Security researchers from Cisco said today that they've detected a giant botnet of hacked routers that appears to be preparing for a cyber-attack on Ukraine.
Researchers say the botnet has been created by infecting home routers with a new malware strain named VPNFilter.
This malware strain is incredibly complex when compared to other IoT malware, and comes with support for boot persistence (the second IoT/router malware to do so), scanning for SCADA components, and a firmware wiper/destructive function to incapacitate affected devices.
Cisco says it found code overlap with BlackEnergy, a malware strain that has been used to cripple Ukraine's power grid in the winter of 2015 and 2016.
The US Department of Homeland Security has fingered Russian cyber-spies as the creators of the BlackEnergy malware and the perpetrators of the 2015 and 2016 Ukraine power grid attacks.
Several countries have also accused Russia of launching the NotPetya ransomware attack, which was also initially aimed at Ukraine. While no officials accusations have been made, many also believe Russia launched the Bad Rabbit ransomware, also mainly aimed at Ukrainian companies.
Russia is also the main culprit for the cyber-attack that hit the opening ceremony of the 2018 Winter Olympic Games in South Korea with the "Olympic Destroyer" malware after the International Olympic Committee has banned the country from the event.
Now, security experts believe Russia may be preparing another attack on Ukraine, but this time using a botnet of infected routers.
Cisco says it spotted the VPNFilter malware on over 500,000 routers manufactured by Linksys, MikroTik, NETGEAR, and TP-Link, but also from QNAP NAS devices. Cisco says no zero-days were used to create this botnet, but just older public vulnerabilities. Symantec says it spotted VPNFilter malware on the following devices:
Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
Signs of this botnet's existence go back as far as 2016, but researchers say botnet started an intense scanning activity in recent months, growing to a huge size.
Infected devices were found across 54 countries, but Cisco says the botnet's creators have been focusing on infecting routers and IoT devices located in Ukraine in the past weeks, even creating a dedicated command-and-control server to manage these Ukrainian bots.
It is unclear what their intentions are, but Cisco fears a new attack may be coming pretty soon, as the botnet is ramping up its operations.
The most likely targets for a cyber-attack are Saturday, May 26, the date of the UEFA Champions League soccer final, set to take place this year in Ukraine's capital, Kiev. Another plausible date is Ukraine's Constitution Day, June 27, the date of last year's NotPetya cyber-attack.
Cisco experts aren't sounding the alarm on this malware strain for nothing. The VPNFilter malware is one of the most complex IoT/router malware strains and capable of some pretty destructive behavior.
For starters, the malware operates at three stages. The Stage One bot is the most lightweight and simple, as its only role is to infect the device and obtain boot persistence. Until a few weeks ago, no IoT malware strain had been capable of surviving device reboots, with the Hide and Seek botnet becoming the first earlier this month. But according to a Symantec report, users can remove the Stage One malware by performing a so-called "hard reset," also known as a reset to factory settings.
The Stage Two VPNFilter malware module does not survive device reboots but relies on the Stage One module to re-download it when the user reboots (and inadvertantly cleans) his device.
This Stage Two module's main role is to support a plugin architecture for the State Three plugins. Cisco says that until now it has spotted Stage Three plugins that can:
Cisco suspects VPNFilter operators have created other modules that they have not deployed until this point.
But despite not having boot persistence, the Stage Two module is also the most dangerous, as it contains a self-destruct function that overwrites a critical portion of the device's firmware, and reboots the device. This renders any device unusable, as the code needed to start the device has been replaced with jumbled data.
"This action is unrecoverable by most victims, requiring technical capabilities, know-how, or tools that no consumer should be expected to have," Cisco researchers said today in a report about VPNFilter. "We are deeply concerned about this capability."
Currently, there are various ways attackers could use VPNFilter:
Cisco says it's currently working with private and public sector entities to identify devices infected with VPNFilter and cripple the botnet before it launches any attacks. The Ukrainian Secret Service has issued a security alert on the topic earlier today.
In April, experts from Kaspersky Lab have noted that several nation-state cyber-espionage groups have started incorporating hacked routers into their attack infrastructure. Cisco has also published a piece on the rising trend of using wipers in malware operations.