The FBI has issued a security warning that all home and small office routers should be rebooted after discovering sophisticated Russian-linked “VPNFilter” malware infecting at least 500,000 networking devices.

The malware is capable of blocking web traffic, collecting information that passes through home and office routers, and disabling the devices entirely, the bureau announced.

According to the Justice Department, the Sofacy Group, also known as APT28, or FancyBear, is responsible for the attack. The group, believed to be directed by Russia’s military intelligence agency, is the group that hacked the Democratic National Committee ahead of the 2016 presidential election.

 Photo by  Misha Feshchak

The FBI’s security notice suggests that all router owners reboot their devices. Cisco’s Talon group, who discovered the malware, says that “Due to the potential for destructive action by the threat actor, we recommend out of an abundance of caution that these actions be taken for all SOHO or NAS devices, whether or not they are known to be affected by this threat.”

The FBI has several recommendations for any owner of a small office or home office router. The simplest way to temporarily disrupt the malware is reboot the device. Rebooting your router eliminates the destructive part of the malware that Cisco calls the “Stage 2” and “Stage 3” elements of VPNFilter.

To reboot your router, unplug it from the wall, wait 30 seconds, and plug it back in.

Users are also advised to upgrade the device’s firmware and change your network password to one that is strong, unique, and not one you use for any other websites or services. If any remote-management settings are in place, the FBI suggests disabling them.

While the FBI recommends that all routers be rebooted, Symantec released the following list of routers and NAS devices known to be susceptible to VPNFilter. Some are popular affordable models, and one (the Netgear WNR1000) is provided to Comcast customers.

  • Linksys E1200

  • Linksys E2500

  • Linksys WRVS4400N

  • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072

  • Netgear DGN2200

  • Netgear R6400

  • Netgear R7000

  • Netgear R8000

  • Netgear WNR1000

  • Netgear WNR2000

  • QNAP TS251

  • QNAP TS439 Pro

  • Other QNAP NAS devices running QTS software

  • TP-Link R600VPN

While a reboot is a solid temporary fix, the FBI reports that the only way to completely eradicate the malware is to perform a full factory reset of your router and update it to the latest firmware version available. 

Unfortunately, VPNFilter’s “Stage 1” element can persist even through a reboot and then contact the hackers to reinstall the other stages of the malware. It’s a complicated procedure that requires you to reconfigure your network settings, but highly recommended if your router is on the list of devices known to be vulnerable to VPNFilter.

Linksys, MikroTik, Netgear, QNAP and TP-Link have all posted instructions explaining how to factory reset your routers and other ways to protect against VPNFilter.


Breadcrumb is a cybersecurity and executive advisory firm. Located in Central California, we partner with organizations throughout the US, protecting their critical assets from cyber breach. Contact us today for a no-obligation consultation.