Advanced analytics running at Jigsaw Security have established a clear and concise link between Russia and the activity previously reported by US and Ukraine officials.
Utilizing our Big Data Analytic Platform, Jigsaw Security was able to show from historical activity that the vulnerability associated with VPNFilter, which has targeted Linksys, MikroTik, NETGEAR and TP-Link networking hardware, has been active longer than previously thought.
It has been reported that over 500,000 devices have been infected with VPNFilter. Upon looking at our historical data we have been seeing this activity back in July of 2016 but not much activity before that date. One of the findings observed is that this vulnerability was being used to spy on networks and has very similar capabilities to BlackEnergy, which was being abused far longer than VPNFilter.
Previously Reported Activity being Slowed
Previously, Jigsaw Security reported that we believed Russia was building a large network of nodes to be used in further attacks. What is interesting is that many of the systems observed to be vulnerable showed signs that information was being recovered, including user passwords, browser histories, cookies and other sensitive data that was believed to have been recorded and stored by Russia.
With the FBI taking down the toknowall[.]com domain, we believe that there are additional domains associated with this attack and have sinkholed those domains in our platform. In order to prevent this type of attack we had to look at the traffic generated to the toknowall domain and then look for similar patterns elsewhere to determine the infrastructure of the attackers.
The malware has also been observed communicating over Tor on our newly released dark web sensors. New detection methods have been added to Event 28901 which will find infected devices regardless of which C2 the callback occurs on.
Making the Connection
Using historical data is always a good way to figure out how long a particular campaign has been going on, since looking back is always easier than looking forward. While the activity level for VPNFilter has remained fairly static, the amount of traffic has been picking up on unknown C2 servers. We noted that as soon as we started publishing some of the IP addresses that we have detected on our blog, Russian-based IPs would log in and read our articles very soon after they were posted. We will be updating all information in Event 28901 and will stop posting information to the blog concerning this event. The connection was made because customers started observing outbound scanning activity that was not normal for their networks, and our FirstWatch sensors would pick this up as anomalous activity.
We have observed this activity reaching back to several IP addresses which we have previously observed in confirmed Russian activity.
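As an added example (not Jigsaw Security's own detection code or the logic behind Event 28901), the two signals described above, lookups of the known C2 domain and outbound scanning that is not normal for a network, applied to constructed flow and DNS log lines; the log format, the scan threshold and the window are assumptions for illustration.

```python
from collections import defaultdict, deque

C2_DOMAINS = {"toknowall.com"}  # the C2 domain named in the post (defanged there)

# Constructed sample lines, not real telemetry. Assumed format:
# "<epoch> <kind> <src_ip> <dst>" where kind is "dns" or "flow".
SAMPLE_LOGS = """\
1500000000 dns 192.168.1.1 toknowall.com
1500000005 dns 192.168.1.20 example.org
1500000010 flow 192.168.1.1 203.0.113.5:23
1500000012 flow 192.168.1.1 203.0.113.6:23
1500000014 flow 192.168.1.1 203.0.113.7:23
1500000016 flow 192.168.1.1 203.0.113.8:23
1500000018 flow 192.168.1.1 203.0.113.9:23
1500000020 flow 192.168.1.20 198.51.100.10:443
1500000500 flow 192.168.1.20 198.51.100.11:443
"""

def parse(text):
    """Yield (epoch, kind, src, dst) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        yield int(parts[0]), parts[1], parts[2], parts[3]

def c2_lookups(records):
    """Internal hosts that resolved a known (taken-down or sinkholed) C2 domain."""
    return {src for _, kind, src, dst in records
            if kind == "dns" and dst.lower().rstrip(".") in C2_DOMAINS}

def outbound_scanners(records, min_targets=5, window=60):
    """Hosts contacting >= min_targets distinct external IPs on one port
    within `window` seconds: the outbound scanning the post calls anomalous."""
    seen = defaultdict(deque)  # (src, port) -> recent (epoch, dst_ip)
    flagged = set()
    for ts, kind, src, dst in sorted(records):
        if kind != "flow" or ":" not in dst:
            continue
        ip, port = dst.rsplit(":", 1)
        recent = seen[(src, port)]
        recent.append((ts, ip))
        while recent and ts - recent[0][0] > window:
            recent.popleft()  # drop flows older than the window
        if len({d for _, d in recent}) >= min_targets:
            flagged.add(src)
    return flagged

def detect(text=SAMPLE_LOGS):
    recs = list(parse(text))
    return {"c2_lookups": c2_lookups(recs), "scanners": outbound_scanners(recs)}
```

On the sample above the router at 192.168.1.1 is flagged by both checks, while the host at 192.168.1.20, whose two flows are far apart, is not.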