FBI wants everyone - including you - to reboot their routers

VPNFilter has been spreading since 2016, but recently upped its attacks. Photo credit: Getty

The FBI wants everyone in the world - including you - to reboot their routers in case they've been hacked by Russian cyber warriors.

An infection known as VPNFilter has been detected in hundreds of thousands of routers in dozens of countries, and is believed to be in many more. It's being used to launch attacks on infrastructure, and also has the ability to 'brick' your device, rendering it useless.

It was first made public on Wednesday last week by security researchers at Cisco, which makes communications equipment.

"It has destructive capability," said Michael Daniel, president of the Cyber Threat Alliance - a group of communications and web security companies.

"The malware's flexible command structure gives the adversary the ability to use it to 'brick' these devices. That's not a capability usually built into malware like this."

While VPNFilter has been spreading since 2016, Cisco says in the past two weeks it has ramped up the number of attacks - mainly directed at Ukraine.

"This attack basically sets up a hidden network to allow an actor to attack the world from a stance that makes attribution quite difficult," Cisco security researcher Craig Williams told tech site CNet.

The sophistication of the malware has led researchers to conclude it's the product of Russian state agents. But it has a flaw - the malware works in three stages, and rebooting the router knocks out stages two and three, which actually carry out the attacks.

The FBI has already seized the website which was used to deliver stages two and three to infected devices.

"The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices," the law enforcement agency said in a statement.

"Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware."

The US Department of Justice said infected routers would still try to download stages two and three once they're back online, but the actions taken so far against the perpetrators would slow down any further reinfection.

But there is a way to eliminate it entirely - perform a factory reset on your router. This will wipe the malware completely, but also delete all your settings, so make sure you know what you're doing before going for the nuclear option.


Kiwis on tech forum geekzone.co.nz have reported being contacted by their ISPs to warn them their routers have been infected.

So far 14 router models are known to be susceptible to the malware, but the FBI recommends all home and small business routers either be rebooted or reset.

The routers known to be affected are:

  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN