The Justice Department announced Wednesday that it had seized an internet domain that’s at the center of a Kremlin-backed hacking campaign, largely thwarting the potential weaponization of a network of more than half a million web-connected devices across the globe, experts say.
The network of infected devices, or botnet, was one of the largest of its kind, cybersecurity experts say, and capable of intelligence gathering as well as disruptive denial-of-service attacks, which could have cut off internet access to hundreds of thousands of people. Its “VPNFilter” malware had been detected in devices in 54 countries but was “actively infecting Ukrainian hosts at an alarming rate,” according to Cisco’s cyberintelligence unit, Talos.
The botnet is said in government court filings to be under the control of the Russian hackers known as the Sofacy Group. Private cybersecurity firms have said the group, also known as Fancy Bear, was behind the 2016 hack of the Democratic National Committee and likely affiliated with the GRU, the Russian military intelligence unit.
The move by the Justice Department this week to take over the website that underpins the botnet’s “command-and-control infrastructure” is “a critical step in minimizing the impact of the malware attack,” the head of the FBI’s cyber division, Scott Smith, said in a statement.
“All botnets have some kind of control point or command and control network,” explained Ashley Stephenson, a cybersecurity expert who’s the CEO of Corero Network Security.
Identified in court documents as “toknowall.com,” the domain acted as a reference center where infected devices would “phone home” to take malicious marching orders, Stephenson said.
“By seizing that domain, those bots now are talking to the FBI as opposed to the original malicious controller,” he said.
In a blog post this week, Talos, which researched the botnet alongside public-sector partners, says owners of all “small office/home office” router devices should restart the machines, eliminating one stage of the malware on the devices and causing a second to call out for instructions to the newly seized domain.The FBI-controlled server will capture the IP addresses of affected devices and a private-sector partner group, The Shadowserver Foundation, will work to scrub and restore them, the Justice Department said.
Marcus Christian, a former federal prosecutor who’s a partner at the cybersecurity practice of law firm Mayer Brown LLP, said the potential for devastation from the botnet made it a priority for enforcement by US authorities.
“This is not a wait and see type of attack,” Christian said.
Still, the takedown does not mean the hacking group Fancy Bear is crippled, and malware like VPNFilter that is distributed by nation-states and other hostile actors remains a national security threat.
“This is the latest publicized development in an ongoing effort to protect US citizens from cyberattacks associated with nation-states, but it’s just one step among many,” Christian said. “It’s one point in time in an effort that as far as we know will have no end.”