Subscribe to Email Updates

VPNFilter Malware Targets Critical Infrastructure in Ukraine

VPNFilter Malware Targets Critical Infrastructure in Ukraine

Early in July, Ukraine’s SBU security service claimed it stopped an attack on network equipment belonging to the LLC Aulksa chlorine plant in central Ukraine. The attack appears to have been intended to disrupt plant operations. Specifically, the alleged plan was to block the function of the overflow station, which provides liquid chlorine that is used to clean water from water supply and sewerage systems throughout Ukraine.

The VPNFilter malware was first detected in May and infected more than 500,000 routers and network-attached storage (NAS) devices. Researchers at Cisco Systems' Talos threat intelligence unit blamed Russian actors for infecting hundreds of thousands of routers and NAS devices with the malware, which can spy on network traffic, exfiltrate data and potentially brick systems, cutting victims off from the internet. The surreptitious campaign focused particularly on Ukrainian targets.

Talos reported that VPNFilter also targets a much larger range of devices than previously reported, including those made by ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE. The malware also works on new models from manufacturers previously known to be targeted, including Linksys, MikroTik, Netgear and TP-Link. In May, the FBI warned router users that they should reboot their routers following the Talos report.

Intelligence agencies, as well as Ukraine's SBU, have blamed Russia — more specifically APT 28, also known as Sofacy or Fancy Bear, a unit of Russian military intelligence, GRU — for creating and distributing VPNFilter. The code of some versions of the malware overlaps with versions of the BlackEnergy malware, a cyberespionage program previously linked to attacks on Ukrainian power distribution stations.

"The behaviour of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials and monitoring of Modbus SCADA protocols," Cisco Talos warned in May.

In addition to rebooting routers, as recommended by the FBI, it is important to keep all critical infrastructure and network equipment up to date with the latest patches and firmware versions. Many vendors have released updates intended to close the vulnerabilities exploited by VPNFilter. Even though the FBI seized a key command and control server in late May, the botnet remains active. Devices that are infected with the initial stage of the malware have the potential to be further compromised later.

Leave a comment

John Biasi
Written by John Biasi
John Biasi is a senior cybersecurity specialist at Burns & McDonnell. He has directed a broad range of IT and cybersecurity initiatives and participated in the planning, analysis and implementation of solutions in support business objectives.

Related posts

Collaborative Contracting Approach Brings Cost and Schedule Efficiency
Collaborative Contracting Approach Brings Cost and Schedule Efficiency

Advanced Work Packaging (AWP) provides the framework to help simplify and manage large capital projects in the construction...

Potential Risks and Unintended Consequences of the AWP Trend
Potential Risks and Unintended Consequences of the AWP Trend

Advanced Work Packaging (AWP) has been shown to improve communication, safety and efficiency on industrial construction...