FANCY BEAR KNOWS ALL —

FBI seizes domain Russia allegedly used to infect 500,000 consumer routers

The sinkholing is a major coup but doesn't automatically kill VPNFilter infections.

The flag of Russia.

The FBI has seized a key domain used to infect more than 500,000 home and small-office routers in a move that significantly frustrates a months-long attack that agents say was carried out by the Russian government, The Daily Beast reported late Wednesday.

The takedown stems from an investigation that started no later than last August and culminated in a court order issued Wednesday directing domain registrar Verisign to turn over control of ToKnowAll.com. An FBI affidavit obtained by The Daily Beast said the hacking group behind the attacks is known as Sofacy. The group—which is also known as Fancy Bear, Sednit, and Pawn Storm—is credited with a long list of attacks over the years, including the 2016 hack of the Democratic National Committee.

As Ars reported earlier Wednesday, Cisco researchers said the malware that infected more than 500,000 routers in 54 countries was developed by an advanced nation and implied Russia was responsible, but the researchers didn’t definitively name the country.

VPNFilter, as the Cisco researchers dubbed the advanced malware, is one of the few Internet-of-things infections that can survive a reboot, but only the first stage has this capability. To compensate for the shortcoming, the attackers relied on the three separate mechanisms to independently ensure stages 2 and 3 could be installed on infected devices.

The ToKnowAll.com domain seized Wednesday hosted a backup server for uploading a second stage of malware to already-infected routers in the event a primary method, which relied on Photobucket, failed. VPNFilter relied on a third method that used so-called “listeners,” which allow attackers to use specific trigger packets to manually send later stages.

Major coup

Taking control of a command-and-control server is known as sinkholing. It allows researchers or law enforcement officers to monitor the IP addresses of infected devices that connect and to prevent them from receiving malware or malicious instructions. The seizure of ToKnowAll.com is a major coup because it closes a secondary channel and may also provide previously unavailable information the FBI can use to begin the process of helping ISPs and end users disinfect the devices.

Still, based on information provided by Cisco, the sinkholding doesn’t automatically stop VPNFilter in its tracks. Assuming the attackers captured the IP addresses of devices infected with stage 1, the attackers may still be able to use the listener to regain control of the devices.

In August, The Daily Beast reported, FBI agents in Pittsburgh, Pennsylvania, interviewed a local resident whose home router was infected with VPNFilter. The resident voluntarily let the agents analyze the device and attach a network tap that allowed the FBI to monitor traffic leaving the router. The agents used the tap to identify the way the malware worked.

On Tuesday, the FBI asked federal Magistrate Judge Lisa Pupo Lenihan in Pittsburgh to turn over control of ToKnowAll.com to agents. Lenihan granted the request on Wednesday. It’s not clear why it took nine months from the time the agents interviewed the router owner to their request of the domain seizure. Ars has much more about VPNFilter here.

Channel Ars Technica