Cisco Talos published its VPNFilter analysis yesterday, alongside an FBI public service announcement and a court-ordered seizure of a key C2 domain (Talos blog post on VPNFilter, May 23; FBI public service announcement). The botnet consists of at least half a million compromised consumer and small-office routers and network-attached storage devices, predominantly MikroTik, Netgear, Linksys, TP-Link and QNAP units, and has been under sustained development for at least a year. Targeting is concentrated in Ukraine, with substantial secondary populations across the rest of Europe and infections in dozens of other countries. Talos judges that the disclosure was forced by a sharp rise in Ukrainian infections, and it flags the Champions League final in Kyiv this weekend as a plausible window for an operationally significant action.

The malware architecture is the most sophisticated of any consumer-IoT-targeting botnet I have seen written up. Three stages. Stage 1 is a persistent loader that survives device reboot, unlike Mirai-class implants, which lose persistence on power cycle. It locates stage 2 through a discovery chain: first GPS coordinates hidden in the EXIF metadata of images hosted on Photobucket, which it converts into a C2 address; then the fallback domain toknowall.com; and finally a passive listener that waits for a trigger packet carrying a new address. Stage 2, which does not survive reboot, implements the operational capabilities: file collection, command execution, data exfiltration and device management. Stage 3 plugins extend stage 2; the two documented so far are a packet sniffer that collects traffic, including credentials, and watches for Modbus SCADA traffic, and a Tor module for C2 communication, and Talos expects further plugins exist. The destructive capability sits in stage 2: a kill command overwrites a critical portion of the device's firmware and reboots it, leaving the device unbootable. That is the part that has the FBI operationally concerned. On a coordinated trigger the actor can brick approximately half a million network appliances simultaneously, with the second-order effect of taking out the connectivity of the affected populations.

The Talos analysis and the FBI announcement both attribute the botnet to the actor cluster known variously as Sofacy, Fancy Bear or APT28, which in Western government attribution language means Russian state intelligence (GRU). The code overlaps, the operational tradecraft and the targeting pattern are consistent with prior attributed activity by the same cluster. The court-ordered seizure of toknowall.com, the fallback C2 domain in the disclosed analysis, removes one stage-2 acquisition path for currently deployed implants, and the Photobucket images are no longer serving. The third path remains, however: stage 1 persists on the device and can re-acquire stage 2 if the actor sends the trigger packet with the address of new C2 infrastructure. The seizure is a disruption, not a takedown.

The operational guidance is clean and unusually direct. The FBI is asking every owner of a SOHO router or NAS device to reboot it. The reboot removes stage 2 (memory-resident, lost on power cycle) and with it any stage 3 plugins, leaving only the stage-1 loader, which without C2 contact does nothing further. It also has a second purpose the announcement is explicit about: a rebooted stage 1 walks its discovery chain and ends up querying toknowall.com, which now resolves to FBI-controlled infrastructure, so the reboot lets the FBI enumerate infected devices. The reboot is therefore not a full remediation, since stage 1 remains, but it is a substantial reduction in operational capability, and any user can perform it without technical expertise. The full remediation is a factory reset followed by a firmware update where the vendor has one, or replacement of the device, together with disabling remote management and replacing default credentials.

For our customer estates, the action this week is to identify any of the affected device models in customer infrastructure, to confirm those devices have been rebooted, and to verify firmware currency. The caveat on the last point is that Talos has not confirmed the initial access vector; it notes only that every affected model has well-known public vulnerabilities or ships with default credentials, so a current firmware and changed credentials are the best available proxy rather than a proven fix. The vCISO portfolio's larger customers do not, in the main, run consumer-grade SOHO routers as production infrastructure, but several customers have remote-office and home-office deployments that include affected device models. The audit work is substantive but tractable. The home-office population, staff working from home on their own consumer routers, is harder to address; the customer-side advice is to push reboot-and-firmware-update guidance to the workforce, recognising that compliance will be partial.
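As an added example for the C2 caveat above and the audit step, and not Talos, FBI or vendor tooling, the following Python runs the two stage-1 discovery indicators named in this write-up (the seized toknowall.com domain and Photobucket image libraries under photobucket.com/user/<name>/library) over constructed DNS and proxy log lines, and scopes the result against a constructed device inventory. The inventory rows, the log format, the hostnames and the IP addresses are assumptions; the real Photobucket indicators are a list of specific user libraries in the Talos IOCs, of which only the path shape is used here.

```python
"""Flag VPNFilter stage-1 C2 discovery traffic in DNS/proxy logs and tie it
to a router/NAS inventory.  Added example; not Talos, FBI or vendor code.
Indicators are the two discovery paths named in the write-up: the seized
fallback domain toknowall.com and Photobucket image libraries
(photobucket.com/user/<name>/library).  Inventory rows, log format and
IPs are constructed for the example."""

import re

# Vendors named in the Talos report; used to scope the audit list.
AFFECTED_VENDORS = {"mikrotik", "netgear", "linksys", "tp-link", "qnap"}

C2_DOMAIN = "toknowall.com"
PHOTOBUCKET_LIBRARY = re.compile(r"(^|\.)photobucket\.com/user/[^/\s]+/library", re.I)

# Constructed inventory: (ip, vendor, model, site).
INVENTORY = [
    ("10.1.0.1", "MikroTik", "hAP ac", "branch-kyiv"),
    ("10.2.0.1", "Netgear", "R7000", "branch-lviv"),
    ("10.3.0.1", "Cisco", "ISR 1100", "hq"),
    ("10.4.0.5", "QNAP", "TS-251", "branch-lviv"),
]

# Constructed log lines: "<timestamp> <source-ip> <dns|http> <name-or-url>".
LOG_LINES = """\
2018-05-24T08:01:02Z 10.1.0.1 dns toknowall.com
2018-05-24T08:01:05Z 10.3.0.1 dns updates.example.net
2018-05-24T08:02:11Z 10.4.0.5 http http://photobucket.com/user/someuser/library
2018-05-24T08:03:00Z 10.2.0.1 dns time.example.org
2018-05-24T08:04:40Z 10.9.9.9 dns www.toknowall.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(dns|http)\s+(\S+)$")


def is_c2_indicator(kind, value):
    """Return a short label if a DNS name / URL matches a stage-1 C2
    discovery path, else None.  DNS matches the domain or any subdomain;
    HTTP matches the Photobucket library path anchored at the host."""
    if kind == "dns":
        name = value.lower().rstrip(".")
        if name == C2_DOMAIN or name.endswith("." + C2_DOMAIN):
            return "toknowall.com"
        return None
    target = re.sub(r"^[a-z]+://", "", value, flags=re.I)  # drop the scheme
    if PHOTOBUCKET_LIBRARY.search(target):
        return "photobucket-library"
    return None


def build_inventory(rows):
    """Map device IP -> inventory record."""
    return {ip: {"vendor": vendor, "model": model, "site": site}
            for ip, vendor, model, site in rows}


def find_hits(log_text, inventory):
    """Every log line that touches a C2 indicator becomes a hit.  Unknown
    source IPs are kept (device is None): the router nobody inventoried is
    exactly the one most likely to be unpatched."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        ts, src, kind, value = m.groups()
        label = is_c2_indicator(kind, value)
        if label is None:
            continue
        hits.append({"ts": ts, "ip": src, "indicator": label,
                     "device": inventory.get(src)})
    return hits


def devices_to_audit(inventory):
    """Inventory IPs from affected vendors, regardless of log evidence:
    stage 1 is silent until it has C2, so absence of a hit clears nothing."""
    return sorted(ip for ip, rec in inventory.items()
                  if rec["vendor"].lower() in AFFECTED_VENDORS)


if __name__ == "__main__":
    inv = build_inventory(INVENTORY)
    for h in find_hits(LOG_LINES, inv):
        dev = h["device"]
        who = f'{dev["vendor"]} {dev["model"]} at {dev["site"]}' if dev else "not in inventory"
        print(f'{h["ts"]} {h["ip"]} {h["indicator"]} ({who})')
    print("audit:", ", ".join(devices_to_audit(inv)))
```

The two outputs are deliberately separate: the hit list is evidence of a live stage 1 (a lookup of the seized domain from inside the estate after a reboot is close to conclusive), while the audit list is the set of devices that need reboot, reset and firmware verification whether or not they ever showed up in the logs.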

The wider strategic point, in line with the post-Mirai writing from late 2016, is that the IoT device population continues to be a substantial component of the threat landscape, and the responsibility for its security continues to be unclear. Mirai targeted consumer devices for DDoS purposes; VPNFilter targets the same population for surveillance, traffic interception and destructive purposes; the next campaign will target the same population for some other purpose. The structural problem, manufacturers shipping devices with weak security baselines, no patch infrastructure and no operational ownership, has not improved measurably since 2016 despite increased regulatory attention. The EU Cybersecurity Act, which is in late legislative stages and will create a voluntary certification framework for ICT products, IoT devices included (EUR-Lex on the Cybersecurity Act preparation), is the most concrete regulatory step. Whether it produces material change in device-shipping practice will be the question for 2019 and 2020.

The targeting concentration in Ukraine and the Champions League final timing is the part of the story that is going to drive a longer write-up. The pattern of cyber operations timed to politically or geopolitically significant events continues to be a feature of the operational landscape: NotPetya the day before Ukraine's Constitution Day, and the BlackEnergy and Industroyer attacks on the Ukrainian grid in the final weeks of 2015 and 2016. The defensive implication for organisations whose calendar includes events of operational interest to a hostile actor is to elevate alert posture in the windows around those events. On the customer side that is an actionable practice; on the strategic side it is a useful reminder that adversary operational planning takes calendar context seriously, and so should defensive operational planning.

The Champions League final is on Saturday. The disclosure timing puts the relevant defensive measures in front of the right people in time.
