In late May and early June public reporting about a new type of malware called ‘VPN Filter’ surfaced and led to the FBI asking the public to restart or factory reset their routers. These steps would slow the progression of the malware, help the government identify potentially affected devices and eradicate the ability for the malware to ‘reach out’ to its controllers. According to the Justice Department, these controllers are a Russian government associated/backed group that also were responsible for attacks on the energy grid in Ukraine and for intrusive and aggressive intelligence gathering activities aimed at U.S. ICS/SCADA systems that were publicly disclosed earlier this year.

The malware was primarily researched and disclosed by Cisco’s Talos intelligence group. VPN Filter targeted consumer routers with known public vulnerabilities and began a three-stage attack. In stage one, the malware used embedded code in pictures uploaded to photobucket to establish a command and control relationship with an external server. Stage two incorporated more advanced exploitation “such as file collection, command execution, data exfiltration and device management”. This included the ability for an external attacker to ‘kill’ or ‘brick’ an infected router. Stage three went one step beyond stage two and incorporated plugins that could strip encryption from web traffic to preform reconnaissance and inject and modify web content. Additionally, details from Cisco about stage two and three also showed that VPN Filter tried to compromise end hosts, identify traffic related to Industrial Control and Supervisory Control and Data Acquisition Systems (ICS/SCADA), and infect new systems and routers.

A unique aspect of this malware was not necessarily its scope, it was reported to have an effect on over 500,000 devices worldwide, but its targets which were more likely to be devices owned by individuals or small businesses rather than large corporations or governments. In an earlier blog post, we discussed the need for cyber resilience at a community level and documented the susceptibility of local infrastructure to cyber threats. The average American may not know how to setup, restart or update the firmware on their router, let alone identify indicators of compromise or analyze code. VPN Filter strikes at the heart of this knowledge gap.

What is more concerning are the implications when VPN Filter is viewed in the broader context of cyber actions against the U.S. by foreign nations. Those attributed to Russia alone over the past several years have gone beyond the scope of just compromising machines to steal data and have sought to pull at the seams of U.S. Democracy by attempting to influence electionswiden societal dividesprobe voting systemsintercept the communications of our officials and put hands on the controls of our power plants and critical infrastructure systems. Stage three of the malware is particularly disturbing when viewed in the context of these ‘active measures’ and applied to an individual. The malware’s ability to manipulate web traffic to infected routers could in theory allow its operator to potentially conduct social engineering operations without the need for bots or trolls and instead actively redirect users to altered websites or inject and modify page content without the user’s knowledge.

In light of this malware and cyber history of recent years, it is time to view cyber resilience, from the most individual level to the highest of government as a significant part of democratic and societal resilience. As the Internet continues to permeate and support our everyday lives we must strive to create fundamentally secure systems and demand that devices that are sold to the public, like the routers targeted by VPN Filter, are designed with security ‘baked in’ and not solely for profit and marketability. If we as a country and society cannot pivot to a security and resilience first mindset in cyberspace, we risk losing the strength and stability of the critical systems and government we depend on as Americans.

As October is cybersecurity month, take this month to evaluate your current systems and cyber practices and understand that bettering and improving their security is not just in your personal or employer’s best interest, but by improving your node of the greater network and conduct as an Internet user, you help everyone whether they use the Internet or not.


Editor’s Note: A Global Resilience Institute-funded seed grant project is exploring the development of a resilient Internet-of-Things (IoT). The project views the emerging IoT as a socio-technical system: a set of technologies and practices that are embedded within larger economic, legal, political institutions. It convenes an interdisciplinary team of Northeastern faculty and researchers to investigate the ways in which resilient practices can be encouraged through technical innovation and institutional design. CLICK HERE to learn more.


About the Author

toll, nate headshotNate Toll is GRI Student Almuni. During his time as a GRI Research Assistant, he earned his master’s degree in Information Assurance and Cyber Security at Northeastern. Prior to joining GRI, he served in positions as Executive Officer of the Coast Guard Cutter RICHARD ETHERIDGE and Operations Officer on the Cutter SANIBEL.