In the ongoing cyber battle between the US Intelligence Community and the Kremlin, the FBI has won a victory. Armed with a court order, the FBI took control of a server used by Russian hackers to send malicious commands to the 500,000 infected routers in their botnet. Court filings say that Sofacy Group, also known as FancyBear, the Russian hacking group that is likely affiliated with the GRU (Russian Military Intelligence) and responsible for the 2016 breach of the Democratic National Committee, controlled the botnet.
A botnet is a network of private computers infected with malicious software and controlled as a group without the owners’ knowledge.
Federal investigators had been investigating the Russian botnet since August and caught a break when a Pittsburgh resident whose router had been infected voluntarily relinquished her router and allowed the FBI to tap her network, enabling them to identify a weakness in the malware, The Daily Beast reports.
The FBI counter-operation goes after “VPNFilter,” a piece of sophisticated malware linked to the same Russian hacking group, known as Fancy Bear, that breached the Democratic National Committee and the Hillary Clinton campaign during the 2016 election. On Wednesday security researchers at Cisco and Symantec separately provided new details on the malware, which has turned up in 54 countries including the United States.
VPNFilter uses known vulnerabilities to infect home office routers made by Linksys, MikroTik, NETGEAR, and TP-Link. Once in place, the malware reports back to a command-and-control infrastructure that can install purpose-built plug-ins, according to the researchers. One plug-in lets the hackers eavesdrop on the victim’s Internet traffic to steal website credentials; another targets a protocol used in industrial control networks, such as those in the electric grid. A third lets the attacker cripple any or all of the infected devices at will.
The tapped router led investigators to understand how the malware worked: when the router is rebooted, the malware code survives and turns to an emergency backup – the web address ToKnowAll[.]com. On Wednesday, federal Magistrate Judge Lisa Pupo Lenihan allowed the FBI to take over the domain.
The seizure of the botnet effectively prevents the malware from surviving a reboot, causing the device to reach out to the FBI instead of Russian hackers, and thwarts “the potential weaponization of a network of more than half a million web-connected devices across the globe”, CNN reports.
The network of infected devices, or botnet, was one of the largest of its kind, cybersecurity experts say, and capable of intelligence gathering as well as disruptive denial-of-service attacks, which could have cut off internet access to hundreds of thousands of people. Its “VPNFilter” malware had been detected in devices in 54 countries but was “actively infecting Ukrainian hosts at an alarming rate,” according to Cisco’s cyberintelligence unit, Talos.
According to CNN, everyone with a router should take measures to ensure their device is not infected.
In a blog post this week, Talos, which researched the botnet alongside public-sector partners, says owners of all “small office/home office” router devices should restart the machines, eliminating one stage of the malware on the devices and causing a second to call out for instructions to the newly seized domain. The FBI-controlled server will capture the IP addresses of affected devices and a private-sector partner group, The Shadowserver Foundation, will work to scrub and restore them, the Justice Department said.
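A network defender with DNS resolver logs can check for the same fallback locally: the following is an added example, not code from the article, Talos, or the FBI, that flags clients looking up the backup domain named above. It assumes a constructed log format of timestamp, client IP, the word `query:`, the queried name and the record type; the sample lines are made up for illustration.

```python
import re

# Backup command-and-control domain named in the article (now FBI-controlled).
SINKHOLE_DOMAIN = "toknowall.com"

# Constructed sample resolver log lines (hypothetical format, not a real capture).
SAMPLE_LOG = """\
2018-05-23T14:02:11Z 192.168.1.1 query: www.example.com A
2018-05-23T14:02:14Z 192.168.1.1 query: ToKnowAll.com A
2018-05-23T14:05:40Z 192.168.1.23 query: mail.example.net MX
2018-05-23T14:06:02Z 192.168.1.1 query: toknowall.com A
2018-05-23T14:09:55Z 10.0.0.7 query: update.toknowall.com A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query:\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def normalize(name: str) -> str:
    """Lower-case a domain, undo the defanged '[.]' notation and drop a trailing dot."""
    return name.lower().replace("[.]", ".").rstrip(".")


def matches_domain(qname: str, domain: str) -> bool:
    """True if qname is the domain itself or any subdomain of it."""
    q, d = normalize(qname), normalize(domain)
    return q == d or q.endswith("." + d)


def find_lookups(log_text: str, domain: str = SINKHOLE_DOMAIN) -> dict:
    """Return {client_ip: {'count', 'first_seen', 'last_seen'}} for every client
    that resolved the given domain; such a client is a reboot-remediation candidate."""
    hits: dict = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not matches_domain(m["qname"], domain):
            continue
        entry = hits.setdefault(
            m["client"], {"count": 0, "first_seen": m["ts"], "last_seen": m["ts"]}
        )
        entry["count"] += 1
        entry["last_seen"] = m["ts"]
    return hits


if __name__ == "__main__":
    for client, info in find_lookups(SAMPLE_LOG).items():
        print(f"{client}: {info['count']} lookup(s), first {info['first_seen']}, last {info['last_seen']}")
```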
Marcus Christian, former federal prosecutor and cybersecurity expert, points out that although the dismantling of VPNFilter averted potentially devastating consequences, FancyBear remains a threat after this defeat. This move is but one victory in an ongoing cyber war, with many adversaries around the world remaining a national security threat.
Why It Matters
The Trump Administration recently eliminated the cybersecurity coordinator position at the White House, leaving no dedicated individual to oversee cyber threats or coordinate with private industry when threats emerge. The Senate Intelligence Committee recently released a report from its 16-month investigation of Russian meddling in the 2016 presidential campaign, concluding that Russian hackers conducted an unprecedented, coordinated cyber campaign against state election infrastructure and that the Department of Homeland Security’s initial response to the cybersecurity threat by the Russians was inadequate.
The FBI got a much-needed victory against the Russians in this cyber battle, but it is certain that the Kremlin will continue its cyber attacks and attempt to harm us in any way possible. The upcoming midterms will be the next target, with the 2020 presidential election in their sights after that.