Incident: VPNFilter Malware Targets Home and Small Business Routers.

Published Date: 2018-05-23

Postmortem Analysis
Timeline:
1. The software failure incident involving the VPNFilter malware affecting routers from various manufacturers happened in May 2018, as reported in Article 71443.
2. The expanded report on the VPNFilter malware targeting more makes and models of devices was published in June 2018, as reported in Article 72396.

System:
1. Home routers, including those sold by Netgear, TP-Link, Linksys, MikroTik, and QNAP network storage devices [71443].
2. Various makes and models of routers, including Asus, D-Link, Huawei, Ubiquiti, Upvel, and ZTE [72396].

Responsible Organization:
1. A group of sophisticated hackers responsible for the VPNFilter malware incident [71443].
2. Russian hackers targeting routers with the VPNFilter malware [72396].

Impacted Organization:
1. Home and small business routers, including those sold by Netgear, TP-Link, Linksys, MikroTik, and QNAP network storage devices, were impacted by the VPNFilter malware [71443].
2. Additional makes and models of devices were targeted by the VPNFilter malware, including routers from Asus, D-Link, Huawei, Ubiquiti, Upvel, and ZTE [72396].

Software Causes:
1. The software cause of the failure incident was the VPNFilter malware, which infected at least half a million home and small business routers, including those sold by manufacturers such as Netgear, TP-Link, Linksys, MikroTik, and QNAP [71443].
2. The VPNFilter malware targeted more makes and models of devices than initially thought, including routers from Asus, D-Link, Huawei, Ubiquiti, Upvel, and ZTE, and had additional capabilities such as the ability to deliver exploits to endpoints [72396].

Non-software Causes:
1. Lack of firmware updates for home routers, making them vulnerable to remote attacks [71443, 72396].
2. Vulnerabilities in home routers that allow remote hackers to take control [71443].

Impacts:
1. The VPNFilter malware infected at least half a million home and small business routers, including those sold by manufacturers such as Netgear, TP-Link, Linksys, MikroTik, and QNAP, creating a network of hijacked routers that could be used for espionage, spying, and potentially destructive activities [71443].
2. The malware was capable of siphoning off data passing through the infected network devices, monitoring credentials entered into websites, and watching communications over the Modbus SCADA protocol used for controlling automated equipment and IoT devices [71443].
3. The majority of the 500,000 victim routers were in Ukraine, indicating a potential targeted attack on Ukrainian networks, with similarities to previous cyberattacks in Ukraine attributed to Russian hacker groups [71443].
4. The impacts of the VPNFilter malware led to an expanded list of affected router models, requiring users to upgrade firmware and perform factory resets to safeguard against the malware [72396].

Preventions:
1. Regularly updating firmware: updating the firmware of the affected routers could have prevented the VPNFilter malware incident [71443, 72396].
2. Implementing strong security measures: enforcing measures such as changing default passwords, disabling remote management settings, and following best practices for router security could have helped prevent the malware attack [71443, 72396].
3. Conducting regular security audits: performing regular security audits and vulnerability assessments on network devices could have identified and mitigated potential risks before they were exploited by hackers [71443].
4. Educating users: educating users on the importance of router security, firmware updates, and safe internet practices could have increased awareness and helped prevent the spread of malware [72396].

Fixes:
1. Upgrading the firmware and factory-resetting the affected routers [72396].

References:
1. Talos security division
2. Cisco
3. Cyber Threat Alliance
4. Ukrainian government
5. SBU (Security Service of Ukraine)
6. UK and US governments
7. Netgear
8. TP-Link
9. Linksys
10. MikroTik
11. QNAP
12. Asus
13. D-Link
14. Huawei
15. Ubiquiti
16. Upvel
17. ZTE
18. FBI
19. White House
20. Russian hacker group Sandworm
21. Champions League soccer tournament
22. WIRED
23. Security firm Cisco Talos
[71443, 72396]

Software Taxonomy of Faults

Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident having happened again at one_organization: The VPNFilter malware incident has similarities to previous cyberattacks targeting Ukraine, such as the NotPetya attack. Talos found that one element of VPNFilter's code overlaps with BlackEnergy, which was used in previous hacker intrusions in Ukraine in 2014. These attacks culminated in the first-ever confirmed blackouts caused by hackers in Ukraine in December 2015 [71443].
(b) The software failure incident having happened again at multiple_organization: The VPNFilter malware incident has expanded to target more makes and models of devices beyond what was initially thought. The list of affected routers now includes models from Asus, D-Link, Huawei, Ubiquiti, Upvel, and ZTE. Users of these routers are advised to upgrade the firmware and perform a factory reset to mitigate the impact of the malware [72396].

Category: Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The design-phase aspect of the software failure incident can be seen in the VPNFilter malware's effect on routers. The malware was able to infect at least half a million home and small business routers, including those from manufacturers such as Netgear, TP-Link, Linksys, MikroTik, and QNAP [71443]. The incident highlighted vulnerabilities in home routers that allowed remote hackers to take control of them, emphasizing the importance of software updates and patches to address such design flaws.
(b) The operation-phase aspect of the software failure incident is evident in the need for users to take action to mitigate the impact of the VPNFilter malware. Users were advised to upgrade the firmware of their routers and perform a factory reset to remove any trace of the malware [72396]. This operational response was necessary to safeguard the routers from further attacks and ensure the security of the network.

Category: Boundary (Internal/External)
Option: within_system
Rationale:
(a) within_system: The software failure incident described in the articles is primarily within the system. The VPNFilter malware targeted routers from various manufacturers, infecting them and creating a network of hijacked routers that could be used for malicious activities. The malware was capable of siphoning off data passing through the infected devices, monitoring credentials entered into websites, and even watching communications over specific protocols. Additionally, the malware had a destructive feature that could corrupt the firmware of the routers, essentially rendering them useless [71443, 72396].
(b) outside_system: The software failure incident does not seem to be primarily due to contributing factors originating from outside the system. The focus of the incident is on the malware infecting routers and the actions taken to address and mitigate the impact of the malware within the affected systems [71443, 72396].

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident occurring due to non-human actions: The software failure incident described in the articles is related to the VPNFilter malware that targeted routers from various manufacturers. This malware infected at least half a million home and small business routers, creating a network of hijacked routers that could be used for espionage activities, data monitoring, and potentially destructive purposes such as corrupting firmware [71443, 72396]. The malware was designed to serve as a multipurpose spy tool and could siphon off data passing through the infected network devices. It also had a destructive feature that could immediately corrupt the firmware of the hacked routers, essentially rendering them useless [71443].
(b) The software failure incident occurring due to human actions: The human-action aspect of the incident involves the response and mitigation steps taken after the discovery of the VPNFilter malware. Security researchers recommended upgrading the firmware and performing a factory reset on the affected routers to remove the malware and safeguard against future attacks [72396]. These steps required user intervention and compliance to ensure the routers were secure from the malicious activities of the malware.

Category: Dimension (Hardware/Software)
Option: hardware, software
Rationale:
(a) The software failure incident occurring due to hardware: The VPNFilter malware incident targeting routers is a software failure incident that has hardware implications. The malware infects routers, which are hardware devices, causing them to malfunction and potentially be bricked by corrupting their firmware [71443, 72396].
(b) The software failure incident occurring due to software: The VPNFilter malware incident is primarily a software failure incident, as it involves the spread of malware that infects routers and causes software-related issues such as data siphoning, spying, and potential destruction of firmware [71443, 72396].

Category: Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) The software failure incident described in the articles is malicious in nature. The incident involves the VPNFilter malware, which has infected at least half a million home and small business routers, including models from manufacturers such as Netgear, TP-Link, Linksys, MikroTik, and QNAP [71443]. The malware is designed to serve as a multipurpose spy tool, creating a network of hijacked routers that can be used for espionage activities, including monitoring data passing through the network devices, spying on credentials entered into websites, and watching communications over specific protocols used for controlling automated equipment and IoT devices [71443]. Additionally, the malware has a destructive feature that allows the hackers behind it to corrupt the firmware of the infected routers, essentially rendering them useless [71443]. Furthermore, the incident is linked to previous cyberattacks targeting Ukraine, with a significant number of the infected routers located in Ukraine. The malware's firmware-corrupting capability and the increase in Ukrainian infections suggest that the hackers behind the malware could be preparing for a mass disruption that might affect hundreds of thousands of Ukrainian networks simultaneously [71443]. The incident is seen as part of a larger cyberwar scenario involving aggressive Russian hackers targeting Ukraine [71443]. In summary, the software failure incident involving the VPNFilter malware is malicious in nature, with the objective of espionage, data theft, and potentially disrupting networks, particularly in Ukraine.
(b) There is no information in the articles to suggest that the software failure incident was non-malicious.

Category: Intent (Poor/Accidental Decisions)
Option: unknown
Rationale:
(a) The intent of the software failure incident: The software failure incident described in the articles is not related to poor decisions or intentional actions by the victims. Instead, it is a case of a sophisticated malware attack targeting routers and network devices [71443, 72396]. The malware, known as VPNFilter, is designed to infect routers and create a network of hijacked routers that can be used for various malicious activities, including espionage, credential theft, and potential disruption of networks [71443]. The malware targets a wide range of router models from different manufacturers, indicating a deliberate and organized effort by the attackers to compromise these devices [72396]. The primary intent behind the incident is espionage, data theft, and potentially network disruption, rather than poor or accidental decisions.

Category: Capability (Incompetence/Accidental)
Option: development_incompetence
Rationale:
(a) The software failure incident occurring due to development incompetence:
- The software failure incident described in the articles is related to the VPNFilter malware that infected at least half a million home and small business routers [71443].
- The malware was able to infect routers from various manufacturers, including Netgear, TP-Link, Linksys, MikroTik, and QNAP network storage devices [71443].
- The malware was sophisticated and designed to serve as a multipurpose spy tool, creating a network of hijacked routers that could be used for malicious activities [71443].
- The incident highlights the vulnerabilities in home routers that are prone to attacks due to lack of software updates and inherent security weaknesses [71443].
- The malware was capable of siphoning off data passing through the infected network devices and monitoring credentials entered into websites [71443].
(b) The software failure incident occurring accidentally:
- The software failure incident described in the articles is related to the VPNFilter malware that targeted routers from various manufacturers, expanding the list of affected devices beyond the initial report [72396].
- Users were advised to upgrade the firmware and perform a factory reset on their routers to mitigate the impact of the malware [72396].
- The incident required users to take proactive steps to secure their routers, indicating that the malware infection was not intentional on the users' part but a result of vulnerabilities in the affected devices [72396].
- The malware's ability to deliver exploits to endpoints and target a wide range of router models suggests that the incident was not a deliberate attack on any single device but a widespread issue affecting multiple devices [72396].

Category: Duration
Option: temporary
Rationale:
(a) The software failure incident described in the articles is temporary. The incident involves the VPNFilter malware infecting routers from various manufacturers, leading to the need for users to upgrade firmware and factory-reset their routers to mitigate the threat [72396]. The incident is characterized by the need for immediate action to address the vulnerability and prevent further exploitation by the malware.

Category: Behaviour
Option: crash
Rationale:
(a) crash: The software failure incident described in the articles can be categorized as a crash. The VPNFilter malware has a destructive feature that allows the hackers behind it to immediately corrupt the firmware of the entire collection of hacked routers, essentially bricking them [71443]. Additionally, the incident involves the need for affected routers to be factory-reset, indicating a failure that leads to the system losing state and not performing its intended functions [72396].

IoT System Layer

Layer: Perception
Option: None
Rationale: None

Layer: Communication
Option: None
Rationale: None

Layer: Application
Option: None
Rationale: None

Other Details

Category: Consequence
Option: property, non-human, theoretical_consequence
Rationale:
(a) death: There is no mention of people losing their lives due to the software failure incident in the provided articles [71443, 72396].
(b) harm: There is no mention of people being physically harmed due to the software failure incident in the provided articles [71443, 72396].
(c) basic: There is no mention of people's access to food or shelter being impacted because of the software failure incident in the provided articles [71443, 72396].
(d) property: People's material goods, money, or data were impacted due to the software failure incident, as the VPNFilter malware infected at least half a million home and small business routers, potentially leading to the destruction of firmware and bricking of the routers [71443, 72396].
(e) delay: People did not have to postpone an activity due to the software failure incident, as per the information provided in the articles [71443, 72396].
(f) non-human: Non-human entities were impacted due to the software failure incident, specifically the routers and network storage devices that were infected by the VPNFilter malware [71443, 72396].
(g) no_consequence: There were observed consequences of the software failure incident, particularly related to the potential destruction of firmware in the infected routers [71443, 72396].
(h) theoretical_consequence: There were potential consequences discussed in the articles, such as the malware being used to create an expansive infrastructure for various malicious activities, including espionage and distributed denial-of-service attacks [71443, 72396].
(i) other: The articles do not mention any other specific consequences of the software failure incident beyond those related to the impact on property, non-human entities, observed consequences, and theoretical consequences discussed [71443, 72396].

Category: Domain
Option: information, finance, government
Rationale:
(a) The software failure incident reported in the articles is related to the information industry. The incident involves malware-infected routers that could be used as a powerful tool to spread havoc across the internet, monitor credentials entered into websites, and watch for communications over specific protocols [71443, 72396].
(h) The failed system was also intended to support the finance industry. The malware-infected routers could potentially be used for espionage activities, distributed denial-of-service attacks, and to create an infrastructure that can serve multiple operational needs of the threat actor [71443, 72396].
(l) Additionally, the incident is related to the government industry. The majority of the affected routers were in Ukraine, and there were concerns that the hackers behind the malware could be preparing a mass disruption that might take down hundreds of thousands of Ukrainian networks simultaneously. This aligns with the ongoing cyberwar and previous cyberattacks targeting Ukraine, with potential links to Russian hackers [71443].

Sources
