Cisco’s cyber intelligence unit is warning that at least half a million routers and storage devices in 54 countries have been infected with a sophisticated malware program that it believes the Russian government plants to launch a cyber attack on Ukraine.
The company’s Talos unit said it has “high confidence” the Russian government is behind the software, which is called “VPN Filter,” since the latest hack shares some of the code used in previous Russian cyber attacks.
“The code of this malware overlaps with versions of the BlackEnergy malware—which was responsible for multiple large-scale attacks that targeted devices in Ukraine,” the unit said in a blog post. “While this isn’t definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country.”
Beyond the potential threat to the Ukraine and other states, Cisco Talos warns that the malware also includes a self-destruct feature, which can be used to delete not only the malicious code, but other software on infected devices, which could render them inoperable and prevent consumers who own those devices from accessing the Internet.
“In most cases, this action is unrecoverable by most victims, requiring technical capabilities, know-how, or tools that no consumer should be expected to have,” the company said. “We are deeply concerned about this capability, and it is one of the driving reasons we have been quietly researching this threat over the past few months.”
Affected devices could include Linksys, MikroTik, NETGEAR, and TP-Link networking equipment in the small and home office space. And Cisco Talos warns that preventing future infections isn’t going to be easy.
“Defending against this threat is extremely difficult due to the nature of the affected devices,” it said. “The majority of them are connected directly to the Internet, with no security devices or services between them and the potential attackers. This challenge is augmented by the fact that most of the affected devices have publicly known vulnerabilities which are not convenient for the average user to patch. Additionally, most have no built-in anti-malware capabilities. These three facts together make this threat extremely hard to counter, resulting in extremely limited opportunities to interdict malware, remove vulnerabilities, or block threats.”