What is VPNFilter Malware? Russian Spyware Infects Networks


Was your network part of the VPNFilter botnet, which infected over 500,000 routers and network-attached storage devices in at least 54 countries? The campaign, attributed by the FBI to the Russian state-sponsored group Fancy Bear, was disproportionately concentrated in Ukraine. In this article I'll explain how this remote spying software worked so you can better protect your network against similar attacks in the future.

What Is This Malware?

VPNFilter is malware built by a politically motivated advanced persistent threat (APT). The FBI attributed it to the Russia-sponsored cyber espionage group known as Fancy Bear, which has also been referred to as APT28, Pawn Storm, Sofacy Group, Sednit, Tsar Team, and STRONTIUM by various organizations. The group is well known for previous attacks on government entities and for stealing confidential files from the Democratic National Committee during the 2016 US election.

The BlackEnergy attacks that disrupted Ukraine's power grid in December 2015 are more commonly attributed to Sandworm, another group linked to Russian military intelligence, but Talos found code shared between BlackEnergy and VPNFilter. During the BlackEnergy attacks the information systems of energy distribution companies were compromised, leaving roughly 230,000 customers without electricity for several hours. The demonstrated ability of state-backed threat actors to disrupt critical infrastructure is a significant cause for concern, and VPNFilter's interest in SCADA traffic shows that network devices are part of that attack surface.

Why VPNFilter is attributed to Russian state actors:

  • Talos found code shared between VPNFilter and BlackEnergy, malware previously used against Ukrainian targets.
  • The spy software infected Ukrainian devices at a rapid rate and used a separate stage two command and control (C2) infrastructure dedicated to Ukraine.
  • On May 8, 2018, Talos observed a sharp spike in infections, with the vast majority of the newly infected devices located in Ukraine; a second spike followed on May 17.

The attack created a botnet of over 500,000 infected routers and network-attached storage (NAS) devices before it was disrupted on May 23, 2018, when the FBI seized the toknowall.com domain that stage one used as a fallback to find its C2 server. Cisco Talos, a member of the Cyber Threat Alliance, carried out most of the detection and research behind the takedown and coordinated with other CTA members ahead of publication.

How Does VPNfilter Infect Routers?


Talos did not determine exactly how the devices were initially compromised, but no evidence of a zero-day vulnerability was found. Every targeted make and model had publicly known vulnerabilities or shipped with default credentials, which is enough to compromise a device that has never been patched or reconfigured. Manufacturers have since released firmware updates for the known vulnerabilities.

The most notable feature of the malware was its multi-stage design and its ability to persist on an infected router after a reboot. This set VPNFilter apart from typical IoT malware, which lives only in memory and is wiped by a restart of the infected device.

The network spy software made use of three key stages during its lifecycle:

  1. Stage one is the initial payload, a lightweight loader whose only job is to find the stage two C2 server and fetch it. It adds itself to the device's crontab so that it survives a reboot, and it locates the C2 server in several ways: by downloading an image from Photobucket and reading the server address out of the image's EXIF GPS data, by falling back to the domain toknowall.com, and, if both fail, by opening a listener and waiting for a specially crafted trigger packet from the attacker. Because stage one persists, the attacker could reinstall the later stages after every reboot.
  2. Stage two is the main workhorse and does not survive a reboot. It connects to the C2 server and provides file collection, command execution, data exfiltration, and device management. Some versions also carried a self-destruct command that overwrites a critical section of the device's firmware and reboots it, bricking the router or NAS.
  3. Stage three consists of plugins that extend stage two. The ones Talos documented first were a packet sniffer that harvests website credentials and monitors Modbus SCADA traffic, and a module that lets stage two communicate with its C2 server over Tor. Later analysis uncovered more plugins, including 'ssler', which intercepts web traffic passing through the router, and 'dstr', a stand-alone device-destruction module.

Why Are These Attacks Dangerous?

The attacks allowed the attackers to spy on infected networks and steal sensitive data, including usernames and passwords. The 'ssler' stage three module intercepted web traffic passing through the router on port 80 and performed SSL stripping: it rewrote HTTPS links to plain HTTP where it could, so that traffic the user expected to be encrypted travelled in the clear and could be captured. This gave Fancy Bear and its associates a much larger pool of sensitive data for developing espionage campaigns. Sites that enforce HTTPS with HSTS are largely immune to this downgrade, which is one reason the technique yields less today than it did in 2018.

The dangers of VPNFilter:

  • Illicit monitoring can collect personal and financial data that could be used for identity theft
  • Cloud phone systems can be compromised and used for VoIP fraud
  • Infected devices become part of a botnet controlled by the attacker
  • Login credentials can be harvested through man-in-the-middle attacks and used to gain unauthorized access to accounts

Throughout the investigation, researchers concluded that the remote spying software was deliberately designed to be difficult to trace. The effort spent covering the attacker's tracks further increased suspicion that this was a state-sponsored attack.

Why the attacks were difficult to trace:

  • A stage three plugin let the malware communicate with its C2 server over the Tor network, which anonymizes the traffic and made it difficult for researchers to trace where the data was going.
  • The sheer size and geographic spread of the botnet obscured the attacker's real targets and made it harder to establish the origin of the attacks by the time the malware had established itself in industrial networks.
  • Its ability to destroy the devices it infected on command could also be used to cover the attacker's tracks, since a bricked router leaves little for an investigator to examine.

What Is A Botnet?

A botnet is a distributed network of compromised devices that a threat actor controls remotely and uses for their own purposes. With a botnet, attacks can be launched from many sources at once, over a much wider attack surface and with greatly increased efficiency.

Botnets are used to conduct a variety of attacks, including:

  • Distributed Denial-of-Service (DDoS) attacks, where the devices in the botnet overload servers with a sudden wave of incoming traffic. DDoS attacks disrupt operations by preventing users and administrators from accessing critical services that rely on those servers.
  • Email spamming: infected devices are instructed to send bulk unsolicited email to targets chosen by the threat actor. Spamming can be combined with a DDoS attack to extort administrators, with the attacker promising to stop once a ransom or other concession is paid.
  • Spreading malware: devices within the botnet are used to scan for and infect other vulnerable networks and devices, increasing the speed at which the malware propagates.

How To Check If Your Router Is Infected With Malware

The malware targeted small office and home office (SOHO) routers and NAS devices with known security vulnerabilities. There is no reliable way to inspect most consumer routers for the infection from the outside, so if you believe your router or NAS may have been compromised, treat it as infected. A simple reboot clears stages two and three, which only live in memory, but stage one survives it; this is why the FBI asked users to reboot after the C2 domain was seized, so that any re-infection attempt would hit the seized infrastructure rather than succeed. A full factory reset removes the stage one loader as well. A factory reset will require network admins to reconfigure the device from scratch, but it is the best method for ensuring that the stage one spyware is no longer present.

Be certain to update your device's firmware immediately after the reset and keep it up to date, and change any default credentials, because a reset alone restores the same vulnerable firmware and default passwords that let the malware in. If your router no longer receives security updates because it is past its end of life, replace it with a modern router that will receive these critical security patches.

The list below, from Talos, shows the devices known to have been targeted when the campaign was first published in May 2018. The manufacturers of these products have since released security updates, though a patch only helps if it is actually installed.

Linksys Devices:

  • E1200
  • E2500
  • WRVS4400N

MikroTik RouterOS for Cloud Core Routers:

  • 1016
  • 1036
  • 1072

Netgear Devices:

  • DGN2200
  • R6400
  • R7000
  • R8000
  • WNR1000
  • WNR2000

QNAP Devices:

  • TS251
  • TS439 Pro
  • Other QNAP NAS devices running QTS software

TP-Link Devices:

  • R600VPN

It's important to note that this list is not exhaustive. When Talos published its follow-up research in June 2018 it added further Linksys, MikroTik, Netgear and TP-Link models, as well as devices from ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE, and other models could be vulnerable as well.

Software Tools For Fighting Spyware on the Network

Snort for Detection

Snort is an open-source network intrusion detection and prevention system that includes an integrated packet sniffer and logger. During the attack, Talos released Snort rules that gave defenders the signatures they needed to detect VPNFilter's network activity, such as connections to the known C2 infrastructure.

ClamAV for Prevention

ClamAV, also maintained by Talos, is an open-source antivirus engine for detecting trojans, viruses, malware, and other malicious threats. ClamAV includes signatures for VPNFilter components, which is useful for scanning files pulled from a NAS or from a router's firmware image.

BrowseControl for Web Filtering & Blocking Ports

BrowseControl prevents malicious websites from being accessed and allows IT administrators to block network ports that are known to be used by threat actors. IT admins also used web filters to protect their networks against VPNFilter by blocking the domains and IP addresses that were used in the attack. Keep in mind that a router-level infection sits upstream of the endpoints: filtering on workstations limits what users can reach, but it does not clean the router itself.

How Internet Monitoring and Filtering Helped Protect Against the Spyware

During its investigation, Talos identified the indicators of compromise (IoCs) that can be used to monitor for the network activity associated with the attack. While the core infrastructure for the computer spy software has since been taken offline, understanding how the suspicious activity was detected can help you keep your router secure against future exploits.

During the first stage of the attack, the spyware downloaded images from the image-sharing website Photobucket, from URLs of the form photobucket.com/user/<username>/library. The images carried EXIF metadata, and VPNFilter read the GPS latitude and longitude fields and converted them into the IP address of the C2 server responsible for the second and third stages. If Photobucket failed, it tried the fallback domain toknowall.com, and failing that it opened a listener and waited for the attacker to connect.

As the investigation unfolded, Talos shared a list of URLs and IP addresses known to be associated with the attack. To defend against VPNFilter, network administrators blocked these URLs and IP addresses and monitored their networks for other suspicious internet traffic. A router making outbound HTTP requests to an image-sharing site is itself a strong signal, since routers have no legitimate reason to browse the web.
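The detection logic described above, and the kind of signal the Snort rules mentioned earlier encode, can be reproduced against ordinary proxy logs. The script below is an added example written for this article, not code from Talos or from the original post. It assumes a constructed log format of "timestamp source-ip destination-ip host url", uses toknowall.com and the Photobucket library URL shape as indicators, and uses a TEST-NET placeholder IP in place of the real Talos IP list, which you would load into the same sets. The router addresses and the sample log lines are constructed for the demonstration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicators. toknowall.com was the fallback C2 domain the FBI seized, and the
# Photobucket "library" URL shape is how stage one fetched the EXIF-bearing
# images that encoded the C2 address. The IP below is a constructed TEST-NET-3
# placeholder, NOT a real indicator: in practice load the IP and domain lists
# from the published Talos report into these two sets.
IOC_DOMAINS = {"toknowall.com"}
IOC_IPS = {ipaddress.ip_address("203.0.113.10")}
PHOTOBUCKET_LIBRARY = re.compile(
    r"^https?://(?:www\.)?photobucket\.com/user/[^/]+/library(?:/|$)", re.IGNORECASE
)

# Addresses of routers/NAS on the monitored LAN (assumed values). These devices
# have no business fetching images from the web, so a Photobucket request from
# one of them is far more suspicious than the same request from a workstation.
NETWORK_DEVICE_IPS = {
    ipaddress.ip_address("192.168.1.1"),
    ipaddress.ip_address("192.168.1.2"),
}

# Proxy log format assumed here: "<timestamp> <src-ip> <dst-ip> <host> <url>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst_ip>\S+)\s+(?P<host>\S+)\s+(?P<url>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    line_no: int
    src: str
    severity: str  # "high" or "low"
    reason: str


def parse_line(line: str):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def check_entry(entry: dict, line_no: int) -> list:
    """Apply the VPNFilter indicator and behaviour checks to one parsed entry."""
    alerts = []
    src = entry["src"]
    host = entry["host"].lower().rstrip(".")

    if host in IOC_DOMAINS:
        alerts.append(Alert(line_no, src, "high", f"request to known C2 domain {host}"))

    try:
        if ipaddress.ip_address(entry["dst_ip"]) in IOC_IPS:
            alerts.append(Alert(line_no, src, "high", f"connection to known C2 IP {entry['dst_ip']}"))
    except ValueError:
        pass  # dst_ip field was not an address; skip the IP check

    if PHOTOBUCKET_LIBRARY.match(entry["url"]):
        try:
            from_device = ipaddress.ip_address(src) in NETWORK_DEVICE_IPS
        except ValueError:
            from_device = False
        severity = "high" if from_device else "low"
        alerts.append(Alert(line_no, src, severity,
                            "Photobucket user library fetch (stage one C2 lookup pattern)"))
    return alerts


def scan(lines) -> list:
    """Scan an iterable of log lines and return all alerts, in log order."""
    alerts = []
    for line_no, line in enumerate(lines, start=1):
        entry = parse_line(line)
        if entry:
            alerts.extend(check_entry(entry, line_no))
    return alerts


# Constructed sample log (not real traffic): a workstation browsing normally,
# the router fetching a Photobucket library, the router reaching the fallback
# C2 domain at the placeholder C2 IP, and a user browsing Photobucket.
SAMPLE_LOG = [
    "2018-05-22T10:01:03Z 192.168.1.50 198.51.100.7 www.example.com http://www.example.com/index.html",
    "2018-05-22T10:01:09Z 192.168.1.1 198.51.100.23 photobucket.com http://photobucket.com/user/sampleuser/library",
    "2018-05-22T10:02:15Z 192.168.1.1 203.0.113.10 toknowall.com http://toknowall.com/",
    "2018-05-22T10:03:41Z 192.168.1.50 198.51.100.23 photobucket.com http://photobucket.com/user/someone/library/album1",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line_no} [{a.severity}] src={a.src}: {a.reason}")
```

Run against the sample, the workstation's Photobucket visit is reported at low severity while the router's identical request, and its contact with the fallback domain, are reported as high. Plain indicator matching would have treated both Photobucket visits the same; weighting the source device is what turns a noisy signal into a useful one.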

How to Stop Network Devices From Becoming Infected

As sophisticated as the attacks were, the threat actors responsible will certainly take the lessons learned and apply them to more sophisticated attacks in the future. To be better prepared to defend against the next wave, it helps to know the steps you can take right away to increase the security of your network devices.

  • Change the default login: any device that ships with default login credentials must have its password changed to a unique and strong one. Default passwords are typically known to attackers and built into exploit tooling, making a device with a default administrator password nearly as insecure as one with no password at all.
  • Disable remote management: routers often include features that let them be monitored and managed from the internet. Unfortunately, an administrative interface exposed to the WAN also gives attackers a way in, and it is exactly the kind of surface the known exploits against these devices targeted. Unless remote management is absolutely critical it should be disabled, and where it is needed it should be restricted to specific source addresses or reached over a VPN.
  • Disable UPnP: the Universal Plug and Play (UPnP) feature included on many routers lets devices on the LAN open ports on the firewall without authentication. Malicious web content, or any compromised device on the LAN, can use it to expose internal services to the internet, so it should be turned off unless something on the network genuinely depends on it.
  • Update the firmware: manufacturers of network devices release security patches for known vulnerabilities. The exact process depends on the device and its manufacturer; some support automatic updates so that firmware is always current. After updating, verify that the device actually reports the new version, and check whether the model has reached end of life.
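Ticking the "disable remote management" and "disable UPnP" boxes is only half the job; the other half is verifying that the device really stopped listening. The script below is an added example written for this article, not code from the original post or from any router vendor. It multicasts a UPnP SSDP search for the Internet Gateway Device profile on the local network, TCP-connects to a list of common management ports, and turns the results into findings. The port list and the default router address 192.168.1.1 are assumptions; the SSDP reply used in the usage note is constructed. To check remote management, run the port probe from outside your network against your WAN address (pass `--external`); from inside the LAN an open admin port is normal.

```python
import socket

# Management services commonly exposed by SOHO routers (assumed list; add the
# ports your own device uses). 8291 is MikroTik's Winbox port, 8443 a common
# alternative HTTPS admin port.
MANAGEMENT_PORTS = {
    22: "ssh", 23: "telnet", 80: "http", 443: "https",
    8080: "http-alt", 8291: "winbox", 8443: "https-alt",
}
SSDP_GROUP = ("239.255.255.250", 1900)
# Search target for the UPnP Internet Gateway Device profile, the one that
# lets LAN hosts open port mappings on the router.
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"


def ssdp_msearch(st: str = IGD_ST, mx: int = 1) -> bytes:
    """Build an SSDP M-SEARCH request for the given search target."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n\r\n"
    ).encode("ascii")


def parse_ssdp_response(data: bytes) -> dict:
    """Parse an SSDP (HTTP-style) reply into a dict of lowercase header names.
    Returns {} if the data is not an HTTP/1.1 200 response."""
    lines = data.decode("utf-8", errors="replace").split("\r\n")
    if not lines or not lines[0].upper().startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def discover_upnp(timeout: float = 2.0) -> list:
    """Multicast an M-SEARCH on the local network and return parsed replies."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
        s.settimeout(timeout)
        s.sendto(ssdp_msearch(), SSDP_GROUP)
        try:
            while True:
                data, addr = s.recvfrom(4096)
                headers = parse_ssdp_response(data)
                if headers:
                    headers["_from"] = addr[0]
                    found.append(headers)
        except socket.timeout:
            pass  # no more replies within the MX window
    return found


def probe_ports(host: str, ports=MANAGEMENT_PORTS, timeout: float = 1.5) -> dict:
    """TCP-connect probe of the given ports; True means something accepted."""
    result = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            result[port] = s.connect_ex((host, port)) == 0
    return result


def assess(open_ports: dict, upnp_replies: list, external: bool) -> list:
    """Turn raw probe results into findings. 'external' says whether the port
    probe was run from outside the network against the WAN address."""
    findings = []
    for port, is_open in sorted(open_ports.items()):
        if not is_open:
            continue
        name = MANAGEMENT_PORTS.get(port, str(port))
        if port == 23:
            findings.append(f"telnet ({port}) is accepting connections; disable it, it is unencrypted")
        elif external:
            findings.append(f"{name} ({port}) is reachable from the internet; "
                            "disable remote management or restrict it")
    for reply in upnp_replies:
        findings.append(f"UPnP IGD answered from {reply.get('_from', '?')} "
                        f"({reply.get('server', 'unknown')}); disable UPnP unless required")
    return findings


if __name__ == "__main__":
    import sys
    target = next((a for a in sys.argv[1:] if not a.startswith("--")), "192.168.1.1")
    external = "--external" in sys.argv
    upnp = [] if external else discover_upnp()  # SSDP is link-local only
    for finding in assess(probe_ports(target), upnp, external):
        print(finding)
```

With a constructed reply such as `HTTP/1.1 200 OK\r\nST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\nSERVER: Linux UPnP/1.0 MiniUPnPd/1.9\r\nLOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n\r\n`, `parse_ssdp_response` yields the `st`, `server` and `location` headers, and `assess` reports the IGD along with any open telnet or, when run externally, any reachable admin port. An empty findings list after the reset and reconfiguration is the confirmation you want before trusting the device again.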


VPNFilter showed the security community how far nation-state actors are prepared to go in turning consumer network devices into tools of espionage and cyberwarfare. While this specific threat has been taken offline, there will be more attacks in the future that attempt to exploit vulnerabilities in networking and IoT devices. Cybersecurity is an ongoing effort that requires consistent upkeep and investment to keep networks and data safe from advanced persistent threats.

Dale Strickland
Dale Strickland is the Digital Marketing Manager for CurrentWare, a global provider of user activity monitoring, web filtering, and device control software. Dale’s diverse multimedia background allows him the opportunity to produce a variety of content for CurrentWare including blogs, infographics, videos, eBooks, and social media shareables.