Initially, all I could observe of the QuantumFilament group’s activities was the scanning for and hacking of Linksys and Asus routers. I wondered if the scanning was due to a worm, a program that spreads automatically without human intervention. The scanning and method of infection reminded me of the SQL Slammer worm of 2003.
But careful observation shows that QuantumFilament's cyber operations are not just about scanning and infecting routers, and that the activity is not accidental. There are human hands and human minds behind it.
- Purpose. The group of hacked routers is used to do other things. A discussion of these “other things” is saved for a later chapter.
- Long-term operation. The software programs run on the routers have internal version numbers and update mechanisms. The QF cyber operators built technical mechanisms in the code to check for and track different versions of the same program, and to report these version numbers to the command-and-control servers.
- Adapts to setbacks. The QF cyber operators reacted to the takedown of their server by switching to different servers, more than once.
- Redundant communication. The .nttpd loader binary version 14 was programmed to communicate to five different command-and-control servers. The QF group only needed one of the five servers to be accessible in order to fully control their hacked routers.
At minimum, the QF operation has “users” that make use of the anonymity and resources provided by the hacked routers; software developers that write and modify the binary programs run on the routers; and operators to maintain the servers and other hacking infrastructure.