The Kremlin on Thursday denied an allegation from Ukraine that Russian Federation was planning a cyber attack on Ukrainian state bodies and private companies ahead of the Champions League soccer final in Kiev on Saturday. Stage 1 writes itself into the device's memory so that it survives even if the device is rebooted, something that most IoT malware is unable to accomplish. In the past, infected devices have only needed a reboot to remove the malicious code.
Cisco's Talos cyber intelligence unit said it has high confidence that the Russian government is behind the campaign, dubbed VPNFilter, because the hacking software shares code with malware used in previous cyber attacks that the United States government has attributed to Moscow.
The malware's principal capabilities, the company said, included stealthy intelligence-collecting, monitoring industrial-control software and, if triggered, "bricking" or disabling routers.
The company has also notified the manufacturers of those devices about the threat and shared their research with worldwide law enforcement and the Cyber Threat Alliance.
The stage 3 modules are effectively plugins for the stage 2 malware.
More troubling to researchers, as of Thursday they "observed another substantial increase in newly acquired VPNFilter victims focused in Ukraine".
PBS puts Roma instead of Real Madrid as Champions League finalist
In his first season at Anfield, the Egyptian forward broke the Premier League record for goals in a 38-game season with 32. Salah's exit gave Real an immediate lift because they had been nervous and edgy up until that point in the game.
The malware can ostensibly be used to collect communications, permanently destroy devices and launch attacks on other devices, the experts warned.
Talos also noted that the infected devices are generally hard to defend, as they are frequently on the perimeter of the network and don't have an intrusion protection system in place or a host-based protection system such as an antivirus software package.
Experts at Cisco's threat intelligence arm Talos say the risky malware, dubbed "VPNFilter", has code that overlaps with BlackEnergy, malware the Department of Homeland Security (DHS) has already attributed to Russian Federation. They did it by seizing a key domain used to perpetuate the attacks.
Talos does not specify where they believe the attack originates, though the Ukrainian Security Service indicates that Russian Federation is the likely culprit. The malware, dubbed VPNFilter according to a Cisco advisory, has managed to infect numerous routers from vendors like Linksys, MikroTik, Netgear, TP-Link, and certain network-attached storage devices from companies like QNAP.
The botnet targets home and office routers, through which it can relay orders from the botnet's controllers and intercept and reroute traffic back to them, virtually undetected by the users of a network.
"This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities".
Ukraine's cyberpolice said in a statement that it was possible the hackers planned to strike during "large-scale events", an apparent reference either to the upcoming Champions League game between Real Madrid and Liverpool in the capital, Kyiv, on Saturday or to Ukraine's upcoming Constitution Day celebrations.