Threat Research
Stay on top of the latest threat research, information on in-the-wild cyber attacks and cyber operations from Juniper Threat Labs.
Juniper Employee , Juniper Employee Juniper Employee
Threat Research
VPNFilter: a nation state campaign for surveillance and destruction
May 24, 2018


VPNfilter is a campaign to compromise small office and home routers as well as Network Attached Storage devices from several popular manufacturers. According to a Cisco Talos blog, there are upward of 500,000 infected devices already and the list may not be exhaustive. The malware used has surveillance capabilities as well as destructive capabilities, including the ability to render the infected device unusable permanently.




VPNfFilter has been lurking in the shadows for the better part of the last two years. It is unknown whether it uses any sophisticated means to breach internet connected devices, but the prevailing thinking in the security community is that it is exploiting previously known and unpatched vulnerabilities or just weak or default passwords. The malware is fairly sophisticated as it has multiple layers of redundancy in communicating with its command and control servers, using photo sharing site Photobucket, the specific hardcoded domain toknowall[.]com and a fallback plan of direct connection from the attackers to the compromised device itself. At some point in this fallback plan, it will open a socket connection and listen in on incoming packets looking for the specific packet from it's C2 server that will trigger an action.


As with any sophisticated implant, VPNfilter is capable of accepting a secondary payload that will perform most of the malware functions, but can also be augmented with purpose-built plugins. Two of the known plugins provide capability to sniff traffic looking for credentials or Modbus SCADA protocol and use TOR for communication. It is capable of doing anything a botnet can do, and more. The troubling part is its capability to wipe out a critical section of the infected device’s firmware rendering it permanently non functional, unless you are good with a soldering iron. If the threat actor behind this campaign pulls the trigger on this capability, hundreds of thousands of users will lose their connection to the internet until they purchase a new router.


There is evidence that the authors of this malware are the same as the authors of the BlackEnergy malware which crippled Ukraine’s energy grid in December 2015 and which the US Government attributed to Russian state actors. Additionally, Cisco observed on May 8 a heightened compromise activity focused on Ukrainian targets. Given that Ukraine’s Constitution Day on June 28 is fast approaching and given that Ukraine has suffered cyber attacks around this day in the past, there is circumstantial evidence that this build up is for an impending attack.


Call to action


Given the list of compromised device models is large and potentially incomplete, it is recommended that everyone reboot their home routers and NAS devices once. This will remove any second and third stage malware from their device since the malware does not have persistence capabilities. It will leave the first stage in place, which will try to download the second stage again, but with the law enforcement efforts to take down the known command and control infrastructure and the efforts by security vendors who provide equipment to Internet Service Providers, the threat should be partially mitigated. Additionally, make sure your device is patched to the latest firmware version released by the manufacturer, ensure default passwords are changed and disable any internet facing non necessary services, like remote management UI, SSH, Telnet, Ftp, etc.


Thanks to the Cyber Threat Alliance partnership that Juniper Networks is a member of, we have been able to put in place mitigation against all known actionable IOCs from this campaign.

May 24, 2018
Trusted Contributor

Worth watching Mounir Hahad's Q&A video: