Russia has been blamed for malware that, according to Cisco Talos, has compromised at least half-a-million Linksys, MikroTik, Netgear and TP-Link routers and network-attached storage devices. The malware has been linked with attacks on Ukraine.
In an advisory, Talos said it has been working for a number of months with public- and private-sector threat intelligence partners, as well as law enforcement, to research the advanced malware system that it has labelled VPNFilter.
“The code of this malware overlaps with versions of the BlackEnergy malware, which was responsible for multiple large-scale attacks that targeted devices in Ukraine,” said the security research team.
“While this isn’t definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilising a command and control (C2) infrastructure dedicated to that country.”
On 8 May, and again on 17 May, the Talos researchers saw a sharp spike in VPNFilter infection activity, with most of the new victims located in Ukraine.
“By this point, we were aware of the code overlap between BlackEnergy and VPNFilter, that Ukraine’s Constitution Day was approaching in June, and that the timing of previous attacks in Ukraine suggested that an attack could be imminent,” they added.
The malware also has features that target industrial control systems, including a module that monitors traffic using Modbus, a SCADA protocol first published in 1979 and still widely used to control automated industrial equipment and some internet-of-things devices. Modbus was designed with no authentication or encryption, so any device sitting on the network path, such as a compromised router, can read the commands passing between controllers and field devices.
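Why a compromised router is well placed to watch Modbus: the Modbus/TCP application layer is plaintext with a fixed seven-byte MBAP header (transaction ID, protocol ID, length, unit ID) followed by a function code and its data, so a passive observer can decode every read and write without any key material. The dissector below is an added example written for this article, not Talos's analysis code and not anything from VPNFilter itself; the IP addresses, ports and packet bytes are constructed for illustration.

```python
"""Minimal passive Modbus/TCP dissector (added example, constructed sample traffic)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MODBUS_TCP_PORT = 502  # IANA-registered port for Modbus/TCP

FUNCTION_NAMES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
# Function codes that change process state; these are what a defender cares about most.
WRITE_FUNCTIONS = {5, 6, 15, 16}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int   # exception bit (0x80) stripped
    is_exception: bool   # set when the responder reported an error
    data: bytes          # PDU bytes after the function code


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusFrame]:
    """Parse one Modbus/TCP frame: MBAP header + PDU. Returns None if malformed."""
    if len(payload) < 8:
        return None
    tid, proto, length, uid = struct.unpack(">HHHB", payload[:7])
    if proto != 0:                        # protocol identifier is always 0 for Modbus
        return None
    if length < 2 or len(payload) != 6 + length:   # length counts unit id + PDU
        return None
    fc = payload[7]
    return ModbusFrame(tid, uid, fc & 0x7F, bool(fc & 0x80), payload[8:])


def describe(frame: ModbusFrame) -> str:
    """Human-readable summary of a parsed frame."""
    name = FUNCTION_NAMES.get(frame.function_code, f"fc {frame.function_code}")
    if frame.is_exception:
        code = frame.data[0] if frame.data else None
        return f"unit {frame.unit_id}: EXCEPTION to {name} (code {code})"
    if frame.function_code in (1, 2, 3, 4) and len(frame.data) == 4:
        addr, qty = struct.unpack(">HH", frame.data)       # read request: start, count
        return f"unit {frame.unit_id}: {name} addr={addr} qty={qty}"
    if frame.function_code in (5, 6) and len(frame.data) == 4:
        addr, val = struct.unpack(">HH", frame.data)       # single write: address, value
        return f"unit {frame.unit_id}: {name} addr={addr} value=0x{val:04x}"
    return f"unit {frame.unit_id}: {name} data={frame.data.hex()}"


def find_writes(packets: List[Tuple[str, int, bytes]]) -> List[str]:
    """Return summaries of every write request sent to the Modbus port.

    packets are (source_ip, destination_port, tcp_payload) tuples as a sniffer
    on the router would see them; non-Modbus and malformed payloads are skipped.
    """
    alerts = []
    for src, dst_port, payload in packets:
        if dst_port != MODBUS_TCP_PORT:
            continue
        frame = parse_modbus_tcp(payload)
        if frame is None or frame.is_exception:
            continue
        if frame.function_code in WRITE_FUNCTIONS:
            alerts.append(f"{src} -> {describe(frame)}")
    return alerts


# Constructed sample capture (not real traffic): hex is MBAP header + PDU.
SAMPLE_PACKETS = [
    # tid=1 proto=0 len=6 unit=1 fc=3 start=0 qty=10  -> read 10 holding registers
    ("10.0.0.5", 502, bytes.fromhex("00010000000601030000000a")),
    # tid=2 proto=0 len=6 unit=1 fc=6 addr=16 value=0x1234 -> write single register
    ("10.0.0.5", 502, bytes.fromhex("000200000006010600101234")),
    # tid=3 proto=0 len=6 unit=1 fc=5 addr=3 value=0xff00 -> write single coil ON
    ("10.0.0.5", 502, bytes.fromhex("00030000000601050003ff00")),
    # response from the PLC: exception to fc 6, code 2 (illegal data address)
    ("10.0.0.20", 49152, bytes.fromhex("000200000003018602")),
    # unrelated web traffic on another port
    ("10.0.0.5", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for line in find_writes(SAMPLE_PACKETS):
        print(line)
```

The parser handles exactly one frame per TCP payload; real captures need TCP reassembly and may carry several frames per segment, so feed it reassembled streams in practice. The point it demonstrates is the one that matters for this malware: once traffic reaches a hostile router, reading register addresses and written values out of Modbus is a few dozen lines of code, and nothing in the protocol stops the same vantage point from injecting writes.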
One of the Talos researchers, Craig Williams, told Reuters he was confident that the Russian government is behind the campaign, because the malware shares code with malware used in previous cyber attacks that the US government has attributed to Moscow.
“Security Service experts believe the infection of hardware on the territory of Ukraine is preparation for another act of cyber-aggression by the Russian Federation aimed at destabilising the situation during the Champions League final,” reads a statement from Ukraine’s Security Service. The final is taking place this weekend in Kiev.
Williams added: “With a network like this you could do anything.”
Other major security companies are also warning that the malware should be taken very seriously. The devices infected with VPNFilter are scattered across at least 54 countries, with routers from some of the biggest names in networking affected.