Just last month, the U.S. and U.K. governments officially blamed Russia for a large-scale attack on home and office routers. On Wednesday, cybersecurity researchers from Cisco Talos revealed their research into what they believe to be Russian-led attacks that hit 500,000 routers, the majority of which were in Ukraine. The hackers, believed to be the same group that hacked the Democratic National Committee (DNC) in 2016, currently have the power to simultaneously kill the devices and take down the internet for vast numbers of people as a result, the researchers warned.
The hackers installed malware known as VPNFilter on all of those routers, which came from a range of vendors, including Linksys, MikroTik, Netgear and TP-Link, and had publicly known vulnerabilities. Victims were spread across a total of 54 countries, but most of the targets were based in Ukraine, where devices were being hacked at an alarming rate, Cisco Talos wrote in its report. VPNFilter also shares code with another Russia-linked spy tool, BlackEnergy, which was previously used to attack Ukrainian power providers.
The attacks go back to at least 2016 but, as with the DHS and U.K. National Cyber Security Centre (NCSC) warning in April, it appears the attackers are planning something significant further down the line. (The NCSC told Forbes it couldn't confirm whether there was any overlap between its research into Russian activity and Cisco's findings.)
It's possible the infiltrators want to take a large number of users offline using a kind of kill switch. The malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential to cut off internet access for hundreds of thousands of victims worldwide, Cisco's researchers wrote.
Outside of the possibility it will be used in a widespread destructive attack, the malware can also snoop on traffic that passes through the infected router to steal data such as website login details. Going deeper, VPNFilter also monitors software used in critical infrastructure environments. And the attackers have set up their own encrypted communications using the Tor Network.
Martin Lee, technical lead for security research at Cisco Talos, wouldn't attribute the attacks to a specific country, but did link them to the hacker crew known as APT28, which the U.S. has linked to Russia and blamed for the DNC hack of 2016, leading up to that year’s election.
Lee was particularly concerned about the potential for attacks on critical infrastructure too. "What is also worrying, is that this malware has a module which targets MODBUS, a protocol used to operate industrial control systems which may be found in power stations or railway track point controls," he told Forbes.
"There are also similarities between this malware and the BlackEnergy attacks which previously affected electricity supply in Ukraine; it is vital that organisations which protect industrial systems, such as the water and electricity supply, take the necessary steps to protect against attacks such as these."
Imminent attack possible
Cisco said it was issuing a warning as it was concerned an attack on Ukraine was imminent. The company's researchers saw a sudden uptick in VPNFilter infections in the country starting May 8. According to Reuters, Ukraine’s SBU state security service believes Russia is planning an attack ahead of the Champions League final in Kiev, taking place this weekend.
Cisco's researchers don't believe the devices are going to be cleaned any time soon. Defending against this threat is extremely difficult due to the nature of the affected devices, the report continued. The majority of them are connected directly to the internet, with no security devices or services between them and potential attackers. This challenge is compounded by the fact that most of the affected devices have publicly known vulnerabilities which are not convenient for the average user to patch.
The news comes at a time of great fear about Russia’s online espionage capabilities. This April, in his first speech as GCHQ director, Jeremy Fleming called out unacceptable online behavior from the Kremlin.
Russia, meanwhile, has openly lambasted claims about its activity online, strongly denying the allegations made by the U.S. and U.K. authorities in April.
An NCSC spokesperson said of the Cisco findings: "This research is a timely reminder for organisations and home users to get the basics right to help protect their systems against cyber threats."
"We actively encourage everyone to follow their manufacturer’s advice and ensure they are installing patches and using up-to-date antivirus software."