Cisco Systems warned yesterday that hackers have infected at least 500,000 routers and storage devices in dozens of countries with highly sophisticated malicious software. This is thought by Cisco to be in preparation for another massive cyber attack on Ukraine in a bid to disrupt the Champions League final in Kiev, capital of Ukraine.
The malware, which has been called VPNFilter by Cisco, could be used for espionage as well as to destroy the devices that it has infected.
Commenting on the report, Steve Giguere, lead EMEA engineer at Synopsys says: “There is every bit of evidence to suggest that the VPNFilter is targeted at the Ukraine. Elements of its character tie back to the same nation-state sponsored threat actor APT28 (Fancy Bear), that were connected to the disruptive malware NotPetya which ‘coincided’ with the Ukraine’s Constitution Day last year.
“With this weekend’s final, being a potentially larger international spectacle, this could be the 2018 version. As for whether it’s an attempt to de-stabilise the country, it comes as a bit of a 2-for-1 deal as its ability to ‘brick’ it’s host device could be an element that is deployed shortly after its primary task is either completed or at risk of failure.
It’s primary task is however, unknown. As it appears to be monitoring industrial Modbus SCADA protocols, perhaps the timing of the Champions League final is a distraction. Researchers are already making progress at shutting down the malware’s command and control centres, but, with such a widespread deployment it will be a race against time to see if it can be neutralised prior to initiating.”
Nation state surveillance or sabotage
This is borne out by Ashley Stephenson, CEO at Corero Network Security who adds, “Once again, a significant community of vulnerable devices is being pursued by hackers. We cannot know the hackers’ true motivation at this point or even if they are part of a single group but some of the reported capabilities of the observed exploits suggest more of a nation state surveillance or sabotage mission rather than commercially motivated data theft or DDoS.
“This report also highlights the increasing security industry attention being paid to botnet formation through observations of vulnerability scanning, honeypot exploit attempts, and C&C communication intercepts.” Stephenson adds, “We often know about potential threats earlier in their lifecycle, before the actual attacks are launched. Ironically, the cybersecurity community is relatively powerless to intervene before these weaponised IoTs are activated so we must continue to prepare our cyber defences and response strategies for future attacks.”