The Slatest

FBI Is Asking Everyone to Reboot Their Routers to Stop Russian Malware Infection

A participant attends the 34C3 Chaos Communication Congress of the Chaos Computer Club on December 27, 2017 in Leipzig, Germany.
A participant attends the 34C3 Chaos Communication Congress of the Chaos Computer Club on December 27, 2017 in Leipzig, Germany.
Jens Schlueter/Getty Images

The FBI made a bombshell announcement on Friday that is only starting to gain a bit of traction over the weekend. Russian hackers have developed a sophisticated malware system that has already infected hundreds of thousands of routers. The good news is that the recommendation on how to combat the infection is easy enough—turn it off and then turn it back on again. Anyone who has a home or small office router should go ahead and do that just to be safe.

“Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide,” the FBI said in its Friday public service announcement. “The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic.”

On Wednesday, the FBI received a court order allowing it to seize a website that was allegedly going to be used to direct the hacked routers. While that move “cut off malicious communications, it still left the routers infected, and Friday’s warning was aimed at cleaning up those machines,” explains Reuters. To obtain the court order, the Justice Department said the hackers were part of a group called Sofacy, which also goes by the name A.P.T. 28 and Fancy Bear and is believed to be directed by Russia’s military intelligence agency. It is the same group that hacked the Democratic National Committee shortly before the 2016 presidential election, notes the New York Times.

Cisco’s Talos security team first revealed the existence of the malware on Wednesay and said more than 500,000 devices in at least 54 countries had been infected by the malware, known as VPNFilter. Devices made by Linksys, MikroTik, NETGEAR, TP-Link, and QNAP network-attached storage (NAS) devices are just a few of the manufacturers known to have been infected.

Symantec published a list of devices that are known to be vulnerable to VPNFilter:

Linksys E1200

Linksys E2500

Linksys WRVS4400N

Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072

Netgear DGN2200

Netgear R6400

Netgear R7000

Netgear R8000

Netgear WNR1000

Netgear WNR2000

QNAP TS251

QNAP TS439 Pro

Other QNAP NAS devices running QTS software

TP-Link R600VPN

In addition to rebooting routers, the FBI is also recommending users to disable remote management settings, upgrade the firmware of their devices, and update their passwords.

Although the FBI’s advice is good enough, if you want to be extra careful you should follow Cisco’s suggestion to perform a factory reset in order to fully remove the malware from your router. “This generally involves using a paper clip or thumb tack to hold down a button on the back of the device for 5 seconds,” explains Ars Technica. “The reset will remove any configuration settings stored on the device, so users will have to restore those settings once the device initially reboots.”