Russia hacks 500,000 routers in attempt to attack Ukraine

Cisco's Talos cyberintelligence unit warned that it has a high level of confidence the Russian government has hacked at least 500,000 routers and storage devices in an attempt to cause another enormous cyberattack on Ukraine.

Cisco, which makes switches, routers and a host of other tech equipment, said the campaign, known as VPNFilter, is similar to other attacks the U.S. government has associated with the Russian government, giving them confidence that Moscow is behind this latest attempt.

"In particular, the code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine," Talos said in a post on its website.


Talos continued: "While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country. Weighing these factors together, we felt it was best to publish our findings so far prior to completing our research."

Cisco researcher Craig Williams told Reuters: "With a network like this you could do anything."

"Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries," Talos added in the post. "The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices."

QNAP issued a statement concerning the claim that QNAP NAS is prone to malware infections due to VPNFilter, noting it has been aware of the issue for some time and has already addressed it.

"QNAP has been aware of the presence of VPNFilter since 2017 - and has addressed the issue with updates to the QTS operating system and the QNAP NAS Malware Remover application," QNAP said in the statement. "This solution has been in place since mid-2017. The QNAP Security Response Team continuously investigates all security threats and releases updates as necessary to safeguard QNAP NAS users from the impact of malware and attacks."

Reuters added that the U.S. government would try to wrestle control of the infected routers after a Pennsylvania federal judge gave the FBI permission to seize an internet domain linked to the Russian hacking group known as Sofacy.

“This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities,” Assistant Attorney General for National Security John Demers said in a statement obtained by Reuters.

An email to the Russian consulate was not immediately returned.

Follow Chris Ciaccia on Twitter @Chris_Ciaccia