Russian espionage software persistent in thousands of domestic routers


Last May, the Justice Department asked US citizens to restart their routers, but there are still things to do

The Russian army has a foothold in hundreds of thousands of routers owned by Americans and by people in other parts of the world, a U.S. security official said on Friday. The Russian malware on these routers, which enterprise network security experts have been reporting on since May, could allow the Russian government to steal people’s data or to enlist their devices in a massive attack aimed at disrupting global economic activity and institutional operations.

On May 27, Justice Department officials asked American citizens to restart their routers to stop the attack. Then the world forgot about it. “Forgetting it was a mistake, the Russian malware is still there”, said Rob Joyce, NSA advisor and former White House cyber security director.

According to reports from the International Institute of Cyber Security, on 8 May experts in enterprise network security observed a sharp rise in the number of victims of a new malware, mainly in Ukraine. Called VPNFilter, the malware uses code similar to BlackEnergy, which Russian forces used to attack the Ukrainian energy infrastructure. American intelligence agencies believe the culprits could be the hackers known as APT28 or Fancy Bear, the Russian operatives behind the attacks on the Democratic National Committee, the State Department and others. The new malware, if activated, could allow the Russian army to observe the online activities of hundreds of thousands of people.

The malware runs in three stages, according to the specialists’ report. The first stage modifies the infected device’s non-volatile memory, the part of memory that survives a shutdown, which is why a restart alone does not remove it. During this phase the malware also establishes connections to any server it can find.

Stages two and three consist of receiving and executing the attackers’ orders. These may include stealing the victims’ traffic data, launching “Man-in-the-Middle” attacks, using the router as part of a botnet, or overwriting the router’s memory to render it useless.

“What is needed now is that professionals from government, industry, and enterprise network security find ways to tell people directly how to detect the presence of malware on their routers and then restore them for safe use”, the security adviser said.

Finally, like other enterprise network security experts, Joyce believes that malicious actions by governments like North Korea on financial institutions in other countries are likely to continue, particularly over cryptocurrency exchanges established in South Korea.