Cisco warns 500,000 routers have been hacked in suspected Russian plan to attack Ukraine

Security researchers from Cisco’s cyber intelligence unit Talos have warned that Russian hackers have infected over 500,000 routers with a sophisticated malware and have plans to launch a cyber attack on Ukraine.

According to the researchers, Russian hackers have used a sophisticated malware called “VPNFilter” to infect over 500,000 routers and network devices in at least 54 countries. The malware can be used for spying, “intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities.”

The company’s cyber intelligence unit said it has “high confidence” the Russian government is behind the software “VPN Filter,” as the latest hack shares some of the code used in previous Russian cyberattacks.

“The code of this malware overlaps with versions of the BlackEnergy malware—which was responsible for multiple large-scale attacks that targeted devices in Ukraine,” the unit said in a blog post. “While this isn’t definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country.”

Over the last several months, researchers have been investigating into VPNFilter, which included both law enforcement and private-sector intelligence partners. “We have not completed our research, but recent events have convinced us that the correct way forward is to now share our findings so that affected parties can take the appropriate action to defend themselves,” researchers wrote in a Wednesday post.

The malware can stop internet access for all devices connected to the affected router. It can be used to launch attacks, remotely monitor web activity, and download other malware. It also has destructive capabilities that allows an attacker to either infect a device or render it unusable. Besides these, the malware also contains an auto-destruct feature that hackers can remotely activate to delete the malware.

“[This] can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide,” the report stated.



With the help of the malware, hackers can monitor industrial networks and control systems, steal their login credentials, and seize control of industrial processes.

“We assess with high confidence that this malware is used to create an expansive, hard-to-attribute infrastructure that can be used to serve multiple operational needs of the threat actor,” Cisco researcher William Largent wrote. “Since the affected devices are legitimately owned by businesses or individuals, malicious activity conducted from infected devices could be mistakenly attributed to those who were actually victims of the actor. The capabilities built into the various stages and plugins of the malware are extremely versatile and would enable the actor to take advantage of devices in multiple ways.”

“Sniffers included with VPNFilter collect login credentials and possibly supervisory control and data acquisition traffic. The malware also makes it possible for the attackers to obfuscate themselves by using the devices as nondescript points for connecting to final targets. The researchers also said they uncovered evidence that at least some of the malware includes a command to permanently disable the device, a capability that would allow the attackers to disable Internet access for hundreds of thousands of people worldwide or in a focused region, depending on a particular objective.

“In< most cases, this action is unrecoverable by most victims, requiring technical capabilities, know-how, or tools that no consumer should be expected to have,” Cisco’s report stated. “We are deeply concerned about this capability, and it is one of the driving reasons we have been quietly researching this threat over the past few months.”

Routers that have been affected by the malware are from Linksys, MikroTik, Netgear, and TP-Link that are mostly used in home offices. Cisco Talos warns that it is not going to be easy to prevent future infections.

“Defending against this threat is extremely difficult due to the nature of the affected devices,” it said. “The majority of them are connected directly to the Internet, with no security devices or services between them and the potential attackers. This challenge is augmented by the fact that most of the affected devices have publicly known vulnerabilities which are not convenient for the average user to patch. Additionally, most have no built-in anti-malware capabilities. These three facts together make this threat extremely hard to counter, resulting in extremely limited opportunities to interdict malware, remove vulnerabilities, or block threats.”

Users are recommended to factory reset their routers and update their devices.