The biggest story in security this week is a large-scale attack on home and small-office routers. The U.S. and U.K. governments have officially blamed Russia for the campaign, and researchers at Cisco Talos have published their analysis of the Russia-linked malware behind it, which they say has infected at least 500,000 devices, with infections concentrated in Ukraine.
The attackers installed malware known as VPNFilter on routers from a range of vendors, including Linksys, MikroTik, Netgear and TP-Link, by exploiting publicly known vulnerabilities in those devices. Victims have been found in 54 countries, but most of the infections seen so far are in Ukraine, where devices were being compromised at an “alarming rate”. VPNFilter also shares code with BlackEnergy, another Russia-linked espionage tool that was previously used against Ukrainian power providers.
Cisco’s researchers also suggested that the attackers may intend to knock a large number of users offline with a kind of kill switch: “The malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide”.
Beyond that destructive option, the malware can snoop on traffic passing through an infected router to steal data such as website login credentials, and it includes a module that watches for traffic from software used in critical infrastructure environments. Command-and-control communication is carried over the Tor network.
Martin Lee, technical lead for security research at Cisco Talos, would not attribute the attacks to a specific country. The campaign has, however, been linked to the hacker crew known as APT28, which the U.S. has tied to Russia and blamed for the 2016 DNC hack in the run-up to that year’s election.
Lee was also concerned about the potential for attacks on critical infrastructure. In an interview he said: “What is also worrying is that this malware has a module which targets MODBUS, a protocol used to operate industrial control systems which may be found in power stations or railway track point controls. There are also similarities between this malware and the BlackEnergy attacks that previously affected electricity supply in Ukraine … it is vital that organisations which protect industrial systems such as the water and electricity supply take the necessary steps to protect against attacks such as these.”
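Why a sniffer module on a router is a problem for Modbus: Modbus/TCP carries no authentication and no encryption, so anything sitting on the path between an HMI and a PLC can read every command in the clear and tell reads from writes by looking at a single byte. The parser below is an added example (it is not Talos’s code and not the malware’s), written in Python against the public Modbus/TCP framing: a 7-byte MBAP header (transaction id, protocol id, length, unit id) followed by a function code and its data. It decodes a handful of constructed frames and returns an alert for every write request and every malformed frame, which is the same vantage point a router-level sniffer would have, used here defensively.

```python
import struct
from dataclasses import dataclass
from typing import List

MODBUS_TCP_PORT = 502  # Modbus/TCP listens here; the protocol has no auth or encryption

FUNCTION_NAMES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes  # PDU bytes after the function code

    @property
    def name(self) -> str:
        base = self.function & 0x7F  # bit 7 set marks an exception response
        base_name = FUNCTION_NAMES.get(base, f"FC {base}")
        return f"Exception response to {base_name}" if self.function & 0x80 else base_name

    @property
    def is_write(self) -> bool:
        return self.function in WRITE_FUNCTIONS


def parse_modbus_tcp(frame: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The MBAP length field counts the unit id and the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match payload {len(frame) - 6}")
    return ModbusFrame(tid, unit, frame[7], frame[8:])


def describe_write(frame: ModbusFrame) -> str:
    """Decode address and value for the common write requests (client->server only)."""
    fc, d = frame.function, frame.data
    if fc in (5, 6) and len(d) >= 4:
        addr, value = struct.unpack(">HH", d[:4])
        return f"{'coil' if fc == 5 else 'register'} {addr} <- 0x{value:04X}"
    if fc == 16 and len(d) >= 5:
        start, qty, nbytes = struct.unpack(">HHB", d[:5])
        regs = struct.unpack(f">{qty}H", d[5:5 + 2 * qty]) if len(d) >= 5 + 2 * qty else ()
        return f"registers {start}..{start + qty - 1} <- {list(regs)}"
    if fc == 15 and len(d) >= 5:
        start, qty, nbytes = struct.unpack(">HHB", d[:5])
        return f"coils {start}..{start + qty - 1} <- {d[5:5 + nbytes].hex()}"
    return "(unparsed write)"


def audit_frames(frames: List[bytes]) -> List[str]:
    """One alert per write request or malformed frame seen in captured traffic."""
    alerts = []
    for raw in frames:
        try:
            f = parse_modbus_tcp(raw)
        except ValueError as exc:
            alerts.append(f"malformed frame: {exc}")
            continue
        if f.is_write:
            alerts.append(f"unit {f.unit_id} tid {f.transaction_id}: {f.name}: {describe_write(f)}")
    return alerts


# Constructed sample frames (not captured from any real device).
SAMPLE_FRAMES = [
    bytes.fromhex("00030000000601030000000a"),          # read 10 holding registers from 0
    bytes.fromhex("000100000006010600100001"),          # write single register 16 := 1
    bytes.fromhex("00020000000601050013ff00"),          # write single coil 19 := ON
    bytes.fromhex("00040000000b01100000000204000a0102"),  # write registers 0..1 := 10, 258
    bytes.fromhex("00050001000601030000000a"),          # protocol id 1: not Modbus
]

if __name__ == "__main__":
    for line in audit_frames(SAMPLE_FRAMES):
        print(line)
```

Only the four non-read frames produce output; the read request passes silently, which is the usual baseline for a monitoring rule on port 502. In a real deployment the frames would come from a pcap or a tap, and the point to take away is that the sniffer needs no key material at all to do this.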
Widespread attacks possible:
Cisco said it published its findings early because it was concerned that an attack on Ukraine was imminent: its researchers had seen a sudden uptick in VPNFilter infections in the country.
The Talos report does not expect the devices to be cleaned up any time soon: “Defending against this threat is extremely difficult due to the nature of the affected devices. The majority of them are connected directly to the internet, with no security devices or services between them and the potential attackers. This challenge is augmented by the fact that most of the affected devices have publicly known vulnerabilities which are not convenient for the average user to patch.”
Russia, meanwhile, has dismissed the claims about its online activity, as it denied the allegations made by the U.S. and U.K. authorities in April.
An NCSC spokesperson said of the Cisco findings: “This research is a timely reminder for organisations and home users to get the basics right to help protect their systems against cyber threats. We actively encourage everyone to follow their manufacturer’s advice and ensure they are installing patches and using up-to-date antivirus software.”
Cisco and the FBI recommended that anyone who believes they may be infected reboot their devices as soon as possible. A reboot is a first step rather than a cure: VPNFilter’s first stage is built to survive a restart, so rebooting only clears the later stages and forces the device to reach back out to the attackers’ infrastructure. Talos also recommended a factory reset followed by a firmware update, and the FBI’s advisory urged owners to disable remote management and change default passwords.
Steps by FBI:
The FBI said it had seized a domain used to control the botnet of roughly 500,000 routers, and its court filing attributed the campaign to APT28.
FBI assistant director Scott Smith said: “Today’s announcement highlights the FBI’s ability to take swift action in the fight against cybercrime and our commitment to protecting the American people and their devices. By seizing a domain used by malicious cyber actors in their botnet campaign, the FBI has taken a critical step in minimizing the impact of the malware attack. While this is an important first step, the FBI’s work is not done. The FBI, along with our domestic and international partners, will continue our efforts to identify and expose those responsible for this wave of malware.”