Someone Has Infected At Least 500,000 Routers All Over The World And No One Knows Why

But Ukraine’s government says it thinks that Russia will use “VPNFilter” to attack Saturday’s Champions League final.
May 23, 2018, 4:45pm
Image: Shutterstock

Unknown hackers have reportedly infected at least 500,000 routers and other network devices all over the world with sophisticated and potentially destructive malware—and the Ukrainian government believes Russian hackers may use this botnet in an attack ahead of the Champions League soccer final this week in Kiev.

On Wednesday, Cisco’s subsidiary Talos warned of this new malware campaign, dubbing it “VPNFilter” because that’s the name of the folder where the malware creates and installs itself on the infected devices. Talos researchers wrote that VPNFilter’s most dangerous feature is that it can make the devices it lives on completely unusable thanks to a “kill” command.


“If it suited their goals, this command could be executed on a broad scale, potentially rendering hundreds of thousands of devices unusable, disabling internet access for hundreds of thousands of victims worldwide or in a focused region where it suited the actor's purposes,” the Talos report read.

Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at, or email

VPNFilter can also be used to exfiltrate and monitor data that passes through the routers, use the infected devices as infrastructure to launch other attacks, and it appears to be designed to target critical infrastructure, too. Talos researchers believe the hackers behind the malware may be planning to use the infected devices as a way to hide their tracks in future operations.

“We assess with high confidence that this malware is used to create an expansive, hard-to-attribute infrastructure that can be used to serve multiple operational needs of the threat actor,” the researchers wrote.

Craig Williams, Talos director, said in an email that “the ultimate goal of this attack is likely to leverage infected devices for a much larger scale attack.”

Read more: How To Protect Your Home Router From Attacks

Ukraine’s Security Service said in a statement that VPNFilter could be used for a large-scale cyberattack on government infrastructure and private companies ahead of Saturday’s Champions League final between Real Madrid and Liverpool. The country’s security service believes the Russian government is behind it and its goal is to destabilize the country during or ahead of the game

The US National Cybersecurity and Communications Integration Center released an advisory on VPNFilter, suggesting users and network administrators should review Talos’ research. The Cyber Threat Alliance, an umbrella organization that promotes the sharing of information about cyberattacks, also warned of the malware. Its chief executive officer Michael Daniel, who was cybersecurity coordinator for President Barack Obama, told Reuters that “We should be taking this pretty seriously.”

VPNFilter was detected in several brands of routers, such as Linksys, MikroTik, NETGEAR and TP-Link. VPNFilter is the latest in a long string of malware to targeting routers. Earlier this year, Kaspersky Lab revealed a government hacking campaign that hacked routers in the Middle East, and in 2016, a criminal hacker allegedly infected hundreds of thousands of routers.

Talos reported that they observed VPNFilter in at least 54 countries, with a recent spike of infections in Ukraine. The researchers admitted that their analysis of VPNFilter is still incomplete, but published it anyway to warn customers and other cybersecurity companies of the threat. Talos noted that VPNFilter contains some code that’s “identical” to code found in the BlackEnergy malware. This is the malware responsible for attacks on Ukraine’s power grid, which the US government attributed to Russian government hackers know as APT 28 and APT29, or Fancy and Cozy Bear.

Get six of our favorite Motherboard stories every day by signing up for our newsletter .