FBI Would Like Your Help, With Your Router

The Department of Justice would like a word about your router. In fact, according to an FBI Public Service Announcement, they would like all of you to reboot your small office and home office routers.

The Justice Department today announced an effort to disrupt a global botnet of hundreds of thousands of infected home and office (SOHO) routers and other networked devices under the control of a group of actors known as the “Sofacy Group” (also known as “apt28,” “sandworm,” “x-agent,” “pawn storm,” “fancy bear” and “sednit”). The group, which has been operating since at least in or about 2007, targets government, military, security organizations, and other targets of perceived intelligence value.
Assistant Attorney General for National Security John C. Demers, U.S. Attorney Scott W. Brady for the Western District of Pennsylvania, Assistant Director Scott Smith for the FBI’s Cyber Division, FBI Special Agent in Charge Robert Johnson of the Pittsburgh Division and FBI Special Agent in Charge David J. LeValley of the Atlanta Division made the announcement.

“The Department of Justice is committed to disrupting, not just watching, national security cyber threats using every tool at our disposal, and today’s effort is another example of our commitment to do that,” said Assistant Attorney General Demers. “This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities.”

“The United States Attorney’s Office will continue to aggressively fight against threats to our national security by criminals, no matter who they work for” said U.S. Attorney Brady. “This court-ordered seizure will assist in the identification of victim devices and disrupts the ability of these hackers to steal personal and other sensitive information and carry out disruptive cyber attacks. We will be relentless in protecting the people of Western Pennsylvania – from international corporations to local businesses to the elderly – from these threats.”

“Today’s announcement highlights the FBI’s ability to take swift action in the fight against cybercrime and our commitment to protecting the American people and their devices,” said Assistant Director Scott Smith. “By seizing a domain used by malicious cyber actors in their botnet campaign, the FBI has taken a critical step in minimizing the impact of the malware attack. While this is an important first step, the FBI’s work is not done. The FBI, along with our domestic and international partners, will continue our efforts to identify and expose those responsible for this wave of malware.”

“The FBI will not allow malicious cyber actors, regardless of whether they are state-sponsored, to operate freely,” said FBI Special Agent in Charge Bob Johnson. “These hackers are exploiting vulnerabilities and putting every American’s privacy and network security at risk. Although there is still much to be learned about how this particular threat initially compromises infected routers and other devices, we encourage citizens and businesses to keep their network equipment updated and to change default passwords.”

“This action by the FBI, DOJ, and our partners should send a clear message to our adversaries that the U.S. Government will take action to mitigate the threats posed by them and to protect our citizens and our allies even when the possibility of arrest and prosecution may not be readily available,” said FBI Special Agent in Charge David J. LeValley. “As our adversaries’ technical capabilities evolve, the FBI and its partners will continue to rise to the challenge, placing themselves between the adversaries and their intended victims.”

The botnet, referred to by the FBI and cyber security researchers as “VPNFilter,” targets SOHO routers and network-access storage (NAS) devices, which are hardware devices made up of several hard drives used to store data in a single location that can be accessed by multiple users. The VPNFilter botnet uses several stages of malware. Although the second stage of malware, which has the malicious capabilities described above, can be cleared from a device by rebooting it, the first stage of malware persists through a reboot, making it difficult to prevent reinfection by the second stage.

CNET:

How would pressing a button on your router help, though? According to the FBI, rebooting your router will destroy the part of the malware that can do nasty things like spy on your activities, while leaving the install package intact. And when that install package phones home to download the nasty part, the FBI will be able to trace that — because the US government says it’s seized a critical domain that the Russian hackers were allegedly using.

The FBI confirmed to CNET that yes, it’s asking every owner of a consumer or small business router to do this. Why not just the infected ones? Because it’s not yet clear how far the infection has spread.
Note that it sounds like you might be taking a bit of a risk by simply rebooting your router, instead of a factory reset that could destroy the malware for good:

“Although devices will remain vulnerable to reinfection with the second stage malware while connected to the Internet, these efforts maximize opportunities to identify and remediate the infection worldwide in the time available before Sofacy actors learn of the vulnerability in their command-and-control infrastructure,” the FBI writes.

Either way, you might want to consider updating your router’s firmware.

What say you? Login and Comment.