A huge botnet consisting of at least 500,000 compromised routers and network attached storage devices has been detected by security researchers.

The botnet has been slowly growing since at least 2016 but somehow slipped under the radar. It’s infecting devices in at least 50 countries. The malware is known as VPNFilter and is largely targeting small office and home routers.

That said, some enterprise routers have also been infected. The network attached storage devices are QNAP branded and tend to be used by businesses, though some are also found in the small office and home space.

What does it mean for me?

In short, the VPNFilter malware is capable of intercepting communications and data passing through the device and of using the infected devices to launch cyberattacks against other targets.

Rather worryingly, it also has a self-destruct command which overwrites part of the device’s firmware and reboots it, leaving the device unusable.

Gulp, does that mean my router will be taken offline?

It’s unlikely.

  • Researchers believe there are strong similarities with earlier malware that was responsible for multiple large-scale attacks targeting devices in Ukraine.
  • This suggests Russian-backed hackers are operating the botnet, although it’s impossible to know for sure.
  • At the same time, researchers noted that VPNFilter is actively infecting Ukrainian devices at an alarming rate.
  • The botnet also has a separate command and control infrastructure dedicated to devices in Ukraine.

Phew, I’m safe then?

  • VPNFilter is very sophisticated, multi-stage malware that allows attackers to spy on network traffic and attack critical infrastructure networks.
  • This means the same botnet infrastructure could easily be used to target critical infrastructure networks in other countries such as the UK, the US and Germany. It all depends on what the hackers have in mind.
  • But, as is the nature of these botnets, it is difficult to say definitively what it will be used for. Rather, it’s a question of looking at the clues and reading between the lines.

So which routers has it infected to date?

Here’s the most recent list:
  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • TP-Link R600VPN
It has also infected MikroTik RouterOS devices (models 1016, 1036 and 1072) as well as the following network attached storage devices:
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software

What should I do if I own one of these routers?

  • You could pray, but the simplest action is to reboot your device. This clears the malware’s later stages from memory and temporarily disrupts it. It is not a cure: the first stage survives a reboot and can download the other stages again.
  • To remove it properly, return the router or NAS device to its factory settings. This is typically done by pressing and holding the reset button for several seconds while the device is powered on; check the manufacturer’s instructions for your model, as the procedure varies.
  • Then check the manufacturer’s website and install the latest firmware update before reconnecting the device to the internet.
  • Also make sure you’re not using an easy-to-crack or factory default admin password.

And law enforcement?

Yup, even the FBI is involved, reflecting just how serious this botnet is considered to be:
  • In a statement, the men in black said everyone (in the world?) who has small office and home office routers should reboot these devices to temporarily disrupt the malware.
As well as the advice offered above, it also said: “Owners are advised to consider disabling remote management settings on devices.” That only matters if you are using this feature, and we’re guessing not many home users are, but it is worth checking your router’s admin page anyway, as the setting is easy to overlook.