FBI Warns Internet Users to Protect Routers from ‘VPNFilter’ Cyber-Attack

Security experts said the malware has already infected more than 500,000 devices in over 54 countries.

  • Published 25 May 2018

Federal officials and cyber security experts both warned Internet users to take steps to protect their home and office routers from an attack by a hacker group that has been linked to Russia.

The Federal Bureau of Investigation said in a statement on 25 May 2018 that foreign cyber actors had used a malware program known as VPNFilter to infect “hundreds of thousands” of home and office routers and other networked devices worldwide.

People using small office and home office routers have been advised to reboot their devices, update their firmware, and disable remote access to them. VPNFilter reportedly has at least one component that cannot be expunged through a simple reboot, making it easier for the user’s device to be re-infected. At least two commercial router manufacturers, Linksys and Netgear, have posted guides for users to follow in securing their devices.

The bureau’s warning came two days after a report from the Cisco Talos Intelligence Group estimating that at least 500,000 devices in more than fifty countries had been infected with the VPNFilter malware.

“The malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide,” the group said in its report.

Officials have reportedly linked the spread of VPNFilter to a group known by the names APT 28 and Sofacy, which has in turn been connected to the Russian government.

“This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities,” Assistant Attorney General for National Security John C. Demers said in a statement from the Justice Department.

Talos said in its report that it noted a “sharp spike” on 8 May 2018 in the number of devices infected with VPNFilter, nearly all of them located in Ukraine; that particular infection, the group said, was also different from the one hitting devices in other countries. It recorded another “substantial increase” nine days later in the same country.

“This continued to drive our decision to publish our research as soon as possible,” Talos said.
