Hackers Infected a Half Million Routers with Powerful Malware

Cybercriminals infected small office and home office routers with the VPNFilter malware. Here is what you need to know about VPNFilter, including what to do if you think your router might be infected.

Routers are easy targets for hackers. These devices connect directly to the Internet, so accessing them takes little effort. Plus, most routers do not include built-in protection against malware. Further, known vulnerabilities in routers are often not patched by users since updating their firmware takes some know-how. Because it is so easy to hack routers, cybercriminals were able to infect a half million of these devices with a malware variant known as VPNFilter.

Here is what you need to know about VPNFilter, including what to do if you think one of your routers might be infected with it.

What You Need to Know

Security researchers at Talos recently discovered that cybercriminals had implanted the VPNFilter malware into networking devices used by small offices and home offices around the world. Devices found to be infected include Linksys, MikroTik, NETGEAR, and TP-Link routers as well as QNAP network-attached storage (NAS) devices.

VPNFilter turned the routers and NAS devices into a giant botnet. Security researchers and law enforcement surmised that the cybercriminals were planning to use the botnet to carry out a cyberattack in Ukraine since some of the code in VPNFilter was found in a malware strain used to cripple Ukraine’s power grid back in December 2015.

Fortunately, in May 2018, the US Federal Bureau of Investigation (FBI) seized the website that the hackers used to control the botnet, crippling their ability to carry out the planned attack. However, the danger is far from over. A half million devices are still infected with VPNFilter. The Talos security researchers found that one of VPNFilter’s code modules would allow cybercriminals to collect any data passing through a router or NAS device, including sensitive data such as passwords. Even worse, they discovered another code module designed to overwrite portions of the devices’ firmware, which would make the devices unusable. The situation is so serious that the FBI issued an alert about what the owners of small office and home office routers should do to protect themselves.

What You Need to Do

Symantec has compiled a list of routers and NAS devices known to be affected by VPNFilter. However, there is no easy way to tell if a device is infected. So, if your device is on Symantec’s list, it is highly recommended that you implement four security measures. Some security experts are even advocating that anyone with a small office router, home office router, or NAS device take these measures, even if their device is not on the list.

Here are the security measures:

  • Reset the device to its factory defaults. This removes VPNFilter from your device if it is present and reboots the device. Note that simply rebooting the device removes only some of VPNFilter’s code, not all of it, so a rebooted device is still infected.
  • Update your device’s firmware. The hackers exploited known security vulnerabilities to infect routers and NAS devices with VPNFilter. Updating your device’s firmware patches those vulnerabilities and prevents the device from being re-infected in the future.
  • Disable the device’s remote management feature. Many routers and NAS devices have a remote management feature. While this feature offers convenience, it also makes it easier for hackers to break into your network.
  • Change the device’s default admin password. It is relatively easy for cybercriminals to find the default passwords for routers and NAS devices, so you should change the default password. Be sure to select one that is unique and strong.

Give us a call if you need assistance with implementing any of these measures.
