FBI Warns Internet Users to Protect Routers from 'VPNFilter' Cyber-Attack

Security experts said the malware has already infected more than 500,000 devices in over 54 countries.

Published May 25, 2018

 (Piotr Adamowicz /
Image Via Piotr Adamowicz /

Federal officials and cyber security experts both warned Internet users to take steps to protect their home and office routers from an attack by a hacker group that has been linked to Russia.

The Federal Bureau of Investigation said in a statement on 25 May 2018 that foreign cyber actors had used a malware program known as VPNFilter to infect "hundreds of thousands" of home and office routers and other networked devices worldwide.

People using small office and home office routers have been advised to reboot their devices, as well as update their firmware and disable the ability for it to be susceptible to remote access. VPNFilter reportedly has at least one component that cannot be expunged through a simple reboot, making it easier for the user's device to be re-infected. At least two commercial router manufacturers, Linksys and Netgear, have posted guides for users to follow in securing their devices.

The bureau's warning came two days after a report from the Cisco Talos Intelligence Group estimating that at least 500,000 devices in more than fifty countries had been infected with the VPNFilter malware.

"The malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide," the group said in its report.

Officials have reportedly linked the spread of VPNFilter to a group known by the names Apt 28 and Sofacy, which has in turn been connected to the Russian government.

"This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities," Assistant Attorney General for National Security John C. Demers said in a statement from the Justice Department.

Talos said in its report that it noted a "sharp spike" on 8 May 2018 in the amount of devices infected with VPNFilter, nearly all of them located in Ukraine; that particular infection, the group said, was also different than the one hitting devices in other countries. It recorded another "substantial increase" nine days later in the same country.

"This continued to drive our decision to publish our research as soon as possible," Talos said.


Federal Bureau of Investigation. "Foreign Cyber Actors Target Home and Office Routers and Networked Devices Worldwide."     25 May 2018.

Netgear. "Security Advisory for VPNFilter Malware on Some Routers."     23 May 2018.

Largent, William. "New VPNFilter Malware Targets at Least 500K Networking Devices Worldwide."     Cisco Talos Intelligence Group. 23 May 2018.

Chalfant, Morgan. "FBI Working to Disrupt Massive Malware Network Linked to Russia."     The Hill. 24 May 2018.

United States Department of Justice. "Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices."     24 May 2018.

Arturo Garcia is a former writer for Snopes.