Update: The FBI has told a judge it wants to seize the domain name it believes is linked to this attack. See the FBI affidavit for yourself.
Malware that can take internet routers out one at a time, or thousands at the same time.
That's what US-CERT issued an alert about on May 23, 2018. The malware is being called VPNFilter.
"VPNFilter has a destructive capability that can make the affected device unusable. Because the malware can be triggered to affect devices individually or multiple devices at once, VPNFilter has the potential to cut off internet access for hundreds of thousands of users."
In addition to making routers unusable, US-CERT says the malware can also collect network traffic.
Devices known to be affected by VPNFilter include Linksys, MikroTik, NETGEAR, and TP-Link networking equipment, as well as QNAP network-attached storage (NAS) devices, according to US-CERT.
Cisco Talos has been working with the U.S. government to track VPNFilter, which it describes as a sophisticated modular malware.
"Both the scale and the capability of this operation are concerning. Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries," say Cisco Talos researchers.
"We assess with high confidence that this malware is used to create an expansive, hard-to-attribute infrastructure that can be used to serve multiple operational needs of the threat actor. Since the affected devices are legitimately owned by businesses or individuals, malicious activity conducted from infected devices could be mistakenly attributed to those who were actually victims of the actor."
Researchers say this is most likely a nation-state or nation-state-linked actor that delivers the attack in stages.
For now, here is what we know for sure:
"Our analysis has shown that this is a global, broadly deployed threat that is actively seeking to increase its footprint."
That kind of news makes this a good time to check out the Cisco Talos blog for technical details and mitigation steps.