
According to a new warning recently published by the FBI, routers are the latest target for a certain type of hacker. It is estimated that more than half a million-small business and home routers have been infected. The code, malware called VPNFilter, is a spy tool, but is believed to have many more sinister uses as well. Here’s what you need to know.
FBI Warning
On May 25, 2018, the FBI issued a public service announcement regarding the VPNFilter, recommending that anyone who owns a home office or small office router to power cycle, or reboot, them. They warned that the malware used by these foreign cyber actors targets office and home routers as well as networked devices all over the world. The malware is believed to have the ability to perform a number of functions including information collection, blocking network traffic, and exploiting devices.
The VPNFilter infects the routers, rendering them inoperable. There is a great potential that any information that is passed through the router can be collected by the malware. However, it is difficult to analyze or even detect the malware’s activity over the network because it utilized mis-attributable networks and encryption.
What is the VPNFilter Malware?
The VPNFilter malware is a multi-stage, malicious software that is designed to disable or damage computer systems as well as collect intelligence, including personal data. It is modular, so even when some components are removed, others may remain, essentially leaving the door open for future infections.
Stage 1 of the malware remains even after a reboot. This makes it more of a threat that other types of malware which usually are purged once the device is rebooted. The primary role of stage 1 is to enable Stage 2 of the malware to be deployed as well as to attain and maintain a foothold in the device, leaving it vulnerable to future attacks.
Stage 2 is the working part of the malware, collecting files, exfiltrating data, executing commands, and managing devices. In most cases it can be purged with a reboot, but some versions have a self-destruct mechanism that overwrites a critical part of the firmware for the device and reboots it. This makes it unusable. Experts who have observed the actor’s manipulation of the malware conclude that they have extensive knowledge of the devices, indicating that the self-destruct capability could be deployed even if it is not built into that stage.
Stage 3 is a plugin for stage 2, providing the actor with additional functionality. There are many different versions, each with different purposes such as collecting traffic as it passes through the router, stealing website credentials, Modbus SCADA protocols monitoring, and more. Experts are aware more plugins exist, but have not yet identified them.
Who is at Risk?
Homes and small businesses with routers and network storage devices are the identified risk categories. Some of the known devices that are affected or most likely to have the malware include certain (typically older) models from QNAP, Mikrotik, TP-Link, Linksys, and Netgear:
- Linksys: E1200, E2500, WRVS4400N
- Mikrotik: 1016, 1036, 1072
- Netgear: DGN2200, R6400, R7000, R8000, WNR1000, WNR2000
- QNAP: TS251, S439 Pro, other QNAP NAS devices running QTS software
- TP-Link: R600VPN

It can be very difficult to tell if your device has been affected. At one time, shortly after the threat was identified, experts claimed that the chances someone is operating a router that has been infected are actually quite small. More recent data is showing the threat may be more serious and detrimental than initially thought. Nevertheless, people who use routers for their home office or small office are advised to perform a reboot of their devices. Their firmware should also be updated and the ability for the device to be accessed remotely should be disabled.
The problem is, at least one of the components of the VPNFilter cannot be purged by performing a reboot. And this lingering component is what makes it easier for the device to be infected again. This means that users have to take additional steps to secure their devices.
Preventative Measures

The FBI and the router manufacturers both recommend rebooting your router – but for different reasons. From the FBI’s standpoint, the reboot will destroy to component of the malware that is active on your system, allowing the hackers to access your files. However, when the component that remains intact attempts to re-access your system and download the malware again, the FBI can trace it and hopefully find the source.
To stop any attacks, the router manufacturers recommend doing a factory reset which will require you to reconfigure all of your network settings. It is also a good idea to change your default password.
Want to know more about protecting yourself from the VPNFilter malware? Give us a call and talk to one of our experienced, friendly techs to get the information you need to keep your information safe.
PS LIGHTWAVE is the consultative data-connectivity provider for public and private entities in the Greater Houston area. Through our high-quality infrastructure, innovative technology and superior level of support, we deliver not only the best in connectivity and reliability but in scalability and redundancy. You’ll also appreciate that the PS in our name stands for “Pure Speed.” We fully understand that technology is a moving target, and we understand the people and infrastructure of the Greater Houston area. We are nimble, flexible and responsive, and we embrace leading-edge technologies that improve the customer experience. We invite you to learn more. Visit our website or contact us. Concerned about connectivity? Think PS LIGHTWAVE.