Justice Department seizes internet domain linked to botnet in move to halt bug

The US Justice Department last night seized an internet domain belonging to the Russian-linked VPNFilter botnet, which has infected 500,000 computers worldwide.

VPNFilter has so far infected half a million devices, many of which are believed to be in Ukraine.

The malware, which can allow malicious actors to completely control – and even destroy – a computer, is believed to have been spread by Russian hacking group Fancy Bear, also known as Sofacy, APT28, Pawn Storm, and Sandworm.

A US Justice Department statement read: “The Justice Department today announced an effort to disrupt a global botnet of hundreds of thousands of infected home and office routers and other networked devices under the control of a group of actors known as the Sofacy Group.”

“The group, which has been operating since at least in or about 2007, targets government, military, security organizations, and other targets of perceived intelligence value.”

The VPNFilter botnet, which has infected IoT devices in 54 countries, can intercept and steal data as well as render an infected device completely unusable.

It can also be used to launch a large-scale attack on infrastructure, researchers have warned, and possibly disable internet access for hundreds of thousands of people.

Although seizing the internet domain won’t halt the attack, it will allow those who have infected systems the chance to reboot while the US and security firms look to disable it.

However, a report into the malware noted that the first stage of the malware persists through a reboot – setting it apart from other types of IoT malware, which usually don’t survive a reset.

The report, released yesterday by security firm Talos, detailed their investigation into VPNFilter.

Talos claimed VPNFilter is likely to have been spread by a state actor, or a state-sponsored actor, and said it has high confidence that the Russian government is behind it.

The report read: “If it suited their goals, this command could be executed on a broad scale, potentially rendering hundreds of thousands of devices unusable, disabling internet access for hundreds of thousands of victims worldwide or in a focused region where it suited the actor's purposes.”

Devices infected by VPNFilter – which was named after the phrase was discovered in the coding – include those manufactured by Linksys, MikroTik, Netgear, TP-Link, and QNAP.

Today, Cisco – parent company of threat lab Talos – told The Daily Swig that they still cannot confirm how the malware was spread.

Rumors regarding the purpose of the attack have since been spreading throughout the infosec community, with many suggesting an assault on Ukraine is imminent.

Ukraine’s state security service warned last night of an attack on government and private companies ahead of the Champions League football final on Saturday night.

Other reports suggested an attack on critical infrastructure could be launched ahead of Ukraine’s Constitution Day on June 28.

For its part, Russia has denied any accusations of hacking or other cyber-attacks against other states.

In June 2017, the NotPetya attack disabled computers in Ukraine before spreading across the globe.

Other notable hacks linked to the Fancy Bear group include the 2016 attack on the World Anti-Doping Agency (Wada), which leaked the classified medical records of major sports stars including Serena Williams and Bradley Wiggins.