Exclusive: FBI Seizes Control of Russian Botnet The FBI operation targets a piece of sophisticated malware linked to the same Russian hacking group that hit the Democratic National Committee in 2016.
Kevin Poulsen 05.23.18 6:25 PM ET
FBI agents armed with a court order have seized control of a key server in the Kremlin’s global botnet of 500,000 hacked routers, The Daily Beast has learned. The move positions the bureau to build a comprehensive list of victims of the attack, and short-circuits Moscow’s ability to reinfect its targets.
The FBI counter-operation goes after “VPN Filter,” a piece of sophisticated malware linked to the same Russian hacking group, known as Fancy Bear, that breached the Democratic National Committee and the Hillary Clinton campaign during the 2016 election. On Wednesday security researchers at Cisco and Symantec separately provided new details on the malware, which has turned up in 54 countries including the United States.
VPN Filter uses known vulnerabilities to infect home office routers made by Linksys, MikroTik, NETGEAR, and TP-Link. Once in place, the malware reports back to a command-and-control infrastructure that can install purpose-built plug-ins, according to the researchers. One plug-in lets the hackers eavesdrop on the victim’s Internet traffic to steal website credentials; another targets a protocol used in industrial control networks, such as those in the electric grid. A third lets the attacker cripple any or all of the infected devices at will.
The FBI has been investigating the botnet since at least August, according to court records, when agents in Pittsburgh interviewed a local resident whose home router had been infected with the Russian malware. “She voluntarily relinquished her router to the agents,” wrote FBI agent Michael McKeown, in an affidavit filed in federal court. “In addition, the victim allowed the FBI to utilize a network tap on her home network that allowed the FBI to observe the network traffic leaving the home router.”
That allowed the bureau to identify a key weakness in the malware. If a victim reboots an infected router, the malicious plugins all disappear, and only the core malware code survives. That code is programmed to connect over the Internet to a command-and-control infrastructure set up by the hackers. First it checks for particular images hosted on Photobucket.com that held hidden information in the metadata. If it can’t find those images—which have indeed been removed from Photobucket—it turns to an emergency backup control point at the hard-coded web address ToKnowAll[.]com.
On Tuesday, FBI agents in Pittsburgh asked federal Magistrate Judge Lisa Pupo Lenihan in Pittsburgh for an order directing the domain registration firm Verisign to hand the ToKnowAll[.]com address over to the FBI, in order to “further the investigation, disrupt the ongoing criminal activity involving the establishment and use of the botnet, and assist in the remediation efforts,” according to court records. Lenihan agreed, and on Wednesday the bureau took control of the domain.
The move effectively kills the malware’s ability to reactivate following a reboot, said Vikram Thakur, technical director at Symantec, who confirmed to the Daily Beast that the domain was taken over by law enforcement on Wednesday, but didn’t name the FBI. “The payload itself is non-persistent and will not survive if the router is restarted,” Thakur added. “That payload will vanish.”
In other words, average consumers have the ability to stop Russia’s latest cyber attack by rebooting their routers, which will now reach out to the FBI instead of Russian intelligence. According to the court filings, the FBI is collecting the Internet IP addresses of every compromised router that phones home to the address, so agents can use the information to clean up the global infection.
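The same victim-identification logic the court filings describe (collect the source IPs of every device that phones home to the sinkholed fallback domain) can be run by a network operator over its own resolver logs. As an added example, not part of the article, the following script assumes a simple "timestamp client_ip query qname" log format and uses constructed sample lines; it counts lookups of the fallback domain per client while ignoring look-alike names:

```python
import ipaddress
import re
from collections import Counter

# Fallback C2 domain exactly as the article defangs it; refanged for matching.
DEFANGED_C2 = "ToKnowAll[.]com"
C2_DOMAIN = DEFANGED_C2.replace("[.]", ".").lower()

# Constructed sample resolver log (not real data). Assumed line format:
# "<timestamp> <client_ip> query <qname>"
SAMPLE_LOG = """\
2018-05-24T03:12:07Z 203.0.113.17 query toknowall.com
2018-05-24T03:12:09Z 203.0.113.17 query toknowall.com
2018-05-24T03:13:40Z 198.51.100.8 query www.example.com
2018-05-24T03:14:02Z 198.51.100.8 query TOKNOWALL.COM.
2018-05-24T03:15:55Z 192.0.2.44 query cdn.toknowall.com
2018-05-24T03:16:10Z 192.0.2.99 query nottoknowall.com
garbage line that should be ignored
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)$")


def is_c2_query(qname: str) -> bool:
    """True if qname is the fallback domain itself or a subdomain of it.
    Normalises case and a trailing root dot; a mere suffix match such as
    'nottoknowall.com' is deliberately not counted."""
    name = qname.lower().rstrip(".")
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)


def find_callbacks(log_text: str) -> Counter:
    """Count, per client IP, DNS lookups of the sinkholed fallback domain.
    Lines that do not parse or carry an invalid IP are skipped."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, qname = m.groups()
        try:
            ipaddress.ip_address(client)
        except ValueError:
            continue
        if is_c2_query(qname):
            hits[client] += 1
    return hits


def suspected_victims(log_text: str) -> list:
    """Sorted list of client IPs that queried the fallback domain at all."""
    return sorted(find_callbacks(log_text))
```

Because the stage-one code only reaches the fallback address after a reboot when the Photobucket images are gone, a query to this name from a customer address is a strong sign of a router that is still infected and should be handed to that subscriber's ISP for cleanup.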
“One of the things they can do is keep track of who is currently infected and who is the victim now and pass that information to the local ISPs,” said Thakur. “Some of the ISPs have the ability to remotely restart the router. The others might even send out letters to the home users urging them to restart their devices.”
The court order only lets the FBI monitor metadata like the victim’s IP address, not content. As a technical matter, Thakur said there’s no danger of the malware sending the FBI a victim’s browser history or other sensitive data. “The threat capability is purely to ask for additional payloads,” he said. “There is no data that is leaked from these routers to the domain that is now controlled by an agency.”
Who is Stefan A. Halper, the FBI source who assisted the Russia investigation?
by Robert Costa, Carol D. Leonnig and Shane Harris May 21
Stefan A. Halper, the FBI source who assisted the Russia investigation and is at the center of a standoff between congressional Republicans and the Justice Department, is a well-connected veteran of past GOP administrations who convened senior intelligence officials for seminars at the University of Cambridge in England.
At some point that year, he began working as a secret informant for the FBI as it investigated Russia’s interference in the campaign, according to multiple people familiar with his activities.
Stefan A. Halper taught at the University of Cambridge in England from 2001 to 2015. (bdsklo/iStockphoto)
In recent days, Trump has seized on the reports about Halper’s role in the Russia probe, suggesting in tweets that the FBI improperly spied on his campaign. There is no evidence to suggest Halper was inserted into the Trump campaign, but he did engage in a pattern of seeking out and meeting three Trump advisers.
Halper’s connections to the intelligence world have been present throughout his career and at Cambridge, where he ran an intelligence seminar that brought together past and present intelligence officials.
In 2014, Halper, along with Richard Dearlove, the former head of Britain’s foreign intelligence service, sponsored a session of the seminar that drew Michael Flynn, then director of the Defense Intelligence Agency, who would go on to serve as Trump’s first national security adviser.
Halper taught international affairs and American studies at Cambridge from 2001 until 2015, when he stepped down with the honorary title of emeritus senior fellow of the Centre of International Studies, according to a spokesman for the university.
Since 2012, Halper has had contracts with the Defense Department, working for a Pentagon think tank called the Office of Net Assessment. According to federal records, ONA has paid Halper more than $1 million for research and development in the social sciences and humanities.
The funds did not go solely to Halper, who hired other academics and experts to conduct research and prepare reports, according to U.S. government officials.
“He thinks well. He writes critically. And he knows a lot of people whose insights he can tap for us as well,” one U.S. government official said.
Halper’s first wife was the daughter of the prominent former CIA analyst Ray S. Cline, who worked alongside President John F. Kennedy during the Cuban missile crisis in 1962 and mentored Halper, introducing him to associates in the intelligence and political worlds, according to numerous people familiar with their relationship.
After earning his doctorate from the University of Oxford in 1971, Halper quickly ascended, serving on the White House domestic policy council for President Richard M. Nixon and then in the Office of Management and Budget before being tapped as an assistant to President Gerald Ford’s chief of staff. According to a document from Ford’s presidential library, part of Halper’s job was assessing domestic political candidates, such as Jimmy Carter, for high-ranking staffers in the West Wing.
Halper later worked for Sen. William Roth (R-Del.) before joining the George H.W. Bush campaign in 1980 as national policy development director and then working for the Reagan-Bush campaign as national director of policy coordination. In the Reagan administration, he served as deputy assistant secretary of state for politico-military affairs, according to his biography.
After the 1980 race, Halper was caught up in a scandal concerning alleged political spying. Aides to Reagan, including Halper, were accused of having spied on Carter’s campaign and obtaining private documents that Carter was using to prepare for a debate. Some Reagan White House officials later alleged that Halper had used former CIA agents to run an operation against Carter. Halper called the reports at the time “absolutely false” and has long denied the accusations.
Between 2000 and 2001, Halper contributed more than $85,000 to George W. Bush’s first presidential bid and the Republican National Committee, according to campaign finance records. Most friends describe him as a moderate Republican who is hawkish on China and deeply committed to U.S. institutions, having worked for years inside and around the federal government.
Late in his career, Halper emerged as a vocal critic of President George W. Bush’s interventionist foreign policy. During classes at Cambridge, he often raised questions about Bush’s decisions and embraced a traditional Republican approach to foreign policy that emphasized long-standing Western alliances and limited foreign intervention, as witnessed by a Post reporter who studied under Halper in 2009. A book he co-wrote with Jonathan Clarke, “America Alone: The Neo-Conservatives and the Global Order,” was critical of the Bush administration’s approach to the Iraq War.
“Stef” — as Halper is called by people who know him — was also widely known at Cambridge as a gregarious gatherer of students and academics at his apartment in the city, along with his wife. He frequently hosted dinners with visiting students and scholars from around the world where — over wine and cheese from the local market — he would share colorful stories about his work for American presidents and the U.S. government and stir debates about the issues of the day.
Devlin Barrett, Tom Hamburger, Ellen Nakashima and Matt Zapotosky contributed to this report.