VPN Filter malware

May 23, 2018.

TP-Link router. © iStock.

VPN Filter, a sophisticated malware, uses known vulnerabilities to infect routers made by Linksys, MikroTik, Netgear, QNAP and TP-Link. Once installed, the malware contacts a central infrastructure to download specialized plug-ins onto the router. One plug-in lets attackers eavesdrop on their victims’ Internet traffic to steal Web credentials; another targets a protocol used in industrial control networks, such as the power grid. A third plug-in lets attackers disable any or all of the infected devices. Together, the infected units in dozens of countries make up a botnet of 500,000 routers controlled by a Russian hacker group called Sofacy. However, the FBI has likely dealt the botnet a fatal blow by erasing the Photobucket photos whose metadata VPN Filter used to locate its command infrastructure, and by seizing the domain name of a backup infrastructure after a federal court judge ordered domain registrar Verisign to transfer the name.

Ars Technica, “Hackers infect 500,000 consumer routers all over the world with malware.”

Ars Technica, “FBI seizes domain Russia allegedly used to infect 500,000 consumer routers.”