Cisco warns about possible Russian cyber attack on Ukraine

Cisco Systems Inc (the United States) has warned that hackers have infected at least 500,000 routers and storage devices in at least 54 countries with highly sophisticated malicious software, possibly in preparation for another massive cyber attack on Ukraine, according to a report from Talos, the division that analyses cyber threats for Cisco.

Talos said that in particular, the code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine.

Cisco’s Talos cyber intelligence unit said it has high confidence that the Russian government is behind the campaign, dubbed VPNFilter. The hacking software shares code with malware used in previous cyber attacks that the U.S. government has attributed to Moscow.

“We have not completed our research, but recent events have convinced us that the correct way forward is to now share our findings so that affected parties can take the appropriate action to defend themselves. In particular, the code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine. While this isn’t definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country,” the Talos team said in the report.

Cisco said the malware could be used for espionage, to interfere with internet communications or launch destructive attacks on Ukraine.

The company said the malware includes a module that targets industrial networks such as those that operate the electric grid.

“Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries. The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices. No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues,” Talos said.

Lastly, the malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide, Talos said.