VPNFilter, a Nation State Operation

This Cyber Security Info Note reviews the recent disclosure of a sophisticated malware affecting 500,000 networking devices dubbed VPNFilter.

June 11, 2018


The recent disclosure of a sophisticated malware affecting 500,000 networking devices is making headlines around the world. It followed several warnings from manufacturers, security researchers and law enforcement concerning a malicious operation classified as state sponsored. The malware, dubbed VPNFilter and initially affecting Ukrainian hosts, is now spreading across 54 countries at an alarming rate. Researchers attributed this malware to the Russian state-sponsored hacking group Sofacy (also known as Fancy Bear and APT28) just weeks after the discovery of the “LoJack” attack, attributed to the same group. Researchers conclusively determined that this is a global, broadly deployed threat that is actively seeking to increase its footprint.

Contextual Information

Research into the VPNFilter threat has been ongoing since 2016 and reached a point where researchers chose to disclose their findings before the investigation was complete. The versatile and persistent behaviour of this malware on networking devices is generating great concern among security professionals and authorities around the world. Its multi-stage, modular design supports intelligence collection, misattribution and destructive cyberattack operations. Moreover, it has a range of capabilities including data exfiltration, spying on traffic and ultimately rendering the infected device unbootable. According to the researchers, the malware code overlaps with versions of the BlackEnergy malware, which was responsible for multiple large-scale attacks targeting devices in Ukraine.

Known VPNFilter capabilities

  • Adopts a multi-stage architecture, in which some of the more complex functionality runs only in the memory of the infected devices;
  • Contains a payload capable of self-destructing by overwriting critical portions of the device's firmware, rendering the infected device unbootable. This capability can be triggered individually or en masse, and has the potential to cut off internet access for hundreds of thousands of victims worldwide;
  • Allows anonymous C2 communication over the Tor network or SSL-encrypted connections, meaning it will be hard to notice in regular network traffic checks;
  • Includes typical workhorse intelligence-collection capabilities such as traffic monitoring, file collection, command execution, data exfiltration and device management;
  • Modifies non-volatile configuration memory (NVRAM) values to add itself to the device crontab (the Linux job scheduler) to achieve persistence;
  • Downloads images from a photo gallery (Photobucket) and extracts the download server IP address from the six-integer GPS value stored in the images' EXIF information, to achieve persistence;
  • Uses the infected device as a hop point before connecting to a final victim, obfuscating the true point of origin.

VPNFilter attack vector

The VPNFilter attack vector is the exploitation of vulnerabilities in SOHO and NAS network devices to gain initial access to the targets. Once the malware gains control over a device, it is capable of executing a variety of malicious actions and deploying additional payloads in a persistent way. Researchers were unable to confirm whether zero-day vulnerabilities are involved in spreading this threat.

VPNFilter Kill-Chain

  • Installation – The attacker injects malware into devices running firmware based on BusyBox and Linux. The main purpose is to gain a persistent foothold and enable the download and deployment of additional malware in a persistent way.
  • Command & Control – Utilizes multiple redundant C2 mechanisms to discover the IP address of deployment servers, making this malware extremely robust and capable of dealing with unpredictable C2 infrastructure changes.
  • Actions on Objectives – The attack is executed using a variety of capabilities such as file collection, command execution, data exfiltration, device management and firmware overwrite, among others. Additionally, the malware introduces multiple modules serving as plugins that provide additional functionality. Researchers identified two plugin modules: a packet sniffer for collecting traffic that passes through the device, including theft of website credentials and monitoring of Modbus SCADA protocols, and a communications module for the Tor network.

Affected devices

While the research is still ongoing, the current estimated number of infected devices is ca. 500,000, spread over 54 countries. The known device models affected by VPNFilter come from several manufacturers, namely Linksys, MikroTik, NETGEAR and TP-Link in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices. An updated list of affected devices can be found on the researchers’ web site.

Mitigation challenges

The targeted devices are frequently found on network perimeters with no intrusion prevention system (IPS) in place, and typically have no host-based protection available, making them more difficult to protect. Furthermore, affected manufacturers published recommendations for device owners but provided no assurance for older versions that have known public exploits and default credentials, making compromise relatively easy. To mitigate this risk, victims need technical knowledge that in most cases they do not have.

Internet service providers (ISPs) play an important role in mitigating this threat. Service providers typically supply these types of devices as part of an internet subscription package and, in some cases, remotely manage them. ISPs are therefore required to assess which customers are using affected devices and advise on a course of action.

Recent reports reveal that law enforcement agencies such as the FBI are seizing domains such as “toknowall.com” and “photobucket.com” used by the malware. Researchers and authorities believe that these domains are linked to the Russian group Sofacy, also known by the names “APT28,” “Sandworm,” “X-agent,” “Pawn storm,” “Fancy bear” and “Sednit”. These actions will help contain the incident temporarily, but will not resolve the underlying problem.

Recommendations

  • Users of SOHO routers and/or NAS devices should reset them to factory defaults and reboot them in order to remove the potentially destructive, non-persistent malware.
  • Ensure that the device is up to date with the most recent firmware/software version by contacting the manufacturer.
  • Avoid using the default password for the administrator account.
  • If possible, install a malware removal tool and run a full scan.
  • If the device is not maintained by a service provider, access the device admin page and turn off the remote management option in the advanced settings.
  • Internet service providers that remotely maintain SOHO routers should reboot them and update the firmware on their customers' behalf.
  • ISPs and/or device owners should replace the equipment if it is on the list of affected devices.

Closing Remarks

Several factors determine the seriousness of the VPNFilter threat: the range of capabilities this malware presents, its rapid and wide spread, and the difficulty of mitigating the risks due to technical and human challenges. Much remains to be uncovered as researchers investigate the threat, assess the impact and work to better understand the malicious actor's motivations. Users, industry, ISPs and law enforcement all have a critical role in providing an adequate response to this incident, which, if not properly contained, could reach a scale similar to or greater than what was observed last year with the aggressive WannaCry and NotPetya outbreaks.
