Researchers publish emergency report on VPNFilter malware threat

Product: Internet Security By: amanvpn Created: (09,04,2022 at 14:49 PM)

Since 2016, a highly advanced and organized hacking organization – likely run by a hostile state – has been infecting internet routers around the world with a powerful piece of malware that researchers call VPNFilter. The malware was being researched and followed in secrecy, but recent events have prompted researchers at Cisco’s Talos research division to publish their incomplete findings prematurely. What is VPNFilter, who’s spreading it, what does it do – and what has the researchers at Talos so worried?


What is VPNFilter and what does it do?

VPNFilter is a highly advanced, multi-functional piece of malware that has infected over 500,000 routers and network-compatible storage devices around the world. In their report, the researchers repeatedly emphasize that the malware is highly advanced and will survive regular reboots – something that usually wipes out most router-based malware. The malware has nothing to do with VPNs. Its name – VPNFilter – is based on one of the directories the malware creates to hide itself. It also helps describe a few of the many functions this malware can perform. It can be used much like a VPN to mask the state actor’s attacks, and it can also read any communications heading through the router. When I need to use a bullet list to describe what a piece of malware does, you know it’s bad:

It can delete your router’s firmware code to turn it into a useless brick and disconnect you from the internet for an extended period of time;

It can use your router as a platform to infect other devices or launch organized DDoS attacks against other servers;

It can monitor your online communications and steal website login credentials;

It can perform elaborate commands and send them over the Tor network to further anonymize the hostile actor’s identity;

It can deploy additional, more advanced plugins sent by the owner of the malware if it determines that it has infected a high-priority target;

It can monitor communications that are part of your Internet-of-things network.

Don’t forget that the researchers’ work is not yet complete, so neither is this list. There are other functions to this highly developed piece of malware that they can only guess at, but they know they’re there. The malware is capable of working with new plugins that the hostile owner can send to the victim after the initial infection is complete.

A tool of state cyber-warfare?

Due to the highly advanced and modular nature of the malware, as well as the effort that has been taken to anonymize its owners, the researchers at Talos believe that the malware was created by a hostile state. Due to recent developments, many reporters suspect that this hostile state may be Russia. The recent development that prompted the researchers to publish their incomplete findings was a rapid, steep increase in the number of infected devices in Ukraine. The malware in Ukraine was spread along a specialized network dedicated entirely to that country, and after the military seizure of the Crimean peninsula by Russia in 2014, Russia remains the most likely suspect state to target Ukraine. In addition, the FBI just seized a server being used by the malware’s operators. The evidence uncovered suggests that it is being run by the same group of Russian hackers – the Sofacy Group – who were allegedly responsible for the 2016 hacking of the Democratic National Convention’s servers.

Am I infected? How can I protect myself?

Unfortunately, since the researchers at Talos haven’t yet completed their work, the rest of us can only speculate about what else this malware can do and how we can protect ourselves. Here’s what we do know:

“The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices.” (A more complete list of known devices can be found in the report, but the researchers also add that more devices are likely to be affected.)

If you suspect that your device has already been infected, a reboot won’t do the trick. The researchers suggest resetting your device to its factory settings to remove the malware. Review your device’s instruction manual or consult with your ISP before doing so, because losing access to your router’s settings may leave you without internet access or may open new vulnerabilities when you reboot it.

The report hints that ISPs and device manufacturers will be working rapidly to address the threat this malware poses to their users. Therefore, they suggest ensuring that your device is updated and that you download any updates that might be released.
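The three steps above (identify devices in the affected vendor families, factory-reset rather than reboot a suspected device, then apply vendor updates) as a small triage helper. This is an added example, not code from Talos or AmanVPN; the inventory format, the `firmware_current` and `suspected_infected` flags and the sample hostnames are assumptions made for the demo, and only the vendor names come from the report quote.

```python
from dataclasses import dataclass

# Vendor families the Talos quote names as affected (SOHO routers plus QNAP NAS).
AFFECTED_VENDORS = {"linksys", "mikrotik", "netgear", "tp-link", "qnap"}


@dataclass
class Device:
    hostname: str
    vendor: str
    firmware_current: bool        # assumed: already compared against vendor releases
    suspected_infected: bool      # assumed: set from other telemetry, not derived here
    rebooted_only: bool = False   # operator's only remediation so far was a reboot


def triage(dev: Device) -> list[str]:
    """Return ordered remediation steps for one device, following the report:
    a reboot does not remove VPNFilter, a factory reset does, and vendor
    firmware updates should be installed once released."""
    steps = []
    if dev.vendor.lower() not in AFFECTED_VENDORS:
        # The report expects more devices to be affected, so unknown is not "safe".
        steps.append("vendor not on the known-affected list: treat as possibly affected and watch for advisories")
    if dev.suspected_infected:
        if dev.rebooted_only:
            steps.append("reboot is insufficient: VPNFilter survives reboots")
        steps.append("review the vendor manual or consult the ISP, then factory-reset the device")
    if not dev.firmware_current:
        steps.append("install the vendor firmware update")
    if not steps:
        steps.append("no action required: known vendor, no suspicion, firmware current")
    return steps


def triage_inventory(devices: list[Device]) -> dict[str, list[str]]:
    """Map each hostname to its remediation steps, suspected devices first."""
    ranked = sorted(devices, key=lambda d: (not d.suspected_infected, d.firmware_current))
    return {d.hostname: triage(d) for d in ranked}


# Constructed sample inventory for the demo (hostnames and states are made up).
SAMPLE = [
    Device("office-gw", "NETGEAR", firmware_current=False, suspected_infected=True, rebooted_only=True),
    Device("nas-1", "QNAP", firmware_current=True, suspected_infected=False),
    Device("branch-gw", "OtherVendor", firmware_current=True, suspected_infected=False),
]

if __name__ == "__main__":
    for host, steps in triage_inventory(SAMPLE).items():
        print(host, "->", "; ".join(steps))
```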

AmanVPN cannot help you remove the malware from your router, but the VPN’s encrypted tunnel should not be readable by the malware. Using AmanVPN with Threat Protection switched on may also help protect you from becoming infected, but the researchers have not yet clarified exactly how devices become infected, so we can’t be certain.

