Cisco warns 500,000 routers have been hacked in suspected Russian plan to attack Ukraine
Security researchers from Cisco's cyber intelligence unit Talos have warned that Russian hackers have infected over 500,000 routers with sophisticated malware and appear to be preparing a cyber attack on Ukraine.
According to the researchers, the hackers used malware called "VPNFilter" to infect over 500,000 routers and network devices in at least 54 countries. The malware can be used for spying, "intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities."
The company's cyber intelligence unit said it has "high confidence" that the Russian government is behind VPNFilter, as the malware shares some code with previous Russian cyberattacks.
"The code of this malware overlaps with versions of the BlackEnergy malware, which was responsible for multiple large-scale attacks that targeted devices in Ukraine," the unit said in a blog post. "While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country."
Over the last several months, researchers have been investigating VPNFilter together with law enforcement and private-sector intelligence partners. "We have not completed our research, but recent events have convinced us that the correct way forward is to now share our findings so that affected parties can take the appropriate action to defend themselves," researchers wrote in a Wednesday post.
The malware can cut off internet access for every device connected to an infected router. It can be used to launch attacks, remotely monitor web activity, and download additional malware. It also has a destructive capability that lets an attacker render a device unusable. In addition, the malware contains a self-destruct command that the attackers can trigger remotely; rather than simply removing the malware, it leaves the device inoperable.
"[This] can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide," the report stated.
Using the malware, the attackers can monitor traffic to industrial networks and control systems, steal login credentials from that traffic, and potentially interfere with industrial processes.
"We assess with high confidence that this malware is used to create an expansive, hard-to-attribute infrastructure that can be used to serve multiple operational needs of the threat actor," Cisco researcher William Largent wrote. "Since the affected devices are legitimately owned by businesses or individuals, malicious activity conducted from infected devices could be mistakenly attributed to those who were actually victims of the actor. The capabilities built into the various stages and plugins of the malware are extremely versatile and would enable the actor to take advantage of devices in multiple ways."
"Sniffers included with VPNFilter collect login credentials and possibly supervisory control and data acquisition traffic." The malware also lets the attackers hide their origin by using the infected devices as unremarkable hop points from which to reach their final targets. The researchers also said they uncovered evidence that at least some of the malware includes a command to permanently disable the device, a capability that would allow the attackers to cut off Internet access for hundreds of thousands of people worldwide or in a focused region, depending on the objective.
"In most cases, this action is unrecoverable by most victims, requiring technical capabilities, know-how, or tools that no consumer should be expected to have," Cisco's report stated. "We are deeply concerned about this capability, and it is one of the driving reasons we have been quietly researching this threat over the past few months."
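To make the sniffer capability described above concrete, here is an added example written for this page; it is not code from the article or from Talos, and it is not VPNFilter's own sniffer plugin. It is a small passive-capture parser run over hand-constructed Ethernet/IPv4/TCP frames, showing what a sniffer on a compromised gateway sees when a LAN host logs into a device over plain HTTP with Basic authentication or sends a Modbus/TCP write to a PLC, and that a TLS session on port 443 yields nothing. The frame builder, the IP addresses, the `admin:hunter2` credential and the Modbus request are all constructed for the example.

```python
"""Added example (not from the article or from Talos): what a passive sniffer on a
compromised router can harvest from plaintext LAN traffic. All frames, addresses
and credentials below are constructed for the example."""
import base64
import struct
from dataclasses import dataclass

MODBUS_FUNCTIONS = {1: "Read Coils", 3: "Read Holding Registers",
                    5: "Write Single Coil", 6: "Write Single Register"}


@dataclass
class Finding:
    kind: str     # "http-basic-auth" or "modbus"
    src: str
    dst: str
    detail: str


def build_frame(src_ip, dst_ip, src_port, dst_port, payload):
    """Minimal Ethernet/IPv4/TCP frame (checksums left zero; enough for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # MACs + EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return (src_ip, dst_ip, src_port, dst_port, tcp_payload) or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src_ip = ".".join(str(b) for b in frame[26:30])
    dst_ip = ".".join(str(b) for b in frame[30:34])
    tcp = 14 + ihl
    src_port, dst_port = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4
    return src_ip, dst_ip, src_port, dst_port, frame[tcp + data_off:14 + total_len]


def extract_basic_auth(payload):
    """Decode an HTTP 'Authorization: Basic' header; the credential is base64, not encrypted."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            try:
                return base64.b64decode(line.split(b" ", 2)[2].strip(), validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def parse_modbus(payload):
    """Parse a Modbus/TCP request: 7-byte MBAP header (tid, pid, length, unit) then the PDU."""
    if len(payload) < 8:
        return None
    tid, pid, length, unit = struct.unpack("!HHHB", payload[:7])
    if pid != 0 or length != len(payload) - 6:   # pid must be 0; length covers unit id + PDU
        return None
    func = payload[7]
    detail = MODBUS_FUNCTIONS.get(func, f"function 0x{func:02x}")
    if func in MODBUS_FUNCTIONS and len(payload) >= 12:
        addr, value = struct.unpack("!HH", payload[8:12])
        detail += f" addr={addr} value/qty={value}"
    return unit, detail


def sniff(frames):
    """Walk captured frames and record what a sniffer on the gateway could harvest."""
    findings = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, payload = parsed
        if dport == 80:
            creds = extract_basic_auth(payload)
            if creds:
                findings.append(Finding("http-basic-auth", src, dst, creds))
        elif dport == 502:
            mb = parse_modbus(payload)
            if mb:
                findings.append(Finding("modbus", src, dst, f"unit {mb[0]}: {mb[1]}"))
        # anything else (e.g. TLS on 443) is opaque to a passive sniffer
    return findings


# Constructed sample traffic: a router admin login over plain HTTP, a Modbus write
# to a PLC, and a TLS record fragment that the sniffer cannot read.
HTTP_LOGIN = (b"GET /cgi-bin/status HTTP/1.1\r\nHost: 192.168.1.1\r\n"
              b"Authorization: Basic " + base64.b64encode(b"admin:hunter2") + b"\r\n\r\n")
MODBUS_WRITE = struct.pack("!HHHBBHH", 1, 0, 6, 1, 6, 0x0010, 0x1234)  # Write Single Register
SAMPLE_FRAMES = [
    build_frame("192.168.1.50", "192.168.1.1", 52000, 80, HTTP_LOGIN),
    build_frame("192.168.1.50", "10.0.0.20", 52001, 502, MODBUS_WRITE),
    build_frame("192.168.1.50", "203.0.113.7", 52002, 443, b"\x16\x03\x01\x00\x10"),
]

if __name__ == "__main__":
    for f in sniff(SAMPLE_FRAMES):
        print(f"{f.kind:16} {f.src} -> {f.dst}: {f.detail}")
```

The defensive reading is the point: a router that is itself hostile sits on every path out of the LAN, so the only traffic it cannot harvest is traffic that is encrypted end to end. Device administration over HTTP and unauthenticated industrial protocols such as Modbus/TCP are exactly what the sniffer plugin described above is built to collect.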
The affected devices are routers from Linksys, MikroTik, Netgear, and TP-Link, mostly models used in small and home offices. Cisco Talos warns that preventing future infections will not be easy.
"Defending against this threat is extremely difficult due to the nature of the affected devices," it said. "The majority of them are connected directly to the Internet, with no security devices or services between them and the potential attackers. This challenge is augmented by the fact that most of the affected devices have publicly known vulnerabilities which are not convenient for the average user to patch. Additionally, most have no built-in anti-malware capabilities. These three facts together make this threat extremely hard to counter, resulting in extremely limited opportunities to interdict malware, remove vulnerabilities, or block threats."
Users are advised to factory-reset their routers and update them to the latest firmware available from the vendor.