Russian Hackers Infect 500k Routers with Malware

Hackers, believed to be supported by the Russian government, have infected 500,000 wireless routers worldwide with malware, security experts claim. The attack has been traced back to a group alleged to have interfered with the recent U.S. elections.  

The malware, known as “VPNFilter” can monitor and extract all of the internet traffic passing through the infected routers. On top of this, the routers could be remotely switched off in a mass cyber-attack.

The infections were discovered as part of an ongoing investigation by cybersecurity companies Talos and Symantec. Given the scale and potential implications of the problem, they decided to release their findings early.

The group of hackers responsible for the attack is believed to be the same “Fancy Bear” group responsible for the interference in the 2016 US Presidential Election. FBI agents have seized a domain and a server located in Russia, which were both linked to the attack.

How Did the VPNFilter Malware Attack Happen?

Without getting into too much technical detail (there’s a full-breakdown on the Talso blog if you want that), the malware worked in two stages. It’s still unknown how the infection first takes hold, but older routers with well-known public vulnerabilities are the ones affected – there’s a list of models on the Talso blog.

The first stage was designed to gain a persistent foothold on the router and enable stage two.

Once the foothold had been established in stage one, the second stage collected the files and monitored the traffic passing through the router, removed data and could control the device.

What is of particular concern is that the stage one malware can remain on the router even after a full reboot. This sort of resilience is unprecedented for an internet-of-things malware attack.

After suspect routers had been identified, the stage-one malware would pull down a photo hosted on, which enabled the stage-two malware to be installed. If this failed, the metadata would call out to a website called ToKnowAll[.]com, the domain since seized by the FBI. This could install the stage-two malware as well.

VPN Filter attack

Credit: Talos blog

Who are the Hackers behind the Router Attack?

The specification motivations of the hackers are unclear at present. That the attack is believed to have originated from Russia adds yet more bad news to ongoing US-Russian relations.

The server seized by the FBI is still receiving data from the infected routers. The FBI has stated it can only view the IP addresses of the infected routers, but is using this information to fully investigate the scale of the attack.

Talos, one of the security firms behind the research that uncovered the attack, admits on a company blog that there are still many unknowns around this incident. However, the severity of the threat compelled Talos to publish details:

“Publishing early means that we don’t yet have all the answers — we may not even have all the questions. We will update our findings as we continue our investigation.” – Talos blog.

What to do to stay safe

As always, there are a few key maxims for staying safe and secure online.

How to Guard Against the VPNFilter Malware

Firstly, use a good anti-malware program to protect all of your devices, not just your computer.

Second, be mindful of the sites you visit – if they’re not HTTPS sites (you’ll spot this in the URL next to a small green padlock) steer clear.

However, as the malware affects the router, not just a PC or other device in your network, your ISP has some responsibility towards protecting your data. A good broadband provider will make sure that the routers it provides are secure, with strong network passwords and regular patches to maintain their protections against attacks.

What to Do if Your Router is Infected

If you have already been targeted by the VPNFilter attack, the best thing to do is get a new router. Due to the resilience of the stage one malware mentioned earlier, there’s not a lot you can do to remove it.

Getting a new router is fairly easy – most ISPs should be willing to offer you a new, more secure one, given the circumstances. Alternatively, you could invest in a third-party router.

These can often be more secure and offer faster network speeds that ISP routers – make sure you get one with a built-in modem if you’re not the most tech-confident user.

Can You Trust VPNs?

Although this incident makes the word “VPN’ sound potentially suspect, don’t be put off from using a VPN service.

A good VPN is a perfectly secure and legal way to make your IP address private and provide encrypted access to the internet – we’re big fans of PureVPN in particular.

Ready to choose a VPN? Check our VPN reviews to help you pick a fast, secure VPN service

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at

Written by:
Tom Fogden is a writer for with a range of experience in the world of tech publishing. Tom covers everything from cybersecurity, to social media, website builders, and point of sale software when he's not reviewing the latest phones.
Explore More See all news
Back to top
close Thinking about your online privacy? NordVPN is's top-rated VPN service See Deals