The FBI has seized a domain it believes was used to control the Russian-run VPNFilter botnet, which it says was poised to launch a massive attack, possibly against Ukraine.
FBI Special Agent Michael McKeown stated in court documents that evidence exists showing the domain toknowall.com was to be used as part of an attack.
“There is probable cause to believe that the subject domain name constitutes personal property that was used or intended to be used to commit or to facilitate the commission of damage to protected computers.”
McKeown said in the affidavit that toknowall.com controls malicious software already used to infect devices, including routers, in the United States and other countries. He specifically stated that the Sofacy group, a known Russian entity that, according to the Department of Justice, also goes by the names “apt28,” “sandworm,” “x-agent,” “pawn storm,” “fancy bear” and “sednit,” was using the VPNFilter botnet malware to conduct the attack. (Most security vendors track Sandworm as a separate Russian group from APT28/Sofacy; the affidavit grouped the names together.)
Craig Young, a computer security researcher on Tripwire's Vulnerability and Exposure Research Team, called the FBI's action helpful, but he believes hundreds of thousands of additional routers remain vulnerable and could still be rounded up into a botnet.
“The FBI's takedown of the VPNFilter stage 2 delivery domain name is an important band-aid for the immediate problem, but on its own, this does nothing to resolve the underlying problems. If the operation is successful, device owners can simply reboot their devices to remove the more invasive malware components, but devices still need to be reset to factory defaults and have the latest firmware installed to completely recover devices,” Young said, adding that he doubts most router owners will take those steps.
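Because the seized domain is the one infected devices contact to fetch the stage 2 components, a lookup of toknowall.com from inside a network is a usable indicator that a device carries the persistent first stage, whether or not it has been rebooted. The following is an added example, not code from the article, the FBI or Tripwire: it scans a constructed, simplified resolver log (timestamp, client IP, query name, record type; real BIND, dnsmasq or Windows DNS logs have their own formats and need their own parser) and lists which clients resolved the domain or any subdomain of it, while ignoring look-alike names such as nottoknowall.com.

```python
"""Flag DNS lookups of the seized VPNFilter stage 2 delivery domain.

Added example, not part of the original article and not FBI or Tripwire
tooling. The log format below is a constructed, simplified resolver log;
real resolver logs differ and need their own parser.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# The domain named in the affidavit as the stage 2 delivery domain.
STAGE2_DOMAIN = "toknowall.com"

# Constructed sample log lines (not a real capture). 192.168.1.1 is the
# kind of gateway address a home router would query from.
SAMPLE_LOG = """\
2018-05-23T09:14:02Z 192.168.1.1 query: toknowall.com A
2018-05-23T09:14:05Z 192.168.1.20 query: www.example.com A
2018-05-23T09:20:11Z 192.168.1.1 query: ToKnowAll.com. A
2018-05-23T09:31:47Z 10.0.0.5 query: nottoknowall.com A
2018-05-23T09:40:00Z 192.168.1.1 query: api.toknowall.com A
garbage line that does not parse
"""

# Assumed line layout: <timestamp> <client ip> query: <name> <type>
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query:\s+(\S+)\s+(\S+)$")


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'ToKnowAll.com.' matches."""
    return name.lower().rstrip(".")


def matches_domain(qname: str, domain: str = STAGE2_DOMAIN) -> bool:
    """True for the domain itself or any subdomain of it.

    The label boundary check keeps look-alikes such as nottoknowall.com
    from being flagged.
    """
    q = normalize(qname)
    return q == domain or q.endswith("." + domain)


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (timestamp, client, qname, qtype) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    try:
        ipaddress.ip_address(client)  # reject lines with a malformed client field
    except ValueError:
        return None
    return ts, client, qname, qtype


def find_infected_clients(log_text: str) -> Dict[str, List[str]]:
    """Map each client IP that resolved the stage 2 domain to its query timestamps."""
    hits: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname, _ = rec
        if matches_domain(qname):
            hits.setdefault(client, []).append(ts)
    return hits


if __name__ == "__main__":
    for client, stamps in find_infected_clients(SAMPLE_LOG).items():
        print(f"{client}: {len(stamps)} lookup(s) of {STAGE2_DOMAIN}, first at {stamps[0]}")
```

A client that keeps resolving the domain after a reboot is still carrying the component that survives a restart, which is the case Young describes: the reboot clears the more invasive stages, but only a factory reset and a firmware update finish the job. Because the domain is now in the FBI's hands rather than the operators', the lookups themselves no longer fetch stage 2, but they still identify the devices that need that fuller cleanup.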