Entertainment

Binge This

World News

Dictators, Dissidents and Dangerous Places

Half Full

Eat. Drink. Think.

Politics

Non-Partisan, but Not Neutral

Photo Illustration by Elizabeth Brockway/The Daily Beast
GOTCHA

Exclusive: FBI Seizes Control of Russian Botnet

The FBI operation targets a piece of sophisticated malware linked to the same Russian hacking group that hit the Democratic National Committee in 2016.

Kevin Poulsen5.23.18 6:25 PM ET

FBI agents armed with a court order have seized control of a key server in the Kremlin’s global botnet of 500,000 hacked routers, The Daily Beast has learned. The move positions the bureau to build a comprehensive list of victims of the attack, and short-circuits Moscow’s ability to reinfect its targets.

The FBI counter-operation goes after  “VPN Filter,” a piece of sophisticated malware linked to the same Russian hacking group, known as Fancy Bear, that breached the Democratic National Committee and the Hillary Clinton campaign during the 2016 election. On Wednesday security researchers at Cisco and Symantec separately provided new details on the malware, which has turned up in 54 countries including the United States.

VPN Filter uses known vulnerabilities to infect home office routers made by Linksys, MikroTik, NETGEAR, and TP-Link. Once in place, the malware reports back to a command-and-control infrastructure that can install purpose-built plug-ins, according to the researchers. One plug-in lets the hackers eavesdrop on the victim’s Internet traffic to steal website credentials; another targets a protocol used in industrial control networks, such as those in the electric grid. A third lets the attacker cripple any or all of the infected devices at will.

The FBI has been investigating the botnet since at least August, according to court records, when agents in Pittsburgh interviewed a local resident whose home router had been infected with the Russian malware. “She voluntarily relinquished her router to the agents,” wrote FBI agent Michael McKeown, in an affidavit filed in federal court. “In addition, the victim allowed the FBI to utilize a network tap on her home network that allowed the FBI to observe the network traffic leaving the home router.”

That allowed the bureau to identify a key weakness in the malware. If a victim reboots an infected router, the malicious plugins all disappear, and only the core malware code survives. That code is programmed to connect over the Internet to a command-and-control infrastructure set up by the hackers. First it checks for particular images hosted on Photobucket.com that held hidden information in the metadata. If it can’t find those images—which have indeed been removed from Photobucket—it turns to an emergency backup control point at the hard-coded web address ToKnowAll[.]com.

One plug-in lets the hackers eavesdrop on the victim’s Internet traffic; another targets a protocol used in the electric grid. A third lets the attacker cripple any or all of the infected devices at will.

On Tuesday, FBI agents in Pittsburg asked federal Magistrate Judge Lisa Pupo Lenihan in Pittsburgh for an order directing the domain registration firm Verisign to hand the ToKnowAll[.]com address over to the FBI, in order to “further the investigation, disrupt the ongoing criminal activity involving the establishment and use of the botnet, and assist in the remediation efforts,” according to court records. Lenihan agreed, and on Wednesday the bureau took control of the domain.

The move effectively kills the malware’s ability to reactivate following a reboot, said Vikram Thakur, technical director at Symantec, who confirmed to the Daily Beast that the domain was taken over by law enforcement on Wednesday, but didn’t name the FBI. “The payload itself is non-persistent and will not survive if the router is restarted,” Thakur added. “That payload will vanish.”

In other words, average consumers have the ability to stop Russia’s latest cyber attack by rebooting their routers, which will now reach out to the FBI instead of Russian intelligence. According to the court filings, the FBI is collecting the Internet IP addresses of every compromised router that phones home to the address, so agents can use the information to clean up the global infection.

“One of the things they can do is keep track of who is currently infected and who is the victim now and pass that information to the local ISPs,” said Thakur. “Some of the ISPs have the ability to remotely restart the router. The others might even send out letters to the home users urging them to restart their devices.”

The court order only lets the FBI monitor metadata like the victim’s IP address, not content. As a technical matter, Thakur said there’s no danger of the malware sending the FBI a victim’s browser history or other sensitive data. “The threat capability is purely to ask for additional payloads,” he said. “There is no data that is leaked from these routers to the domain that is now controlled by an agency.”

Cheat Sheet®

The 10 Most Important Stories Right Now

  1. 1. OLD HABITS

    North Korea Warns of ‘Nuclear Showdown’ if Summit Canceled

    After Trump said he’d be willing to call it off if Kim Jong Un won’t agree to the terms.

  2. 2. POSTURING?

    Trump Launches ‘National Security’ Probe Into Car Imports

    The move is widely seen as a prelude to possible U.S. tariffs on foreign vehicles amid stalled NAFTA talks.

  3. 3. SUSPENSEFUL

    Justice Dept. to Hold Bipartisan Briefing on Russia Probe

    Trump’s Republican allies are hoping to get details on the secret FBI informant the president claims “infiltrated” his campaign.

  4. 4. ‘Perjury Trap’

    Giuliani: Trump Should Do a Mueller Interview

    The president's lawyer expressed concerns, however, because “truth is relative.”

  5. 5. Your Not You're

    This App Helps You Craft Better Emails

    Ad by Daily Beast Shop

  6. 6. TWEETS FOR EVERYONE

    Federal Judge: Trump Can’t Block Users on Twitter

    Court ruled that it’s unconstitutional for the president to block someone because of their political beliefs.

  7. 7. STANDING UP

    NY Jets Co-Owner: I’ll Pay Fines for My Players Who Kneel

    Christopher Johnson, brother of Trump’s ambassador to the U.K., made the pledge hours after the NFL announced new rules.

  8. 8. SORRY

    Milwaukee Cops Apologize for Arresting, Tasing NBA Player

    Officers “acted inappropriately,” the police chief said.

  9. 9. OUT OF SIGHT, OUT OF MIND

    WH Considered Ignoring Federal Studies on Climate Change

    A memo also gave WH officials the option of developing “a coherent, fact-based message about climate science.”

  10. 10. OH BABY BABY

    FDA Cracks Down on OTC Baby Teething Products

    No more products carrying chemical benzocaine, a local anesthetic.