sponsored actors are willing to subvert core internet infrastructure, has driven home the fact that attackers can exploit critical devices at scale in a way that few people had fully appreciated.

“Essentially, [the Sea Turtle perpetrator] is a threat actor trying to do the same kind of activity [as VPNFilter] – conduct man-in-the-middle attacks, siphon off user names and passwords – but through a different technique,” said Lee, who is manager for Europe, the Middle East and North Africa, and Asia at Talos’ Outreach division.


The VPNFilter malware was modular, meaning different pieces of code could be plugged in to give its operators different functionality, and the botnet had the ability to render inoperable a half-million routers. But because researchers coordinated closely with law enforcement, the botnet was disarmed before it could do any damage. In taking it down in May 2018, the FBI attributed VPNFilter to APT28, the infamous Russian government-linked hacking group, in what was a milestone in the short history of public-private cooperation to thwart advanced hacking threats.

“This was a wake-up call that alerted the cybersecurity community to a new kind of state sponsored threat – a vast network of compromised devices across the globe which can siphon away secrets, hide the origins of attacks, and coordinate the shutdown of networks,” Lee and his colleague Benny Ketelslegers wrote in a blog post to be published Thursday.

The blog describes the two-and-a-half-year journey of the domain used by APT28 to distribute the VPNFilter malware, and the suspicious behavior of a router that was a clue to authorities nine months before the botnet was disrupted.

Asked if, at the time, he had any concerns about whether parts of the VPNFilter threat would linger on after authorities seized the domain, Lee said “there always is [that concern] because you can never be certain” what an adversary will do next. While the domain seizure effectively killed off the botnet, “what you never know is [if] that going to provoke a response, or [if] there is other activity that actually you haven’t seen which is going to be enabled,” Lee added.

Although there didn’t appear to be follow-on activity from that episode, APT28 has remained active in other areas over the last year – targeting European think tanks, for example, in the fall.


Awareness boosts defenses

A year later, Lee said he believes the awareness VPNFilter raised about unpatched network devices has made vendors and users more cognizant of that type of large-scale threat.

Lee spoke of the cat-and-mouse game between attackers and defenders in which both learn from past incidents. He was optimistic that network defenders had learned enough from VPNFilter to make them better prepared today for a similar threat.

“People cannot protect themselves against threats which they’re unaware of,” Lee told CyberScoop. “So for us, getting that information out there is so, so important.”

The nonprofit Cyber Threat Alliance, through which Talos shared threat data on VPNFilter with other companies, has built on that success to warn of multiple threats in the last year.


“It’s always going to be a balance between who is learning most from these incidents,” Lee said. “I think we can only gain by talking about them and actually raising the awareness that these type of things happen, that network infrastructure is a target of the bad guys.”

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.