FBI Seizes Control Of Russian Botnet

FBI agents armed with a court order have seized control of a key server in the Kremlin’s global botnet of 500,000 hacked routers.  The move positions the bureau to build a comprehensive list of victims of the attack, and short-circuits Moscow’s ability to re-infect its targets. 

The FBI counter-operation goes after  “VPN Filter,” a piece of sophisticated malware linked to the same Russian hacking group, known as Fancy Bear, that breached the Democratic National Committee and the Hillary Clinton campaign during the 2016 election. 

Recently security researchers at Cisco and Symantec separately provided new details on the malware, which has turned up in 54 countries including the UK and the United States. VPN Filter uses known vulnerabilities to infect home office routers made by Linksys, MikroTik, NETGEAR, and TP-Link. Once in place, the malware reports back to a command-and-control infrastructure that can install purpose-built plug-ins, according to the researchers. 

One plug-in lets the hackers eavesdrop on the victim’s Internet traffic to steal website credentials; another targets a protocol used in industrial control networks, such as those in the electric grid. A third lets the attacker cripple any or all of the infected devices at will.

The FBI has been investigating the botnet since at least August, according to court records, when agents in Pittsburgh interviewed a local resident whose home router had been infected with the Russian malware. “She voluntarily relinquished her router to the agents,” wrote FBI agent Michael McKeown, in an affidavit filed in federal court. 

“In addition, the victim allowed the FBI to utilise a network tap on her home network that allowed the FBI to observe the network traffic leaving the home router.”

That allowed the bureau to identify a key weakness in the malware. If a victim reboots an infected router, the malicious plugins all disappear, and only the core malware code survives. That code is programmed to connect over the Internet to a command-and-control infrastructure set up by the hackers.  First it checks for particular images hosted on Photobucket.com that held hidden information in the metadata. If it can’t find those images, which have indeed been removed from Photobucket, it turns to an emergency backup control point at the hard-coded web address ToKnowAll.com.

Recently FBI agents in Pittsburgh asked federal Magistrate Judge Lisa Pupo Lenihan in Pittsburgh for an order directing the domain registration firm Verisign to hand the ToKnowAll[.]com address over to the FBI. This was used to “further the investigation, disrupt the ongoing criminal activity involving the establishment and use of the botnet, and assist in the remediation efforts,” according to court records. Lenihan agreed, and the bureau took control of the domain.

The move effectively kills the malware’s ability to reactivate following a reboot, said Vikram Thakur, technical director at Symantec, who confirmed that the domain was taken over by law enforcement, but didn’t name the FBI. 

“The payload itself is non-persistent and will not survive if the router is restarted,” Thakur added. “That payload will vanish.” 
In other words, average consumers have the ability to stop Russia’s latest cyber-attack by rebooting their routers, which will now reach out to the FBI instead of Russian intelligence. 

According to the court filings, the FBI is collecting the Internet IP addresses of every compromised router that phones home to the address, so agents can use the information to clean up the global infection.

“One of the things they can do is keep track of who is currently infected and who is the victim now and pass that information to the local ISPs,” said Thakur. 

“Some of the ISPs have the ability to remotely restart the router. The others might even send out letters to the home users urging them to restart their devices.”

The court order only lets the FBI monitor metadata like the victim’s IP address, not content. As a technical matter, Thakur said there’s no danger of the malware sending the FBI a victim’s browser history or other sensitive data. 

“The threat capability is purely to ask for additional payloads,” he said. “There is no data that is leaked from these routers to the domain that is now controlled by an agency.”

Daily Beast

You Might Also Read:

Botnets Are Here To Stay:

Just Who Are Russia's Cyber Warriors?:

Interpol Located & Shut Down 9,000 Command Servers:
 

« GDPR - More People Will Share Data
Countering Electoral Interference »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

rPeople Staffing

rPeople Staffing

rPeople provides direct placement in all areas of your organization, including and specializing in Technical and Executive hiring.

Fornetix

Fornetix

Fornetix is a cybersecurity platform enabling Zero Trust while delivering critical encryption automation, access controls, authorization services, machine identity, and ICAM solutions,

CynergisTek

CynergisTek

CynergisTek is a top-ranked cybersecurity and information management consulting firm dedicated to serving the healthcare industry.

National Cybersecurity Institute (NCI) - Excelsior College

National Cybersecurity Institute (NCI) - Excelsior College

NCI is Excelsior College’s research center dedicated to assisting government, industry, military and academic sectors meet the challenges in cybersecurity policy, technology and education.

vdiscovery

vdiscovery

vdiscovery is a provider of proprietary and best-in-breed solutions in computer forensics, document review, and electronic discovery.

Modulo Security

Modulo Security

Modulo provides automated Governance, Risk, and Compliance (GRC) solutions.

Arab Information & Communication Technologies Organization (AICTO)

Arab Information & Communication Technologies Organization (AICTO)

The Arab ICT Organization (AICTO) is an Arab governmental organization working under the aegis of the league of Arab States.

Dellfer

Dellfer

Dellfer secures connected cars and other IOT devices through Intrinsic protection, enabling the most sophisticated cybersecurity attacks to be seen instantly and remediated with precision.

eResilience

eResilience

eResilience is a division of Referentia Systems, a pioneer in an ultra-secure information safeguarding technique known as “Enclaving”, in which data can be segmented and protected within a network.

Cyber Smart Defense

Cyber Smart Defense

Cyber Smart Defense is a specialist provider of penetration testing services and IT security audits.

Aligned Technology Solutions (ATS)

Aligned Technology Solutions (ATS)

ATS manage, monitor, and maintain everything from your network and servers to your workstations and mobile devices, and we do it proactively to eliminate downtime and keep hackers at bay.

HCS

HCS

HCS is an IT Company and Telecoms provider with an experienced team who are dedicated to ensuring our clients business systems are protected.

Actelis Networks

Actelis Networks

Actelis Networks is a market leader in cyber-hardened, rapid deployment networking solutions for wide-area IoT applications.

Tausight

Tausight

Tausight is an AI-Powered patient data security startup with a mission of reducing healthcare cyber incidents using a more proactive, risk management philosophy.

ITRM

ITRM

ITRM are one of the UK’s top managed service providers and offer a range of award-winning IT solutions, from ad-hoc consultancy to cyber security.

CyberAI Group

CyberAI Group

CyberAI's mission is to pioneer the evolution of the cybersecurity landscape globally, by strategically acquiring and elevating IT consulting firms into leaders of cybersecurity innovation.