S1010: VPNFilter

VPNFilter is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations. VPNFilter modules such as its packet sniffer ('ps') can collect traffic that passes through an infected device, allowing the theft of website credentials and monitoring of Modbus SCADA protocols. [1] [2] VPNFilter was assessed to be replaced by Sandworm Team with Cyclops Blink starting in 2019.[3]

Domain: Enterprise | ID: S1010 | Type: Malware | Object version: 2.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

VPNFilter matters because it targets network devices and Linux-based environments that often sit at the edge of business operations but receive less monitoring than servers and endpoints. MITRE describes it as a multi-stage, modular malware platform capable of intelligence collection and destructive activity, including traffic collection through an infected device and monitoring of Modbus SCADA protocols. For leaders, the key issue is not only malware removal; it is whether routers, firewalls, gateways, and industrial network paths are governed, logged, recoverable, and included in incident response scope.

Executive priority

Treat this as a resilience and visibility question for network infrastructure. VPNFilter’s described capabilities connect credential theft, network monitoring, ICS/SCADA exposure, and disk-content wiping risk. Executives should ask whether network devices are inventoried, patched, backed up, monitored, and included in recovery exercises, and whether industrial or operational technology traffic such as Modbus is exposed to devices that lack strong telemetry. The relationship to Sandworm Team and the note that Cyclops Blink replaced VPNFilter should inform threat intelligence prioritization, but should not be interpreted as evidence of current compromise in any specific environment.

Technical view

SOC and IR teams should validate coverage around Network Devices and Linux platforms, especially devices that route or inspect traffic. Because ATT&CK provides no official detection text for this object, detection engineering should be based on the documented behavior and relationships: packet sniffing, adversary-in-the-middle potential in ICS contexts, traffic collection including website credentials, Modbus monitoring, and destructive disk content wiping. Teams should confirm whether network infrastructure logs, configuration state, firmware integrity, packet capture metadata, and ICS protocol monitoring are actually available during investigations.

Likely telemetry

  • Network device inventory, model, firmware, and configuration state
  • Authentication and administrative access logs for network devices
  • Network flow records for edge, routing, and segmentation points
  • Packet capture or metadata from network monitoring sensors where legally and operationally appropriate
  • ICS/OT protocol monitoring, especially Modbus visibility where present

Detection direction

  • Do not rely only on endpoint EDR; network devices may have limited host telemetry and may require configuration, firmware, flow, and network sensor evidence.
  • Baseline normal administrative access, device communications, and protocol behavior so unusual routing, sniffing, or interception activity can be reviewed.
  • Where Modbus or other ICS traffic exists, validate whether monitoring can distinguish expected operations from unexpected collection, interception, or modification patterns.
  • Tune detections with awareness that legitimate troubleshooting can involve packet capture or traffic inspection; require context such as unauthorized initiation, unusual persistence, unexpected destinations, or device role mismatch.
  • Map detections to the related behaviors supplied by ATT&CK: Network Sniffing, Adversary-in-the-Middle, and Disk Content Wipe.
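An added example, not Glexia's or MITRE's code, of the baseline-and-review approach described in the list above: a small Python check over constructed flow records that flags Modbus (TCP/502) initiated by a device whose inventoried role is not an HMI, and outbound flows from an edge router to destinations outside its baseline. The device roles, baseline sets, and flow records are all constructed for illustration and are not indicators from the page.

```python
"""Added example (not from the Glexia page or MITRE): a flow-record baseline
check in the spirit of the 'Detection direction' list. Device roles, the
baseline, and the sample flows below are constructed, not real data."""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport bytes_out")

# Constructed device inventory: role per management IP (assumption).
DEVICE_ROLES = {
    "10.0.0.1": "edge-router",
    "10.0.0.2": "core-switch",
    "10.10.0.5": "hmi",  # Modbus master, expected to poll PLCs
}
# Constructed baseline: roles allowed to initiate Modbus (TCP/502) and the
# destinations an edge router normally talks to (e.g. NTP, vendor update).
MODBUS_PORT = 502
ROLES_ALLOWED_MODBUS = {"hmi"}
BASELINE_DST = {"edge-router": {"10.0.0.250", "198.51.100.10"}}


def review_flows(flows, roles=DEVICE_ROLES, baseline=BASELINE_DST):
    """Return (reason, flow) findings for flows that break the baselines.

    Two checks that map to the bullets above:
    - role mismatch: a device that is not an HMI initiating Modbus traffic;
    - unexpected destination: an edge device opening an outbound flow to a
      host outside its baseline (review as possible collection/exfil path).
    Findings are leads for an analyst, not verdicts.
    """
    findings = []
    for f in flows:
        role = roles.get(f.src, "unknown")
        if f.dport == MODBUS_PORT and role not in ROLES_ALLOWED_MODBUS:
            findings.append(("modbus_from_unexpected_role:" + role, f))
        elif role in baseline and f.dst not in baseline[role]:
            findings.append(("edge_device_unexpected_destination", f))
    return findings


# Constructed sample flow records (documentation-range addresses, not IoCs).
SAMPLE_FLOWS = [
    Flow("10.10.0.5", "10.10.0.20", 502, 1200),   # HMI polling a PLC: expected
    Flow("10.0.0.1", "10.0.0.250", 123, 90),      # edge router to NTP: expected
    Flow("10.0.0.1", "10.10.0.20", 502, 800),     # edge router speaking Modbus
    Flow("10.0.0.1", "203.0.113.77", 443, 52000), # edge router to unknown host
]

if __name__ == "__main__":
    for reason, flow in review_flows(SAMPLE_FLOWS):
        print(reason, flow)
```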

Mitigation priorities

  • Maintain a complete inventory of network devices and Linux-based infrastructure, including ownership, firmware, exposure, and business criticality.
  • Prioritize secure administration: restricted management access, strong authentication, least privilege, and logging for configuration changes.
  • Keep network device firmware and software maintained according to vendor guidance and vulnerability management priorities.
  • Segment business, management, and ICS/OT networks so compromise of a routing or edge device has limited visibility into sensitive traffic.
  • Protect credentials that may traverse network paths; reduce cleartext protocols and monitor for exposure where feasible.

Analyst notes and limits

The supplied ATT&CK object identifies VPNFilter as a modular malware platform for intelligence collection and destructive operations, with relationships to Sandworm Team and techniques covering ICS adversary-in-the-middle, ICS network sniffing, and enterprise disk content wipe. The most useful defensive takeaway is to test whether the organization can see, secure, and recover the network infrastructure that malware like this would rely on.

MITRE did not provide an official detection section, tactics are not specified on the malware object, and no environment-specific indicators or active exploitation evidence are supplied here. Local device inventory, network architecture, OT protocol use, and logging capability are required to determine actual exposure or detection coverage.

Official MITRE ATT&CK definition

VPNFilter

VPNFilter is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations. VPNFilter modules such as its packet sniffer ('ps') can collect traffic that passes through an infected device, allowing the theft of website credentials and monitoring of Modbus SCADA protocols. [1] [2] VPNFilter was assessed to be replaced by Sandworm Team with Cyclops Blink starting in 2019.[3]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1561.001 | Disk Content Wipe (sub-technique) | VPNFilter has the capability to wipe a portion of an infected device's firmware. [Citation: VPNFilter Router]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0034: Sandworm Team

Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]

In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 2.1
Created:
Modified:
Raw hash: 583f036b0b9bcc47...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.1 | | Current bundle | 583f036b0b9b…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. William Largent. (2018, June 6). VPNFilter Update - VPNFilter exploits endpoints, targets new devices. Retrieved March 28, 2019.
  2. Carl Hurd. (2019, March 26). VPNFilter Deep Dive. Retrieved March 28, 2019.
  3. NCSC, CISA, FBI, NSA. (2022, February 23). New Sandworm malware Cyclops Blink replaces VPNFilter. Retrieved March 3, 2022.
  4. mitre-attack. S1010 (ATT&CK source object).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.