Russian-linked VPNFilter malware is even worse than originally thought, new research suggests

A malware framework that's already infected hundreds of thousands of routers across the globe — particularly in Ukraine — appears to be even more dangerous than originally thought, according to new findings by Cisco Talos.

A malware framework that’s already infected hundreds of thousands of routers across the globe appears to be even more dangerous than originally thought, according to new findings by Cisco’s internal cybersecurity unit Talos.

The latest results show that the malware, “VPNFilter,” affects a wider array of devices, including more than 11 different hardware vendors, and carries several previously unknown infection capabilities, such as the potential to manipulate internet traffic on the end device in novel ways. The Talos researchers revealed the additional analysis Wednesday after having first publicly documented the botnet last week.

A significant percentage of the devices infected through VPNFilter are based in Ukraine, leading domestic security services to claim that the malware symbolized a national security threat.

Broadly speaking, VPNFilter works by traversing the web and automatically targeting unpatched routers and servers that carry outdated software.  The term “botnet” is used to describe an army of zombie computers that are maliciously controlled by an attacker.


Current U.S. officials and other experts have linked VPNFilter to a hacking group known as APT28, also called “Fancy Bear.” This entity is widely associated with Russia’s Main Intelligence Directorate (GRU) and has been blamed for breaching the Democratic National Committee in 2016.

Court documents suggested last week that Russia had been involved in VPNFilter. The FBI has called on the public to restart home routers in order to wipe the virus after agents seized a staging server that was controlling a component of the botnet built via VPNFilter.

The case has proved to be an important example of the private sector working closely alongside law enforcement.

Simply put, VPNFilter is dangerous because it offers the attacker the ability to both destroy data, rendering the device unusable, and covertly spy on specific targets. With Wednesday’s findings, perhaps the most unsettling new capability discovered by Talos is that VPNFilter can also execute a man-in-the-middle attack on incoming Web traffic that passes through infected routers; giving APT28 an avenue to inject malware into legitimate web applications.

“Initially when we saw this we thought it was primarily made for offensive capabilities like routing attacks around the Internet,” Craig Williams, a senior technology leader and global outreach manager at Talos, told Ars Technica reporter Dan Goodin. “But it appears [attackers] have completely evolved past that, and now not only does it allow them to do that, but they can manipulate everything going through the compromised device. They can modify your bank account balance so that it looks normal while at the same time they’re siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the device.”


Even with the FBI’s efforts and affected organizations pushing out information about VPNFilter to partners, the botnet appears to remain consistently large. On Friday, media reports suggested that the botnet had taken a hit after the FBI router reset instruction but that it was already quickly recovering.

In a statement sent to CyberScoop, Williams said that fluctuations in the size of the VPNFilter botnet should be expected since more people now know what makes these devices vulnerable.

“Once the details of a vulnerable or exploited device is made public, you should expect that a variety of honest and nefarious actors – from college students to threat researchers to real adversaries – to start popping up their own systems and scanning for the impacted devices,” said Williams. “Therefore once an attack like this is disclosed, you should never trust conclusions based on telemetry data – its flawed because there is no way of deciphering between good and bad actors. Any statements at this time, regarding new attacks, should be met with extreme skepticism.”

He added, “I’d compare this to a rush on water after a flood is announced. Now everyone is aware of hundreds of thousands of free machines for the taking. Bad guys, good guys, and those in between are going to try and get what they can from them.”

Chris Bing

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Marys College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.

Latest Podcasts