Cisco says the Russian government likely initiated a sophisticated malware campaign that infected at least 500,000 routers and other devices in at least 54 countries including the U.S. Security researchers at Talos, Cisco’s threat intelligence team, have “high confidence this threat is directly related to APT28.”
APT28, also called Fancy Bear, is one of the two Russian groups responsible for hacking incidents during the 2016 U.S. presidential campaign.
Although the malware, dubbed VPNFilter, hit dozens of countries, it targeted Ukrainian devices “at an alarming rate,” according to a Talos blog. (See heat map, below).
Devices affected by VPNFilter include Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office space, as well as QNAP network-attached storage (NAS) devices.
VPNFilter allows hackers to steal website credentials and data, and it can render infected devices unusable. It targets devices on the perimeter of organizations’ networks that are difficult to defend, have hundreds of known vulnerabilities, and are difficult to patch.
Talos says the malware is particularly dangerous because it could be used to conduct a massive global attack, potentially cutting off internet access for “hundreds of thousands of victims worldwide.”
“We are deeply concerned about this capability, and it is one of the driving reasons we have been quietly researching this threat over the past few months,” the blog said.
In April a U.S. agency issued an alert warning American and British organizations that Russian state-sponsored actors are targeting their network infrastructure devices, such as routers. The alert was a joint effort between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre (NCSC).
Cisco says it cannot confirm if this Russian malware threat is related to the April warning.
“The VPNFilter malware shares code with the malware used in the BlackEnergy attacks,” a spokesperson wrote in an email to SDxCentral. “This threat has been attributed by multiple sources to APT28 (Fancy Bear/aka Sandworm), which is associated with Russian intelligence agencies. We have high confidence this threat is directly related to APT28.”
Talos researchers reported a spike in Ukrainian VPNFilter infections on May 8 and again on May 17. “By this point, we were aware of the code overlap between BlackEnergy and VPNFilter, that Ukraine’s Constitution Day was approaching in June, and that the timing of previous attacks in Ukraine suggested that an attack could be imminent,” the blog said.
The country celebrates Constitution Day on June 28, and large-scale attacks against Ukraine often hit near holidays. For example, the June 2017 NotPetya attack took out computers in Ukraine before spreading globally. And the BlackEnergy malware attack struck two days before Christmas in 2015.
Upon discovering VPNFilter, Cisco notified Cyber Threat Alliance (CTA) members, sharing Talos’ analysis and malware samples. The CTA is a group of 17 top security vendors including Cisco, McAfee, Fortinet, Palo Alto Networks, and Symantec that share threat information daily.
Member companies are already using the new threat information to develop protections and mitigations for their customers, according to a CTA blog post. “CTA played the role it was intended to play in this situation,” said Michael Daniel, CTA president and CEO, in an email. “By facilitating sharing, CTA greatly aided network defenders in responding to Cisco’s disclosure and amplified their work. This kind of response was not possible prior to the creation of CTA.”