Matrix Posted May 28, 2018

The hacking has been attributed to Fancy Bear, the Russian group that hacked the DNC.

U.S. law enforcement is trying to seize control of a network of hundreds of thousands of wireless routers and other devices infected by malicious software and under the control of a Russian hacking group that typically targets government, military and security organizations.

FBI Special Agent in Charge Bob Johnson said: “These hackers are exploiting vulnerabilities and putting every American’s privacy and network security at risk.”

Johnson encouraged people and businesses to take several steps: First, reboot the device, which can disrupt the malware if it is present. Second, update network equipment and change passwords — though he cautioned “there is still much to be learned about how this particular threat initially compromises infected routers and other devices.”

In a statement issued late Wednesday, the Justice Department said the FBI had received a court order to seize a domain at the core of the massive botnet, which would allow the government to protect victims by redirecting the malware to an FBI-controlled server.

The DOJ attributed the hacking campaign to the group known as Sofacy, also known as Fancy Bear. While the statement did not explicitly name Russia, Fancy Bear is the Russian military-linked group that breached the Democratic National Committee in the presidential election.

“This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities,” said Assistant Attorney General for National Security John Demers.
The announcement of law enforcement’s salvo came just hours after cybersecurity researchers from Cisco’s intelligence unit Talos warned that sophisticated hackers had infected at least 500,000 devices in at least 54 countries with the malware dubbed “VPN Filter.”

Much of the attention at first focused on an apparently imminent threat in Ukraine: The malware showed up in devices there at such “an alarming rate” in recent weeks that the researchers believed hackers linked to a state government were preparing an extensive cyberattack on the country, the researchers said.

While the researchers themselves did not name Russia, they did say the malware had some of the same hallmarks of recent Russian government-backed hacking campaigns that took out parts of the country’s power grid. “The code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine,” Talos said in a blog post. The U.S. government and security experts have attributed those attacks to Russia.

The latest campaign fits a pattern of influence operations the Russian government has used in recent years to upend life in Ukraine as part of a strategy to exert influence on the digital stage, said Nina Jankowicz, a fellow at the Wilson Center. “Ukraine has always been a proving ground for Russian cyberactivity,” she told me. “Russia is asserting its cyber prowess. It wants the United States and the West to know what it’s capable of without having to launch an attack on a Western government, which would draw retribution.”

Yet in this case, it’s not surprising that the threat was a priority for U.S. law enforcement — and not just because Russia has been in the spotlight for its interference campaign in the 2016 election.
Earlier this year, the White House publicly blamed Russia for the NotPetya cyberattack in June 2017, when Russian military hackers shut down networks across Ukraine and wiped data from financial firms, government offices and other institutions around the world. The White House said it was the “most destructive and costly cyberattack in history” and vowed that it would “be met with international consequences.”

Craig Williams, the head of Talos’s security team, told me that under a worst-case scenario, the mass of infected devices was powerful enough to be used to carry out a “potential sequel” to the NotPetya attack. “We’re rolling right up on the anniversary of that attack,” Williams said. If hundreds of thousands of routers get knocked out simultaneously, he said, “that will have a very similar impact to NotPetya.”

Williams called VPN Filter the “Swiss army knife for malware.” In addition to using it for espionage purposes, the malware has the potential to intercept communications on industrial control systems used throughout the energy sector and by manufacturers, water treatment facilities and other critical infrastructure operators. It also has a destructive capability known as “bricking” that allows the malware to permanently disable any device infected with it.

By infecting consumer wireless routers, hackers were targeting an especially weak link in computer networking, said Michael Daniel, president of the Cyber Threat Alliance, of which Cisco is a member. It’s “particularly pernicious because it targets the kind of device that’s difficult to defend,” he told me. “They sit on the edge of the network or on the outside of the firewall. They don’t really have antivirus for routers.”

The FBI and the Department of Homeland Security have notified trusted internet service providers of the malware, according to the DOJ. Cisco said users can disable the malware beyond its first stage by rebooting their routers.
source