Asus Wi-Fi routers attacked by Russian military hackers — what to do now

Image: a close-up of a generic home Wi-Fi router. (Image credit: KsanderDN/Shutterstock)

Notorious Russian state-sponsored hackers are attacking Asus home Wi-Fi routers, Japanese antivirus firm Trend Micro said yesterday (March 17).

The Cyclops Blink botnet malware, first spotted last month infecting Firebox small-business network-security appliances made by WatchGuard, now targets more than a dozen Asus home Wi-Fi routers, Trend Micro said. Infected devices have been detected in "the United States, India, Italy, Canada" and even Russia itself.

Even worse, Trend Micro believes that Asus may not be the only router brand affected. 

"We have evidence that other routers are affected too, but ... we were not able to collect Cyclops Blink malware samples for routers other than WatchGuard and Asus," researchers Feike Hacquebord, Stephen Hilt and Fernando Merces wrote. "This malware is modular in nature and it is likely that each vendor has different modules and architectures that were thought out well by the Cyclops Blink actors."

Sandworm strikes again

Cyclops Blink, sometimes written CyclopsBlink, is made and controlled by the Sandworm group, which is thought to be run by Russian military intelligence. Sandworm (a Dune reference) first rose to notoriety when the group attacked Ukrainian power plants in 2014. 

The Sandworm group was also likely responsible for the massive "Petya" (or "NotPetya") wave of ransomware-worm attacks in June 2017, which initially targeted Ukraine but quickly spread across the world. There's even a book about Sandworm.

But the true predecessor to Cyclops Blink is VPNFilter, a different router-based botnet made by the Sandworm group that targeted Asus, D-Link, Linksys, MikroTik, Netgear, TP-Link and Ubiquiti routers in the summer of 2018. VPNFilter is still infecting routers that haven't been patched with new firmware.

Trend Micro's researchers think that the Asus routers aren't actually the Cyclops Blink hackers' ultimate targets. Instead, the routers are likely being prepared for use as tools in larger attacks, possibly in conjunction with the ongoing Russian-Ukrainian war.

"Our data also shows that although Cyclops Blink is a state-sponsored botnet, its [command-and-control] servers and bots affect WatchGuard Firebox and Asus devices that do not belong to critical organizations, or those that have an evident value on economic, political, or military espionage," they wrote. 

"Hence, we believe that it is possible that the Cyclops Blink botnet's main purpose is to build an infrastructure for further attacks on high-value targets."

As with VPNFilter, the Cyclops Blink botnet malware will survive a reboot. The only way to truly immunize your vulnerable ASUS router is to factory-reset it and then update the router's firmware to a safe version.

Make sure you write down the names and passwords for your home wireless networks before you do the factory reset. Afterward, set up the router again with the same network information so that all your devices can re-connect easily.

Here's the list of affected ASUS routers, with vulnerable firmware.

Please note that the last three devices are marked as "end-of-life" (EOL) and will NOT be getting firmware updates to protect against Cyclops Blink. If you have one of those three, it's time to go through our list of best Wi-Fi routers and buy a new one.

  • GT-AC5300 firmware under 3.0.0.4.386.xxxx
  • GT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC5300 firmware under 3.0.0.4.386.xxxx
  • RT-AC88U firmware under 3.0.0.4.386.xxxx
  • RT-AC3100 firmware under 3.0.0.4.386.xxxx
  • RT-AC86U firmware under 3.0.0.4.386.xxxx
  • RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
  • RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
  • RT-AC3200 firmware under 3.0.0.4.386.xxxx
  • RT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
  • RT-AC87U (EOL)
  • RT-AC66U (EOL) (also affected by VPNFilter)
  • RT-AC56U (EOL)

The ASUS security advisory says that "If you have already installed the latest firmware version, please disregard this notice." However, since Trend Micro found evidence that Cyclops Blink has been quietly infecting devices "since at least June 2019," it wouldn't hurt to factory-reset your router regardless.
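If you look after more than one ASUS router (a family's worth, or a small office's), it helps to turn the list above into a check rather than eyeballing firmware strings. The following Python is an added example written for this article, not code from Tom's Guide, Trend Micro or ASUS: it takes the affected models and the "under 3.0.0.4.386.xxxx" threshold exactly as listed above, parses an ASUS-style firmware version string, and says whether a given router is end-of-life (replace it), needs the factory-reset-and-update procedure, is on a 386-or-later branch, or is not on the list at all. The inventory and firmware version strings in it are constructed for illustration.

```python
"""Triage ASUS routers against the Cyclops Blink advisory list.

Added example (not from the article, Trend Micro or ASUS). Model names and the
3.0.0.4.386 threshold come from the article; sample firmware strings are made up.
"""
import re
from typing import Optional

# Affected models that ASUS will fix: vulnerable while firmware is under 3.0.0.4.386.xxxx.
# ASUS lists "AC68R, AC68W, AC68P" as shorthand for the RT-AC68 family; expanded here.
SUPPORTED_AFFECTED = {
    "GT-AC5300", "GT-AC2900", "RT-AC5300", "RT-AC88U", "RT-AC3100", "RT-AC86U",
    "RT-AC68U", "RT-AC68R", "RT-AC68W", "RT-AC68P", "RT-AC66U_B1", "RT-AC3200",
    "RT-AC2900", "RT-AC1900P",
}

# End-of-life models: affected, and no fixing firmware will be released.
EOL_AFFECTED = {"RT-AC87U", "RT-AC66U", "RT-AC56U"}

# Minimum safe firmware branch from the advisory: 3.0.0.4.386.xxxx
SAFE_BRANCH = (3, 0, 0, 4, 386)

_VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")


def parse_version(version: str) -> tuple:
    """Turn an ASUS version string such as '3.0.0.4.386.41634' into an int tuple.

    Tuples compare element by element, which is exactly the ordering ASUS
    firmware branches use (384 < 386, and 3.0.0.4.x < 3.0.0.6.x).
    """
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"unrecognised firmware version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def normalize_model(model: str) -> str:
    """Accept 'rt-ac68p' or the advisory's shorthand 'AC68P' and return 'RT-AC68P'."""
    model = model.strip().upper()
    if not model.startswith(("RT-", "GT-")):
        model = "RT-" + model
    return model


def assess(model: str, firmware: Optional[str]) -> str:
    """Classify one router.

    Returns one of:
      'eol-replace'      - on the EOL list; no patch is coming, replace the device
      'reset-and-update' - affected model running firmware below 3.0.0.4.386 (or unknown)
      'patched-branch'   - affected model already on a 386-or-later branch
      'not-listed'       - model is not on the advisory list
    """
    model = normalize_model(model)
    if model in EOL_AFFECTED:
        return "eol-replace"
    if model not in SUPPORTED_AFFECTED:
        return "not-listed"
    if firmware is None:
        # Can't read the version (e.g. device unreachable): treat as vulnerable.
        return "reset-and-update"
    branch = parse_version(firmware)[: len(SAFE_BRANCH)]
    if branch < SAFE_BRANCH:
        return "reset-and-update"
    return "patched-branch"


def triage(inventory: dict) -> dict:
    """Map each router name in an inventory to its assessment."""
    return {
        name: assess(entry["model"], entry.get("firmware"))
        for name, entry in inventory.items()
    }


# Constructed sample inventory: names, models and firmware strings are illustrative.
SAMPLE_INVENTORY = {
    "living-room": {"model": "RT-AC86U", "firmware": "3.0.0.4.384.81351"},
    "office":      {"model": "RT-AC88U", "firmware": "3.0.0.4.386.45898"},
    "garage":      {"model": "AC68P",    "firmware": "3.0.0.4.384.10007"},
    "old-spare":   {"model": "RT-AC66U", "firmware": "3.0.0.4.382.52287"},
    "guest-ap":    {"model": "RT-AX88U", "firmware": "3.0.0.4.386.45898"},
    "unreachable": {"model": "RT-AC3100"},
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{name:12s} {verdict}")
```

Two design points: an unreadable firmware version is treated as vulnerable rather than unknown, because the safe default for a device that may already be part of a botnet is to reset it; and a "patched-branch" verdict only means the firmware threshold is met, which is why the article still suggests a factory reset given that infections date back to at least June 2019.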

Here are ASUS' instructions, with some clarifications from us:

  1. Reset the router to its factory-default settings. Log in to the web GUI (http://router.asus.com), go to Administration > Restore/Save/Upload Setting, click "Initialize all the settings and clear all the data logs," then click Restore.
  2. Update your router to the latest firmware. ASUS has firmware-update instructions here.
  3. Change the default administrative password to something long, strong and unique. Don't make it the same password you use to log into the network.
  4. Make sure that the "Remote Management" option in the router's Advanced Settings is turned off. It should be off by default.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.