
New VPNFilter malware targets routers and NAS boxes worldwide


A virulent new strain of malware has infected more than half a million consumer and small-business networking devices, it has been revealed. 

Dubbed 'VPNFilter' by researchers at Talos, the security division of Cisco Systems, the infection targets numerous routers and network-attached storage (NAS) devices from major manufacturers such as Netgear, QNAP, TP-Link and Linksys.

The malware is able to spy on network traffic and potentially steal website usernames and passwords, and can also be used to 'brick' infected devices, rendering them inoperable.

Although the exact creator of the malware is as yet unknown – and if other recent attacks are an indication, it will likely remain so – after working with law enforcement as well as private- and public-sector partners, Cisco has stated that the "sophisticated modular malware system" appears to be the work of a state-sponsored or state-affiliated actor.

Target local, spread global

The malware’s creators appear to be focused on infecting devices located within Ukraine, although the virus has been discovered hiding on equipment located in 54 countries across the globe. 

Certain parts of the code used in VPNFilter match that found in an earlier malware strain called BlackEnergy, which also heavily targeted Ukrainian devices and was used in several large-scale attacks.

The malware is designed so that additional capabilities can be added after the initial device infection and, unlike many other viruses targeting Internet of Things gear, it could initially persist after a device had been rebooted – although, according to The Daily Beast, the FBI has reportedly managed to seize a server being used by the botnet, which has subsequently disabled VPNFilter's ability to reactivate itself after a reboot.

Cisco recommends that infected users reset their devices to factory defaults and then reboot them, which should remove the "potentially destructive, non-persistent stage 2 and stage 3 malware".

The networking company has also released the model numbers of devices known to be at risk of infection, but warns that the current list is likely incomplete, and that other devices are almost certain to be added:

  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • TP-Link R600VPN
Dan Gardiner

Dan is a veteran Australian tech journalist with more than 20 years' industry experience. He cut his teeth in the world of print media, starting as a product reviewer and tester and eventually working his way up to become editor of the two top-selling tech mags Down Under (TechLife and APC) and has been managing TechRadar's APAC presence since 2016. He's passionate about most things tech, but is particularly opinionated when it comes to PC hardware, phones, ereaders, video games and online streaming. When he's not staring at screens, Dan loves to spend time cooking – particularly spicy Thai food. (If it's not hot enough to bring tears to your eyes, he's not interested.)