Routers, Russians and the FBI
June 9, 2018
I cringe whenever complicated technical information makes it to USA TODAY and other mainstream media outlets. Not that there's anything wrong with USA TODAY or the other guys, they're just not equipped to handle the technical stuff. Kardashians? Sure. Router firmware infections? Mostly not. So I'm here to answer your questions.
Q: What's going on?
Back in April, security companies in the U.S. and the U.K. warned that "foreign actors" are infecting networking equipment with malware called VPNFilter to gain access to information and carry out cyber attacks. Last week, Cisco's security group, Talos, reported that VPNFilter had infected more than 500,000 routers.
Q: What's a router and do I have one?
Internet Service Providers (ISPs) use modems and routers to connect you to the internet. Your router may be built into the box with your modem. If so, call your ISP to find out if VPNFilter is affecting their routers. If you have two boxes with blinky lights, then the router belongs to you. Routers provide the WiFi signal for smartphones, tablets and computers to connect to the internet.
Q: Where did this VPNFilter malware come from and how did it get on so many routers?
Once a router is installed and everybody has WiFi, we tend to forget about it. Router manufacturers include a default username and password for the router. It's easy for "foreign actors" to use these defaults to target a router, which is how most of the infections took place. At least, we think that's what happened.
Q: Who are these "foreign actors?"
The US Justice Department said last week that the VPNFilter malware is the work of "APT28," the security industry code name for a group of Russian state-sponsored hackers also known as "Fancy Bear" and the "Sofacy Group." These same guys are accused of using Facebook and other social media to meddle in the 2016 U.S. presidential race. But don't worry, they're not targeting the US exclusively: VPNFilter is present in at least 50 countries.
Q: What does VPNFilter do?
According to the FBI, VPNFilter is capable of collecting information (spying) on network traffic, infecting other hardware on a network and turning an infected router into a useless brick.
Q: How can I tell if my router is infected?
The bad news is, you can't. So far, older routers still using the default username/password and old firmware have been targeted. Here's the list of the routers that have been identified as targets:
Linksys: E1200, E2500, WRVS4400N
Netgear: DGN2200, R6400, R7000, R8000, WNR1000, WNR2000
Just because your router is on the list doesn't mean it's infected.
Q: The FBI is recommending we reboot our routers. Will this fix the problem, if I have a problem?
It'll certainly help and here's why. In the first stage of infection, VPNFilter "phones home" to what's called a command and control (C&C) server to download more malware code to the router. This new code leads to stage two and three infections, which is where the really bad stuff can happen. The good news is that the US Department of Justice seized the domain used by VPNFilter's C&C server, which should cut down on further malware downloads. Rebooting your router removes any existing stage two or three infections in your router.
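For the more hands-on reader, here is a check you can run yourself; it is an added example, not something from this post. If your home DNS resolver (say, a Pi-hole or dnsmasq box the router forwards to) keeps a query log, the router itself should only ever look up a handful of names, so a lookup from the router's own address for anything else, especially right after a reboot, is the "phone home" behaviour described above and worth a second look. The router address, the allowlist, the log format and the placeholder C&C name are all assumptions.

```python
import re

ROUTER_IP = "192.168.1.1"   # assumption: the router's LAN address as seen by the resolver
# assumption: the few names a healthy router resolves on its own (time sync, vendor updates)
EXPECTED = {"pool.ntp.org", "time.nist.gov", "updates.router-vendor.example"}

# dnsmasq-style "query[TYPE] name from client" lines
LOG_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[\w+\] (?P<name>\S+) from (?P<ip>\S+)$"
)

# Constructed sample log: the router looks up NTP (fine), a laptop browses the web (fine),
# and the router looks up a placeholder name standing in for a C&C domain (not fine).
SAMPLE_LOG = """\
Jun  9 08:00:01 dnsmasq[812]: query[A] pool.ntp.org from 192.168.1.1
Jun  9 08:00:02 dnsmasq[812]: query[A] www.usatoday.com from 192.168.1.23
Jun  9 08:00:05 dnsmasq[812]: query[A] c2-placeholder.invalid from 192.168.1.1
Jun  9 08:00:06 dnsmasq[812]: query[AAAA] c2-placeholder.invalid from 192.168.1.1
Jun  9 08:01:10 dnsmasq[812]: query[A] time.nist.gov from 192.168.1.1
"""

def is_expected(name: str) -> bool:
    """True if the name is on the allowlist or sits under an allowlisted domain."""
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in EXPECTED)

def suspicious_router_lookups(log: str, router_ip: str = ROUTER_IP) -> list[str]:
    """Distinct unexpected names the router itself resolved, in order of first appearance."""
    found: list[str] = []
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if not m or m["ip"] != router_ip:
            continue  # skip malformed lines and lookups made by ordinary clients
        name = m["name"].lower().rstrip(".")
        if not is_expected(name) and name not in found:
            found.append(name)
    return found

if __name__ == "__main__":
    for name in suspicious_router_lookups(SAMPLE_LOG):
        print(f"router resolved an unexpected name: {name}")
```

A log like this only sees lookups that go through your resolver, so treat a hit as a reason to follow the reset steps below, not as proof either way.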
Q: You keep saying "reboot" my router. How?
To reboot your router, unplug it, either at the back of the router or at the wall outlet. Wait until the screams of "OMG, the WiFi is down!" get on your nerves, or 60 seconds or so, then plug the router back in. Once all the blinky lights come on, your router is rebooted.
Q: Rebooting takes care of stage two or stage three infections. How can I remove the stage one infection, assuming I have it?
The only way to be sure is to reset your router to the factory settings, change the default username and/or password, and update to the latest firmware. Linksys, Netgear and TP-Link all have pages set up to help you through these steps.
Even if you decide not to do all that and buy a new router, the same advice about changing passwords and updating the firmware applies. Oh, and turn off remote management, too.
Q: But it's a new router. Why do I have to update the firmware, whatever that is?
The router may be new to you, but it was probably made a while ago. Then it sat in a box in a warehouse until someone ordered it, then it sat in a box on a slow ship across a big ocean, then it sat in a box in another warehouse until Amazon or an actual physical store ordered it, and then you bought it and brought it home. So your new router probably has some firmware catching up to do.
Q: What's firmware?
Right, I almost forgot. You can think of firmware as "software for hardware": it's low-level computer code that controls the hardware in a device. Computer motherboards (there it's called BIOS or UEFI), hard disks, solid-state drives (SSDs), printers, scanners, network cards, access points, range extenders, and mice and keyboards all have firmware.