On May 23, 2018, researchers at Cisco Talos published a report detailing their discovery of a botnet of hundreds of thousands of hacked routers that appeared to be preparing for a cyber-attack on Ukraine. The researchers say the botnet was built by infecting home and small-office routers with a new malware strain named VPNFilter. It is widely believed within the InfoSec community and by other nation states that Russia, and in particular the nation-state group APT28, is behind the botnet and the malware, and experts believe it was built to target Ukraine.
According to Cisco, the malware is unusually complex when compared with other IoT botnets. VPNFilter supports boot persistence (only the second IoT malware seen in the wild to do so), scans for SCADA components, and carries a firmware-wiping function that can incapacitate affected devices. SCADA, short for supervisory control and data acquisition, refers to control-system architectures that use computers, networked data communications and graphical user interfaces for high-level supervision of industrial processes; together these components manage industrial machinery and factory processes. Searching for and targeting such components has become a favorite of nation-state groups.
This in itself would not necessarily link Russian nation-state hacking groups to VPNFilter. Cisco, however, believes there is code overlap with BlackEnergy, the malware strain used in the attack that cut power to parts of Ukraine in December 2015. Several countries, including the US, believe Russia was responsible for the BlackEnergy attacks.
The US Department of Homeland Security went as far as issuing an analysis report attributing those attacks to Russia. Taking all of the evidence together, researchers believe Ukraine is once again the target. An attack may be timed to coincide with the UEFA Champions League Final in Kiev on May 26, and Ukrainian authorities have issued a warning echoing the experts' concerns. Another possible date is Ukraine's Constitution Day, which falls on June 28.
The Botnet of over 500,000 Hacked Routers
Cybersecurity firm Symantec also issued a report confirming much of what Cisco's report covered. The Symantec report lists the affected devices, which include:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- MikroTik RouterOS on Cloud Core Routers, models CCR1016, CCR1036 and CCR1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN
VPNFilter does not exploit any new or unknown zero-day vulnerabilities; it relies on older ones that are already public knowledge. The botnet may have been built as far back as 2016, but researchers say it began intense scanning activity in recent months and grew rapidly, with infected devices observed in 54 countries. While the recent expansion has been broad, many of the newly compromised devices are located in Ukraine, further pointing to Ukraine as the target and Russia as the attacker. The group has even set up a dedicated command-and-control server to manage the Ukrainian bots.
Based on both Cisco's and Symantec's analysis, the alarm appears to have been justifiably sounded. As stated above, VPNFilter is one of the most complex IoT malware strains developed to date. The malware has three distinct stages. The first stage is the simplest: it consists solely of the components needed to infect the device, obtain boot persistence and retrieve the later stages from the attackers' infrastructure. The second stage is the main payload and supports a plugin architecture for the third-stage modules. Cisco confirms these plugins are responsible for:
- Sniffing network packets and intercepting traffic
- Monitoring for the presence of Modbus SCADA protocols
- Communicating with C&C servers via the Tor network
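The Modbus check that the stage 3 sniffer performs, shown as an added example written for this page (it is not code from the original article, from Cisco or Symantec, or from the malware): the parser validates the Modbus/TCP MBAP header and function code so that a packet sniffer, or a defender's own detector, classifies a TCP payload as Modbus by structure rather than trusting the port number. The `find_modbus` function and its packet-tuple input format are assumptions for the example, not any tool's API, and every byte string below is constructed rather than captured.

```python
"""Classify TCP payloads as Modbus/TCP by validating the MBAP header and PDU.

Added example for this article; not code from Cisco, Symantec or VPNFilter.
Sample packets below are constructed, not captured traffic.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

MODBUS_TCP_PORT = 502

# Public Modbus function codes (subset). A set 0x80 bit marks an exception response.
KNOWN_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17, 20, 21, 22, 23, 24, 43}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int      # with the exception bit stripped
    is_exception: bool
    pdu: bytes              # function code followed by data


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusFrame]:
    """Return a ModbusFrame if payload is a well-formed Modbus/TCP ADU, else None.

    MBAP header, big-endian, 7 bytes: transaction id (2), protocol id (2, always 0),
    length (2) = number of bytes that follow, i.e. unit id + PDU, unit id (1).
    The PDU is a function code plus data; a TCP ADU is at most 260 bytes.
    """
    if len(payload) < 8:                      # header plus at least a function code
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or not (2 <= length <= 254):
        return None
    if len(payload) != 6 + length:            # length field must match the bytes present
        return None
    fc = payload[7]
    is_exc = bool(fc & 0x80)
    base_fc = fc & 0x7F
    if base_fc not in KNOWN_FUNCTION_CODES:
        return None
    if is_exc and length != 3:                # exception PDU = function code + exception code
        return None
    return ModbusFrame(tid, unit, base_fc, is_exc, payload[7:])


# Assumed input shape: (src ip, src port, dst ip, dst port, tcp payload)
Packet = Tuple[str, int, str, int, bytes]


def find_modbus(packets: Iterable[Packet]) -> List[dict]:
    """Report every packet whose payload parses as Modbus, on any port."""
    hits = []
    for src, sport, dst, dport, payload in packets:
        frame = parse_modbus_tcp(payload)
        if frame is None:
            continue
        hits.append({
            "src": src, "dst": dst, "dport": dport,
            "unit": frame.unit_id, "fc": frame.function_code,
            "exception": frame.is_exception,
            "nonstandard_port": MODBUS_TCP_PORT not in (sport, dport),
        })
    return hits


# Constructed samples: a Read Holding Registers request, a Write Single Coil
# request, an exception response, an HTTP request sent to port 502, a truncated
# frame, and a Read Input Registers request on a non-standard port.
SAMPLE_PACKETS: List[Packet] = [
    ("10.0.0.5", 40001, "10.0.0.20", 502, bytes.fromhex("00010000000601030000000a")),
    ("10.0.0.5", 40001, "10.0.0.20", 502, bytes.fromhex("00020000000601050013ff00")),
    ("10.0.0.20", 502, "10.0.0.5", 40001, bytes.fromhex("000100000003018302")),
    ("10.0.0.9", 40002, "10.0.0.20", 502, b"GET / HTTP/1.1\r\nHost: plc\r\n\r\n"),
    ("10.0.0.9", 40003, "10.0.0.20", 502, bytes.fromhex("0001000000060103")),
    ("10.0.0.5", 40004, "10.0.0.21", 5020, bytes.fromhex("000300000006010400010002")),
]

if __name__ == "__main__":
    for hit in find_modbus(SAMPLE_PACKETS):
        print(hit)
```

Both the HTTP request aimed at port 502 and the truncated frame are rejected, while the frame on port 5020 is still recognised and flagged as being on a non-standard port; matching on structure rather than port is what lets a sniffer (or a detector watching for one) find Modbus traffic wherever it runs.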
The third stage consists of the plugins themselves, which run on top of the second stage and handle the communication with the command-and-control servers. Of all the stages, the second is considered the most dangerous because some versions of it contain a self-destruct function that overwrites a critical portion of the device's firmware and reboots the device. This renders the device unusable, as the code needed to start it has been overwritten. Malware that does this is referred to as a wiper, and wipers are becoming increasingly popular with attackers who want to prevent authorities and security researchers from conclusively proving who carried out an attack.
The threat was deemed so serious that the Federal Bureau of Investigation (FBI) obtained a court order to take control of the domain toknowall.com, which VPNFilter bots would contact to obtain their commands and additional modules. The order was granted on the basis of an affidavit submitted by the Bureau, in which the FBI states that it too believes the botnet was created by, and is under the control of, the well-known Russian cyber-espionage unit tracked under names including APT28, Sednit, Fancy Bear, Pawn Storm, Sofacy, Grizzly Steppe, STRONTIUM and Tsar Team. With the domain now under FBI control, the potential for further damage has been reduced. The FBI is asking owners of routers and other IoT devices that may be affected to reboot them. A reboot does not remove the persistent first stage, so by itself it does not prevent reinfection, but it does clear the non-persistent later stages and gives the FBI a full picture of the botnet's real size: as soon as a rebooted device starts up, the first stage attempts to contact the command-and-control domain, which now resolves to FBI-controlled infrastructure, so the device can be identified. The resulting list of infected devices will let the FBI notify ISPs and public- and private-sector partners who can deal with them.
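The same beacon that lets the FBI count rebooted bots is visible to anyone running the DNS resolver in front of those devices. The script below is an added example written for this page, not the FBI's or any vendor's tooling: it reads dnsmasq-style query logs and reports each client that tried to resolve toknowall.com (the domain named above) or a subdomain of it. The log lines are constructed for the example, and the `dnsmasq[...]: query[A] name from ip` line format is an assumption about the resolver in use; the suffix comparison is deliberate so that a look-alike such as nottoknowall.com is not flagged.

```python
"""Find hosts that have tried to resolve the sinkholed VPNFilter domain.

Added example for this article, not the FBI's or any vendor's tooling. It
reads dnsmasq-style query logs ("query[A] name from ip") and reports each
client that asked for toknowall.com or a subdomain of it. The log lines
are constructed for the example.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Domain named in the article; extend with other published indicators as needed.
SINKHOLED_DOMAINS = {"toknowall.com"}

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}) "
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<src>\S+)$"
)


def matches_sinkhole(name: str) -> bool:
    """True for the domain itself or any subdomain of it.

    A plain substring test would also flag look-alikes such as nottoknowall.com,
    so the comparison is anchored on a label boundary. Trailing dots and case
    are normalised because resolvers log names in either form.
    """
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in SINKHOLED_DOMAINS)


def beaconing_hosts(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each client IP that resolved a sinkholed name to the names it asked for."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and matches_sinkhole(m["name"]):
            hits[m["src"]].append(m["name"])
    return dict(hits)


# Constructed sample log; the look-alike and the malformed line must not match.
SAMPLE_LOG = """\
May 25 09:12:01 dnsmasq[1234]: query[A] toknowall.com from 192.168.1.1
May 25 09:12:03 dnsmasq[1234]: query[A] www.example.com from 192.168.1.50
May 25 09:12:09 dnsmasq[1234]: query[A] TOKNOWALL.COM. from 192.168.1.1
May 25 09:15:44 dnsmasq[1234]: query[AAAA] nottoknowall.com from 192.168.1.7
May 25 09:16:02 dnsmasq[1234]: query[A] update.toknowall.com from 10.0.0.2
this line is not a dnsmasq query record
""".splitlines()

if __name__ == "__main__":
    for ip, names in beaconing_hosts(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} lookups -> {sorted(set(names))}")
```

On the constructed log, 192.168.1.1 and 10.0.0.2 are reported and 192.168.1.7 is not; a host that shows up here after a reboot is one whose persistent first stage survived the reboot and should be factory-reset and re-flashed rather than merely rebooted again.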