DOJ Takes Action Against Sophisticated Botnet Linked to Russian DNC Hackers

On May 23, 2018, the U.S. Department of Justice ("DOJ") publicly announced its seizure of command-and-control infrastructure used by a botnet built on malware dubbed "VPNFilter." DOJ indicated that the malware was linked to APT 28 (also known as Sofacy or Fancy Bear), the group private cybersecurity firms believe was responsible for hacking into the Democratic National Committee ("DNC") during the 2016 election. Of particular concern is the code overlap researchers found between VPNFilter and BlackEnergy, a malware family used between 2011 and 2015 in campaigns against industrial control systems in the United States and, in December 2015, the Ukrainian power grid; DOJ's announcement associates both with the same actor.

Cybersecurity researchers indicate that VPNFilter compromises devices in three stages. Stage 1 is a loader that persists on the device across reboots and calls out over the internet to locate its command-and-control server and download the Stage 2 and Stage 3 components. Stage 2 is the main payload, capable of collecting files, executing commands, and, on command, overwriting the device's firmware so that it no longer functions. Stage 3 consists of plug-in modules that extend Stage 2, including a packet sniffer that captures website credentials in traffic passing through the infected router and monitors Modbus, a SCADA (supervisory control and data acquisition) protocol. Only Stage 1 survives a reboot; Stages 2 and 3 reside in memory and must be re-downloaded after a restart. VPNFilter is believed to have infected at least 500,000 devices in 54 countries. Because the firmware-wiping command can be issued to every infected device at once, researchers believe VPNFilter is capable of destructive damage en masse, a further similarity to the BlackEnergy campaign.

DOJ's actions have not ended the threat: seizing a command-and-control domain disrupts the attackers' ability to reach infected devices, but it does not remove the persistent Stage 1 loader from them. VPNFilter is known to target Linksys, MikroTik, NETGEAR, and TP-Link routers used in small and home offices, as well as QNAP network-attached storage ("NAS") devices. However, the full extent of VPNFilter's targeting is still not known, and the list of affected models may grow.

Companies should take immediate action to reboot all small or home office routers and NAS devices (including models not identified above) to clear any Stage 2 or Stage 3 VPNFilter components from memory. Because the Stage 1 loader survives a reboot, a reboot alone does not disinfect a device; affected devices should also be reset to factory defaults, updated to the latest vendor firmware, and configured with new administrative credentials and with remote management disabled. Companies should monitor vendor and government threat intelligence for further updates on affected models, maintain a sound security patch management program, and confirm that their devices are running current firmware.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.