Previous malware outbreaks in the Ukraine have spread worldwide, including the June 2017 “NotPetya” attack that UK and US officials said was the most destructive cyber-incident to date.
The malware in question, which Cisco called VPNFilter, has infected at least half a million routers and storage devices in dozens of countries.
Cisco’s Talos computer security unit said it believes the malware is used by the Russian government, because it shares code with malware previously used in cyber-attacks the US government has attributed to Moscow.
The malware is capable of monitoring internet traffic to obtain sensitive details such as login credentials, as well as initiating destructive attacks on industrial networks.
Some versions of VPNFilter “possess a self-destruct capability that overwrites a critical portion of the device’s firmware and reboots the device, rendering it unusable”, Cisco said in an advisory. “We assess with high confidence that the actor could deploy this self-destruct command to most devices that it controls.”
The malware is aimed at collecting intelligence, creating a platform from which to launch attacks and making it difficult for those attacks to be reliably attributed, Cisco said.
Its destructive capability “shows that the actor is willing to burn users’ devices to cover up their tracks, going much further than simply removing traces of the malware”, Cisco wrote.
“If it suited their goals, this command could be executed on a broad scale, potentially rendering hundreds of thousands of devices unusable, disabling internet access for hundreds of thousands of victims worldwide or in a focused region where it suited the actor’s purposes.”
The Ukraine’s SBU state security service said a rapid increase in VPNFilter infections in that country might indicate an attempt to destabilise the Champions League football final due to be held in Kiev on Saturday.
Cisco said an attack could be planned ahead of Ukraine’s Constitution Day on 28 June.
Russia has previously denied allegations by the Ukraine and the US that it operates a large-scale hacking programme.
Moscow has been linked to attacks on the Ukraine that shuttered factories and took out parts of the energy grid in 2015 and 2016. The US alleges Russia was behind hacks that attempted to manipulate the 2016 US presidential elections.
The Cyber Threat Alliance, of which Cisco is a member along with Check Point Software, Fortinet, Palo Alto Networks, Sophos, Symantec and others, issued an alert of its own on VPNFilter, saying the threat should be taken seriously.
VPNFilter infections are spread across at least 54 countries, but surged in the Ukraine on 8 May and 17 May. Routers from Linksys, MikroTik, Netgear and TP-Link are affected.