Russians Hack Wi-Fi Routers: What to Do Right Now

It's a pain in the neck, but you should probably factory-reset your home wireless router as soon as possible. You definitely need to do this if you own one of several Netgear, Linksys, TP-Link or MikroTik models.

Credit: Cesezy Idea/Shutterstock

That's because at least 500,000 routers and other devices worldwide have been infected by sophisticated malware that likely comes from Russian state-sponsored hackers, as Cisco Talos labs disclosed last week. The malware, which Cisco Talos calls "VPNFilter," can steal personal information, redirect web traffic, infect other devices and -- worst of all -- even "brick" infected devices to make them unusable.

The FBI said owners of any small-office/home-office (SOHO) routers should reboot their devices, but that won't fully get rid of the malware. (The FBI seized a web domain crucial to the malware's operations, but that may be only a temporary fix.)

You actually have to reset the router to factory-default settings to make sure the VPNFilter malware is gone. Several specific router models are known to be affected by VPNFilter, but Cisco Talos fears those might just be the tip of the iceberg.


Cisco Talos listed the definitively affected routers as the Linksys E1200, E2500 and WRVS4400N; the Netgear DGN2200, R6400, R7000, R8000, WNR1000 and WNR2000; and the TP-Link TL-R600VPN SafeStream VPN router. MikroTik Cloud Core routers, mainly used by enterprises, may be affected if they run versions 1016, 1036 or 1072 of the MikroTik RouterOS.

Cisco Talos found that two QNAP network-attached-storage (NAS) drives, the TS-251 and TS-439 Pro, were also affected by VPNFilter.

But Cisco Talos isn't done with its research.

"Given our observations with this threat, we assess with high confidence that this list is incomplete and other devices could be affected," Cisco Talos researchers wrote in a blog posting.

"We recommend that users of SOHO routers and/or NAS devices reset them to factory defaults and reboot them," the posting said. "Due to the potential for destructive action by the threat actor, we recommend out of an abundance of caution that these actions be taken for all SOHO or NAS devices, whether or not they are known to be affected by this threat."

All the routers affected by VPNFilter had previously disclosed vulnerabilities, and Cisco Talos assumes that the attackers got in by exploiting those flaws. However, a VPNFilter infection is hard to detect, and a device that is up to date now may have been infected before its patches were applied, so it's best to start from scratch.

How to Factory-Reset Your Router

Before you reset your router, do a little preparation. Write down the names of and passwords for your wireless networks. That way, you can set up the router again with the same information and all your devices will re-connect easily.

Make sure that you have any router setup disks, instructions or software at hand if you need to refer to them. If you don't, you can get them from the router maker's website. You should also have an Ethernet cable; there's usually one in the retail box with the router.

Finally, make sure that no one else, and no device, in your household is actively using the internet connection, as the reset and setup process can take up to an hour.


Next comes the actual reset. There's often a small pinhole button on the underside or back of the router that performs a factory reset if you press it with a pin or the end of a paperclip. If there isn't, check your router maker's website for specific factory-reset instructions.

Press the button, or do what the router maker's website tells you to do. Then follow the regular setup instructions. You'll probably have to run a setup program from a PC or Mac while connected to the router via an Ethernet cable.

As indicated above, create the wireless network or networks using the same network names and access passwords as before, so that your Wi-Fi-enabled devices can connect painlessly.

But make sure you change the default administrative password that the factory reset restores. You should also disable remote administrative access if your router allows it.

Then install the latest firmware updates for your router. We've got instructions on how to do this with the major router brands here.

Comment from the forums
  • george_osborne
    Didn't hear ASUS or Arris mentioned but apparently the research is not complete.
  • Paul Wagenseil
    Anonymous said:
    Didn't hear ASUS or Arris mentioned but apparently the research is not complete.

    Yep, that's the issue. It would be great if we had to tell only the owners of specific models to worry, but we really don't know how big this is.

    I also wish that a simple reboot would get rid of the malware (as is true with most router malware), but that isn't the case here. A firmware update MIGHT clear out the malware, provided it replaces all the previously existing firmware, but I can't guarantee that that is true for all routers.
  • jimmysmitty
    Anonymous said:
    Anonymous said:
    Didn't hear ASUS or Arris mentioned but apparently the research is not complete.

    Yep, that's the issue. It would be great if we had to tell only the owners of specific models to worry, but we really don't know how big this is.

    I also wish that a simple reboot would get rid of the malware (as is true with most router malware), but that isn't the case here. A firmware update MIGHT clear out the malware, provided it replaces all the previously existing firmware, but I can't guarantee that that is true for all routers.

    I guess the question is then, does it affect WRT? Asus uses a customized WRT firmware and you can even download and use a customized version of that.

    Not sure with Arris and what they use.