The FBI seized a domain used to communicate with 500,000 infected routers Wednesday, cutting off a massive botnet that was possibly being used for a forthcoming cyberattack aimed at Ukraine.
The Department of Justice obtained a seizure order Wednesday that allowed U.S. law enforcement to seize “toknowall.com,” which was used as the command and control in the “VPNFilter” botnet.
VPNFilter was made public Tuesday, when it was announced that a combination of at least three groups — Cisco’s cybersecurity unit Talos, the nonprofit information sharing group Cyber Threat Alliance (CTA) and U.S. law enforcement — have all been quietly notifying companies about the early stages of a potentially expansive cyberattack against Ukraine.
In a seizure order made public Wednesday, the Department of Justice pinned the botnet on APT28, the hacking group known as “Fancy Bear.” The group is responsible for a number of high-profile hacks, including the 2016 hack of the Democratic National Committee.
“The FBI will not allow malicious cyber actors, regardless of whether they are state-sponsored, to operate freely,” said FBI Special Agent in Charge Bob Johnson. “These hackers are exploiting vulnerabilities and putting every American’s privacy and network security at risk. Although there is still much to be learned about how this particular threat initially compromises infected routers and other devices, we encourage citizens and businesses to keep their network equipment updated and to change default passwords.”
The FBI’s seizure affidavit gives more details on how investigators discovered the botnet: A women in Western Pennsylvania turned over her home router to the FBI after suspecting it was infected with some type of malware. From there, the FBI and several security experts found malware was communicating with various accounts on photo hosting website Photobucket. If infected devices could not communicate with the Photobucket account, they were instructed to connect to “toknowall.com.”
Researchers say that the VPNFilter-enabled botnet was capable of doing significant harm, including permanently disabling the hacked devices through a method known as “bricking,” which could cause thousands of companies to immediately lose internet connection and therefore likely lose business.
In addition to bricking a breached device, VPNFilter could also be used to steal website administrator credentials and for monitoring SCADA protocols. SCADA, an abbreviation of Supervisory Control and Data Acquisition, relates to data about industrial control equipment that’s used in power plants, nuclear facilities and manufacturing factories.
Big-brand routers like Linksys, MikroTik, NETGEAR and TP-Link were impacted by VPNFilter.
The public notifications on VPNFilter came ahead of a massive international soccer match, which will be hosted in Kiev, on May 26 and an important domestic holiday in Ukraine on June 28.
Last year, there was a delayed reaction inside Ukraine to the NotPetya attack due to it being launched a day before a Ukrainian holiday.
Ukraine has often been targeted in various Russia-linked cyberattacks, from the NotPetya attack to the 2014 BlackEnergy incident that caused widespread power outages in the country.
You can read the seizure affidavit below.