Skip to content

S1010 VPNFilter

VPNFilter is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations. VPNFilter modules such as its packet sniffer (‘ps’) can collect traffic that passes through an infected device, allowing the theft of website credentials and monitoring of Modbus SCADA protocols. 2 1

Item Value
ID S1010
Associated Names
Version 1.0
Created 26 March 2019
Last Modified 12 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
ics T0830 Adversary-in-the-Middle The VPNFilter‘s ssler module configures the device’s iptables to redirect all traffic destined for port 80 to its local service listening on port 8888. Any outgoing web requests on port 80 are now intercepted by ssler and can be inspected by the ps module and manipulated before being sent to the legitimate HTTP service. 2 1
ics T0842 Network Sniffing The VPNFilter packet sniffer looks for basic authentication as well as monitors ICS traffic, and is specific to the TP-LINK R600-VPN. The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger. Packets that are not on port 502, are scanned for BasicAuth, and that information is logged. This may have allowed credential harvesting from communications between devices accessing a modbus-enabled HMI. 2 1