VPNFilter botnet targets network routers in Ukraine

Half a million routers infected with VPNFilter malware: Ukraine is the main target

The United States government reported about VPNFilter malware found in 500,000 routers in 54 countries.^[1] However, the main target was Ukraine. The U.S. Justice Department suspect that behind this cyber attack stands Russian hacking group APT28 that is known for several massive attacks in Europe.^[2]

Researchers tell that the attack might be organized or affiliated by Russian authorities. It is assumed that attackers are planning to strike during Champions League soccer final which is held in Kiev this Saturday. Another version suggests that attackers might be preparing to disrupt Ukraine’s Constitution Day celebration.^[3]

However, Kremlin hasn’t commented on the issue yet. Meanwhile, security specialists are actively monitoring Ukraine’s cyber space in order to avoid another country-level disaster. Users are also suggested to reset and update their network users to make sure that attackers are not spying on their online activities.

VPNFilter malware can be used for destructive cyber attacks

Security experts warn that VPNFilter malware is very destructive. The fact that malware affects routers makes it clear that it can leave victims without the Internet connection. However, losing access to the World Wide Web is nothing compared to other capabilities.

VPNFilter can make affected machines unusable. It can be done either on one machine or a group of devices at once. The attack scenario might differ because attackers can control malware via Tor network and execute whatever commands they want. Additionally, it can steal website credentials or monitor network communication via Modbus SCADA protocols. This activity might lead to terrible privacy-related issues.

“The destructive capability <…> shows that the actor is willing to burn users' devices to cover up their tracks, going much further than simply removing traces of the malware. If it suited their goals, this command could be executed on a broad scale, potentially rendering hundreds of thousands of devices unusable, disabling internet access for hundreds of thousands of victims worldwide or in a focused region where it suited the actor's purposes.”[Source: Cisco Talos]

Malware targeted Linksys, MikroTik, NETGEAR and TP-Link routers. Home and small network users are suggested to take precautions. Specialists recommend performing a factory reset and install all available security updates for the router.

Previous cyber attacks on Ukraine

The conflict in cyberspace between Russia and Ukraine is going on for a couple of years since Russia annexed Crimea in 2014. Nevertheless, Kremlin does not take responsibility for state-controlled cyber attacks; security specialists all over the world are pretty sure that it’s a part of Russia’s actions against Ukraine.

One of the first biggest cyber attacks were held in 2016 when malware hit Ukraine’s power grid and power distribution centers. Not only hundreds of thousands of people were left in the dark, but also backup power supplies in the distribution centers were disabled too.^[4]

However, last year, the country suffered by three massive ransomware attacks that disrupted country’s daily life. WannaCry,^[5] Petya/NotPetya, and Bad Rabbit ransomware viruses attacked governments, organizations, banks, hospitals, infrastructure and various companies all over Europe, but Ukraine suffered the most.