FBI seizes domain behind major Russian botnet
The FBI has seized a domain linked to what is believed to be a Russian botnet made up of 500,000 infected routers around the world. According to the Department of Justice, the botnet (a network of devices infected with malware) is under the control of the Russian hacking group known as “Fancy Bear” or “Sofacy.” Authorities believe the group was also behind the Democratic National Committee breach during the 2016 presidential election. Sofacy reportedly uses malware called “VPNFilter” to exploit vulnerabilities in home office routers manufactured by Linksys, MikroTik, NETGEAR, TP-Link, and QNAP.
The Daily Beast says that once the malware has infected a router, it reports back to command infrastructure: either a set of photos the hacking group uploaded to Photobucket or the URL ToKnowAll[.]com. That infrastructure then installs plug-ins that can steal login credentials or use the infected devices to attack industrial control networks such as the power grid’s. Photobucket has already deleted those photos, and authorities have now seized the ToKnowAll[.]com domain to prevent the malware from doing anything harmful.
Based on the data the FBI gathered, the malware has to reconnect to that infrastructure after every router reboot, so taking control of the ToKnowAll[.]com domain means being able to disrupt the botnet in a big way. The FBI will now be able to see the IP addresses of people whose machines have been infected with the malware. Symantec technical director Vikram Thakur explained to The Daily Beast: “One of the things they can do is keep track of who is currently infected and who is the victim now and pass that information to the local ISPs. Some of the ISPs have the ability to remotely restart the router. The others might even send out letters to the home users urging them to restart their devices.”
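The mechanism the paragraph above describes, a seized domain turned into a sinkhole so that every infected router that phones home after a reboot reveals its IP address, is easy to see in a resolver log. The following is an added example, not code from the article, the FBI, Symantec, or any vendor: it parses a few constructed DNS query log lines (the log format, the client IPs, and the ISP prefix table are all assumptions made up for illustration), flags lookups of the seized domain named in the article, and groups the resulting client addresses by ISP allocation so they could be passed on for the notification Thakur describes.

```python
import ipaddress
from collections import defaultdict

# The domain the article says was seized (written there defanged as
# ToKnowAll[.]com). In a resolver log it appears as a plain hostname.
SEIZED_DOMAIN = "toknowall.com"

# Constructed sample resolver log. Assumed format per line:
#   <timestamp> <client_ip> <query_name> <query_type>
# These records are invented for this example; they are not real telemetry.
SAMPLE_LOG = """\
2018-05-23T10:00:01Z 203.0.113.7 toknowall.com A
2018-05-23T10:00:05Z 203.0.113.7 www.example.net A
2018-05-23T10:01:12Z 198.51.100.22 TOKNOWALL.COM. A
2018-05-23T10:02:30Z 192.0.2.9 cdn.example.org AAAA
2018-05-23T10:03:44Z 203.0.113.7 toknowall.com A
2018-05-23T10:04:00Z bad-ip toknowall.com A
"""

# Constructed ISP prefix table (hypothetical allocations, documentation ranges).
SAMPLE_ISP_PREFIXES = {
    "ISP-A": "203.0.113.0/24",
    "ISP-B": "198.51.100.0/24",
}


def parse_line(line):
    """Split one log line into (timestamp, client_ip, qname, qtype).

    Returns None for malformed lines or lines whose client field is not a
    valid IP address, so one bad record does not abort the whole run.
    """
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    try:
        ipaddress.ip_address(client)
    except ValueError:
        return None
    # Normalise the query name: DNS names are case-insensitive and may carry
    # a trailing dot when written in fully qualified form.
    return ts, client, qname.rstrip(".").lower(), qtype


def is_seized_domain(qname, domain=SEIZED_DOMAIN):
    """True if qname is the seized domain or any name beneath it."""
    qname = qname.rstrip(".").lower()
    return qname == domain or qname.endswith("." + domain)


def infected_clients(log_text, domain=SEIZED_DOMAIN):
    """Map each client IP that looked up the seized domain to a small summary.

    Each entry records how many times the client beaconed and the first and
    last timestamp seen, which is what a sinkhole operator needs in order to
    say who is currently infected.
    """
    hits = defaultdict(lambda: {"first_seen": None, "last_seen": None, "count": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, client, qname, _qtype = rec
        if not is_seized_domain(qname, domain):
            continue
        entry = hits[client]
        entry["count"] += 1
        if entry["first_seen"] is None:
            entry["first_seen"] = ts
        entry["last_seen"] = ts
    return dict(hits)


def group_by_network(hits, prefixes):
    """Bucket infected client IPs by the ISP prefix that contains them.

    `prefixes` maps an ISP label to a CIDR string. Addresses that match no
    prefix are dropped here (a real operator would route them elsewhere).
    """
    networks = {label: ipaddress.ip_network(cidr) for label, cidr in prefixes.items()}
    grouped = defaultdict(list)
    for client in sorted(hits):
        addr = ipaddress.ip_address(client)
        for label, net in networks.items():
            if addr in net:
                grouped[label].append(client)
                break
    return dict(grouped)


if __name__ == "__main__":
    hits = infected_clients(SAMPLE_LOG)
    for client, summary in hits.items():
        print(client, summary)
    print(group_by_network(hits, SAMPLE_ISP_PREFIXES))
```

Matching on the suffix rather than exact equality is deliberate: a resolver log may show subdomains or a trailing dot, and the case folding keeps `TOKNOWALL.COM.` from slipping past. The per-client first and last timestamps are what lets an operator separate hosts that are still beaconing from ones that have been cleaned.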
Since the malware is known to be present in 54 countries, including the United States, router makers are now encouraging users to reboot their devices and install the latest firmware to patch the vulnerability.