DOJ Takes Action Against Sophisticated Botnet Linked to Russian DNC Hackers

On May 23, 2018, the U.S. Department of Justice ("DOJ") publicly announced its seizure of botnet infrastructure used by malware dubbed "VPNFilter." DOJ indicated that the sophisticated malware was linked to APT 28, the group private cybersecurity firms believe was responsible for hacking into the Democratic National Committee ("DNC") during the 2016 election. Of particular concern is the code VPNFilter shares with BlackEnergy, a sophisticated offensive malware campaign active in 2011–2015 that has been attributed to APT 28 and that targeted industrial control systems in the United States and the Ukrainian power grid.

Cybersecurity researchers indicate that the VPNFilter malware infects computers in three stages. The first stage installs a persistent "loader" onto an infected computer that calls out over the internet to download the Stage 2 and Stage 3 malware. Stages 2 and 3 in turn are capable of stealing website credentials entered by a user of an infected device, monitoring SCADA (supervisory control and data acquisition) protocols, and even rendering an infected device unusable. VPNFilter is believed to have infected nearly 500,000 users worldwide in 54 countries. Researchers believe that VPNFilter is able to cause offensive damage en masse, further showing its similarity to the destructive BlackEnergy campaign.

DOJ's actions have not ended the threat. VPNFilter is known to target Linksys, MikroTik, NETGEAR, and TP-Link routers in small office and home office environments, as well as QNAP network-attached storage ("NAS") devices. However, the full extent of VPNFilter's targeting is still not known, particularly in light of the malware's capabilities.

Companies should take immediate action to reboot all small office and home office routers and NAS devices (even those not identified above) to eliminate any Stage 2 or Stage 3 VPNFilter malware from their systems, and should stay up to date on threat intelligence for further vulnerability updates. Furthermore, companies should maintain good security patch management programs and immediately ensure that their devices have current patches installed.

Lawyer Contacts

For further information, please contact your principal Firm representative or the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at

James T. Kitchen

Jay Johnson

Todd S. McClelland

Jeff Rabkin
San Francisco / Silicon Valley
+1.415.875.5850 / +1.650.739.3954

Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website at The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.