The FBI says it is taking steps to stop the spread of the VPNFilter malware and botnet, warning that it's a national security issue.

The bureau's offensive includes seizing a domain believed to have been used as part of the command and control structure for VPNFilter's 500,000-strong network of infected routers and storage devices.

The FBI also made some interesting revelations about the botnet, including confirming that it was being run by the Russian "Sofacy" or "Fancy Bear" group that has previously carried out international hacking campaigns against the US and other countries on behalf of the Russian government.

Just hours before the FBI announced it had seized the command and control domain, researchers with Cisco's Talos security team publicly announced the discovery of the worm they had described as a "concerning" attack that had already spread to more than half a million devices in 54 countries around the world.

The government echoed that concern in its announcement, acknowledging that VPNFilter is already considered to be a national security concern for the US.

"The Department of Justice is committed to disrupting, not just watching, national security cyber threats using every tool at our disposal, and today’s effort is another example of our commitment to do that,” said assistant US Attorney General for national security John Demers.

"This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities."

The FBI also revealed that removing the malware may be more difficult than previously believed. While officials are still advising users and admins to reset their home and small office (SOHO) routers, the Feds say doing so will only remove the second portion of the malware, while the first layer of the infection will stay intact.

Removing that second layer will, however, force the device to try and reconnect to the command and control servers. The hope, says the FBI, is that by trying to reconnect the devices will give away the location of those servers, allowing for further takedowns and potentially letting them cripple the botnet entirely. ®