Russian hackers have infected more than half a million routers across 54 countries with sophisticated malware that contains a killswitch to instantly cut internet access to users, security researchers have revealed.
The VPNFilter malware also allows attackers to monitor the web activity of anyone using the routers, including their passwords, potentially opening up the possibility of further hacks.
“Both the scale and capability of this operation are concerning,” William Largent, a researcher at the cybersecurity firm Talos, said in a blogpost describing the vulnerability.
“The destructive capability particularly concerns us. This shows that the actor is willing to burn users’ devices to cover up their tracks, going much further than simply removing traces of the malware.”
The malware has been attributed to a group of Russian hackers variously known as Sofacy Group, Fancy Bear and APT28. The group has been in operation since the mid-2000s and has previously been blamed for attacks on targets ranging from the Ukrainian military to the 2017 French elections.
Security researchers tell The Independent that the discovery of the malware highlights a broader issue of how vulnerable internet-connected infrastructure is to cyber attacks.
“No longer can we afford to keep our critical infrastructure connected to, and therefore directly accessible to, the internet,” said Eric Trexler, vice president of global governments and critical infrastructure at cybersecurity firm Forcepoint.
“VPNFilter proves that time-tested military techniques such as network segregation not only make sense, but are required if we expect industrial services to remain resilient in the face of sophisticated and persistent attacks.”
Routers found to be vulnerable to the VPNFilter malware include models from Linksys, MikroTik, Netgear and TP-Link, all of which are often used in homes or small offices. The researchers say they have not yet completed their research, but they are making it public now to draw attention to it.
“Defending against this threat is extremely difficult due to the nature of the affected devices,” Mr Largent said.
“The majority of them are connected directly to the internet, with no security devices or services between them and the potential attackers.”
The FBI responded to the revelations by obtaining court permission to seize a web domain believed to be under the control of the Russian hackers.
“This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities,” Assistant Attorney General for National Security John Demers said in a statement on Wednesday.
FBI Special Agent Bob Johnson added: “Although there is still much to be learned about how this particular threat initially compromises infected routers and other devices, we encourage citizens and businesses to keep their network equipment updated and to change default passwords.”