Hackers operating from an advanced nation have infected at least 500,000 routers and storage devices with a destructive piece of malware. Cisco has warned that it may be connected with Russia preparing a cyberattack on Ukraine. The malware, called VPNFilter, can be used to collect communications passing through the device, launch attacks on other targets, or self-destruct and brick the infected device, Cisco said.
“We assess with high confidence that this malware is used to create an expansive, hard-to-attribute infrastructure that can be used to serve multiple operational needs of the threat actor. Since the affected devices are legitimately owned by businesses or individuals, malicious activity conducted from infected devices could be mistakenly attributed to those who were actually victims of the actor. The capabilities built into the various stages and plugins of the malware are extremely versatile and would enable the actor to take advantage of devices in multiple ways,” Cisco researcher William Largent wrote on the company’s blog.
The malware has hit broadband and Wi-Fi routers from TP-Link, Linksys and Netgear, among others, in what appears to be an attempt to force the population offline. And while it has been detected in over 54 countries, the malware has been spreading at an “alarming rate” in Ukraine, Cisco’s Talos security group said in a blog post.
While Talos hasn’t completed its research, it looks like the attackers are seeking to expand their footprint. For instance, Talos noticed spikes in infections in Ukraine on May 8 and May 17. Ukraine will be hosting the Champions League final in Kiev, and it is possible that a large-scale cyberattack on private companies and state-owned sectors is being planned.
VPNFilter shares code with another infamous malware family, BlackEnergy, which targeted Ukraine’s electric grid in late 2015 and briefly left many households without power. Ukrainian authorities blamed the Russian government for that attack. The VPNFilter malware is hard to remove and persists even after reboots. Once a device is infected, the malware can download additional modules to collect data flowing through the router, and it can also permanently brick the router with a “kill” command.
“In most cases, this action is unrecoverable by most victims, requiring technical capabilities, know-how, or tools that no consumer should be expected to have. We are deeply concerned about this capability,” Talos said.
To protect yourself from the threat, Symantec suggests performing a “hard reset” which will restore the router to its factory settings. “With most devices this can be done by pressing and holding a small reset switch when power cycling the device. However, bear in mind that any configuration details or credentials stored on the router should be backed up as these will be wiped by a hard reset,” Symantec said.
It is also recommended that users install software patches from the vendor as soon as they are available. Finally, it is always good practice to change the router’s default password, something many users fail to do.