An advanced malware attack, believed to be developed by a nation-state actor, has been discovered by Cisco’s Talos Intelligence research division. The attack, named “VPNFilter” in a Cisco blog post, has been found to infect routers manufactured by Linksys, MikroTik, Netgear, and TP-Link, as well as NAS devices by QNAP, all of which are products targeted toward the SMB and home office market.

Talos notes that its research is incomplete, but it has disclosed its present findings because the attack, and the number of infected devices, has been rapidly accelerating over the last three weeks.

VPNFilter is a uniquely troublesome attack, as the stage 1 implant (which primarily seeks out the location of the current stage 2 deployment server to load that portion of the malware) is able to persist across reboots. In the blog, Talos characterizes the stage 2 malware as “[possessing] capabilities that we have come to expect in a workhorse intelligence-collection platform, such as file collection, command execution, data exfiltration and device management.”

Troublingly, versions of the stage 2 malware have a kill function, which bricks devices by overwriting the first 5000 bytes of /dev/mtdblock0, and then prompting a reboot. Stage 3 implants are known to exist as plugins that extend the function of the stage 2 malware. Talos has found evidence of a packet sniffer and a module that allows for communication over Tor, the post said, and suspects that other stage 3 implants exist. The group also indicated that “victim IPs appeared to demonstrate behavior that strongly indicated data exfiltration.”

Interestingly, the stage 1 loader attempts to determine the address of the stage 2 host by downloading images from Photobucket, and reading an IP address stored in EXIF data as GPS coordinates, the post noted. If the hardcoded Photobucket URLs fail to load, the malware checks for an image at, and repeats the same process.
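
For analysts triaging an image captured from a suspect device's traffic, the following sketch (an added example, not code from Talos or from the original article) pulls the raw GPS latitude and longitude rationals out of a JPEG's EXIF block using only the standard library. The function names and the sample image are constructed for illustration; the article does not give the rule VPNFilter uses to turn those values into an address, so none is implemented here.

```python
import struct

GPS_IFD_POINTER = 0x8825                  # IFD0 tag that points at the GPS sub-IFD
GPS_LATITUDE, GPS_LONGITUDE = 0x0002, 0x0004

def _entries(tiff, offset, bo):
    """Yield (tag, type, count, 4-byte value field) for each entry of one IFD."""
    (n,) = struct.unpack_from(bo + "H", tiff, offset)
    for i in range(n):
        base = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(bo + "HHI", tiff, base)
        yield tag, typ, count, tiff[base + 8:base + 12]

def _exif_tiff(jpeg):
    """Return the TIFF payload of the first Exif APP1 segment, or None."""
    pos = 2 if jpeg[:2] == b"\xff\xd8" else len(jpeg)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        body = jpeg[pos + 4:pos + 2 + length]
        if jpeg[pos + 1] == 0xE1 and body[:6] == b"Exif\x00\x00":
            return body[6:]
        pos += 2 + length

def gps_rationals(jpeg):
    """Return {'lat': [(num, den) x3], 'lon': [...]}; {} if absent or malformed."""
    try:
        tiff = _exif_tiff(jpeg)
        bo = {b"II": "<", b"MM": ">"}[tiff[:2]]          # TIFF byte order
        (ifd0,) = struct.unpack_from(bo + "I", tiff, 4)
        gps = next(struct.unpack(bo + "I", v)[0]
                   for t, _, _, v in _entries(tiff, ifd0, bo) if t == GPS_IFD_POINTER)
        out = {}
        for tag, typ, count, v in _entries(tiff, gps, bo):
            # Type 5 is RATIONAL; degrees, minutes, seconds are three of them.
            if tag in (GPS_LATITUDE, GPS_LONGITUDE) and typ == 5 and count == 3:
                nums = struct.unpack_from(bo + "6I", tiff, struct.unpack(bo + "I", v)[0])
                out["lat" if tag == GPS_LATITUDE else "lon"] = list(zip(nums[0::2], nums[1::2]))
        return out
    except (TypeError, KeyError, StopIteration, struct.error):
        return {}

def constructed_sample():
    """Constructed image (not a real sample): lat 12/34/56, lon 7/8/9, all over 1."""
    rat = lambda a, b, c: struct.pack("<6I", a, 1, b, 1, c, 1)
    tiff = (b"II*\x00" + struct.pack("<I", 8)
            + struct.pack("<HHHIII", 1, GPS_IFD_POINTER, 4, 1, 26, 0)
            + struct.pack("<HHHIIHHIII", 2, 2, 5, 3, 56, 4, 5, 3, 80, 0)
            + rat(12, 34, 56) + rat(7, 8, 9))
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Calling `gps_rationals(constructed_sample())` returns the six numerator/denominator pairs exactly as stored, so they can be recorded alongside the capture without lossy conversion to decimal degrees.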

Talos has identified roughly 500,000 compromised devices in at least 54 countries, with the first evidence of this attack dating back to 2016. On May 8th, a “sharp spike” in infections was observed, with new infections appearing primarily in Ukraine, and most of the infected devices in that country having a unique stage 2 infrastructure compared to the rest of the world. Another increase in new infections was observed on May 17th.

This is not the first time a significant attack in Ukraine has been observed. An attack in December 2015 resulted in the shutdown of about 30 substations, leaving more than 225,000 people without power for 1-6 hours. This attack, known as BlackEnergy, is theorized to be of Russian origin. While Talos researchers do not specify in the blog where they believe the attack to originate, they do indicate that VPNFilter shares nontrivial similarities to BlackEnergy, as well as emphasize that this has the signature of being a nation-state attack. Both attacks have functions to monitor SCADA communications used in industrial settings.

As noted in a report by Motherboard, the Ukrainian Security Service specifically calls out Russia as being the originator of the attack, and speculates that the attack is intended to destabilize the Champions League finals scheduled for Saturday, May 26th.

A report in The Daily Beast indicates that the FBI has seized the domain used in the stage 1 implant. As the stage 2 and 3 components do not survive a reboot, and with the removal of the associated images on Photobucket, this effectively neutralizes the threat. Users with devices known to be targeted by VPNFilter are advised to ensure they have applied the most recent available security update.

This advice is echoed by security researcher Lorenzo Santina, who has extensively researched issues in MikroTik routers. In an email to TechRepublic, he noted that “Mikrotik is very fast fixing vulnerabilities, but the main problem is that sysadmins do not update these devices for months leaving them exposed to these attacks.”

The big takeaways for tech leaders:

  • The VPNFilter malware has infected at least 500,000 Linksys, MikroTik, Netgear, and TP-Link routers, as well as QNAP NAS systems in 54 countries.
  • Talos does not specify where they believe the attack originates from, though the Ukrainian Security Service indicates that Russia is the likely culprit.