May 23, 2018

Russia-linked malware infected 500k routers


Routers from a variety of vendors are vulnerable to VPNFilter. Photo: Thomas Trutschel/Photothek via Getty Images

Cisco's Talos research group outlined a malware threat that has already infected 500,000 routers in 54 countries from a variety of manufacturers, with code substantially overlapping with known Russian attacks.

Why it matters: The threat, nicknamed VPNFilter, can infect Linksys, MikroTik, NETGEAR and TP-Link small business and home office routers as well as network-attached storage devices. It can steal website credentials, monitor commands sent to industrial systems and launch destructive attacks against the devices it infects. And it can do all of this beyond the reach of many network defenses, which typically do not protect routers themselves.

How it links to Russian intelligence: The code in VPNFilter overlaps with Russia's BlackEnergy malware, which has been used to attack energy infrastructure in Ukraine. The Talos report notes this is not a definitive link, since another attacker may be co-opting Russian malware, but VPNFilter is aggressively targeting Ukraine.
