
VPNFilter Malware Targets Critical Infrastructure in Ukraine


Early in July, Ukraine's SBU security service said it had stopped an attack on network equipment belonging to LLC Aulska, a chlorine plant in central Ukraine. The attack appears to have been intended to disrupt plant operations: according to the SBU, the goal was to block the stable functioning of the chlorine station, which supplies the liquid chlorine used to treat water for water supply and sewerage utilities throughout Ukraine.

The VPNFilter malware was first reported publicly in May, by which point it had infected more than 500,000 routers and network-attached storage (NAS) devices. Researchers at Cisco's Talos threat intelligence unit assessed the campaign as the work of a state-sponsored or state-affiliated actor. The malware can intercept network traffic passing through the device, steal credentials and exfiltrate data, and its destructive module can overwrite device firmware and brick the device, cutting victims off from the internet. The campaign focused particularly on Ukrainian targets.

In a follow-up report in June, Talos found that VPNFilter targets a much larger range of devices than first reported, including models made by ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE. The malware also affects additional models from manufacturers already known to be targeted: Linksys, MikroTik, Netgear and TP-Link. In May, following the initial Talos report, the FBI warned owners of small office and home routers to reboot their devices.

Intelligence agencies, as well as Ukraine's SBU, have blamed Russia for creating and distributing VPNFilter, and more specifically APT28, also known as Sofacy or Fancy Bear, a unit of Russia's military intelligence service, the GRU. Talos also noted that code in some versions of the malware overlaps with versions of BlackEnergy, a malware family previously linked to the attacks on Ukrainian power distribution companies.

"The behaviour of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allow for theft of website credentials and monitoring of Modbus SCADA protocols," Cisco Talos warned in May.
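The Talos warning above is the reason Modbus matters here: a compromised edge router can see Modbus/TCP in the clear, because the protocol has no authentication or encryption of its own. The defender's counterpart is to watch the same traffic for commands that should never arrive from the network side. The following added example (my own illustration, not code from the original post, from Talos or from the malware) parses the Modbus/TCP MBAP header plus function code from raw payload bytes and flags write requests (function codes 5, 6, 15, 16) aimed at a PLC from any host not on an allowlist of engineering workstations. The addresses, the allowlist and the sample frames are constructed assumptions for the demonstration.

```python
"""Inspect Modbus/TCP requests and flag writes from non-allowlisted hosts.

Added example. Everything below (IP addresses, allowlist, sample frames) is
constructed for illustration and is not data from the article or from VPNFilter.
"""
import struct
from dataclasses import dataclass

MODBUS_TCP_PORT = 502

# Function codes that change PLC state (coils and holding registers).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

# Assumed engineering workstation(s) permitted to write to PLCs.
ALLOWED_WRITERS = {"10.10.1.5"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes


def parse_modbus_tcp(data: bytes):
    """Parse a Modbus/TCP frame: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2), protocol id (2, must be 0), length (2), unit id (1).
    The length field counts the unit id byte plus the PDU. Returns None on a
    malformed or truncated frame instead of raising.
    """
    if len(data) < 8:  # header plus at least a function code byte
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0 or length < 2 or len(data) < 6 + length:
        return None
    pdu = data[7:6 + length]
    return ModbusRequest(tid, unit, pdu[0], pdu[1:])


def build_request(tid: int, unit: int, fc: int, body: bytes) -> bytes:
    """Build a Modbus/TCP request frame; used here to construct sample traffic."""
    pdu = bytes([fc]) + body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def inspect_flows(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port, payload). Returns alert strings."""
    alerts = []
    for src, dst, dport, payload in flows:
        if dport != MODBUS_TCP_PORT:
            continue
        req = parse_modbus_tcp(payload)
        if req is None:
            alerts.append(f"{src}->{dst}: malformed Modbus/TCP frame")
            continue
        if req.function_code in WRITE_FUNCTIONS and src not in ALLOWED_WRITERS:
            alerts.append(
                f"{src}->{dst} unit {req.unit_id}: "
                f"{WRITE_FUNCTIONS[req.function_code]} from non-allowlisted host"
            )
    return alerts


# Constructed sample traffic: (src, dst, dst_port, payload).
SAMPLE_FLOWS = [
    # Read Holding Registers from the engineering workstation: normal.
    ("10.10.1.5", "10.10.2.20", 502, build_request(1, 1, 3, struct.pack(">HH", 0, 10))),
    # Write Single Register from the engineering workstation: allowed.
    ("10.10.1.5", "10.10.2.20", 502, build_request(2, 1, 6, struct.pack(">HH", 40, 1))),
    # Write Single Coil (ON) from an outside address: should alert.
    ("192.0.2.77", "10.10.2.20", 502, build_request(3, 1, 5, struct.pack(">HH", 0, 0xFF00))),
    # Truncated frame (header only, no PDU): should alert as malformed.
    ("192.0.2.77", "10.10.2.20", 502, b"\x00\x04\x00\x00\x00\x06"),
    # Non-Modbus traffic is ignored.
    ("10.10.1.5", "10.10.2.20", 80, b"GET / HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in inspect_flows(SAMPLE_FLOWS):
        print(alert)
```

In practice the payloads would come from a packet capture or a network tap on the OT segment, not from a list; the parser's refusal to raise on malformed input matters there, because a sensor that crashes on a bad frame is itself a denial-of-service target. The allowlist check is deliberately simple; a real deployment would also baseline which unit IDs and register ranges each workstation normally touches.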

Rebooting, as recommended by the FBI, is only a first step. A reboot removes the second- and third-stage modules, but the persistent first stage survives it; removing that requires a factory reset followed by a firmware update, together with the other measures the FBI advised: disable remote management and replace default credentials. More broadly, it is important to keep all critical infrastructure and network equipment current with the latest patches and firmware versions, since many vendors have released updates that close the vulnerabilities VPNFilter exploits. Even though the FBI seized a command-and-control domain in late May, the botnet remains active, and devices still carrying the first stage can be re-infected with the later stages at any time.


Written by John Biasi
John Biasi is a senior consultant in critical infrastructure cybersecurity, risk and reliability at 1898 & Co., part of Burns & McDonnell. He has extensive experience directing a broad range of IT security initiatives in planning, analysis and implementation of solutions in support of business objectives, and he has hands-on experience leading all aspects of network design on high-profile projects. John has a bachelor's degree in information technology and a Master of Business Administration in cybersecurity management from Excelsior College.
