Researchers uncover sophisticated botnet aimed at possible attack inside Ukraine

A massive, reportedly Russian-linked hacking operation looms over Ukraine, people familiar with the matter who spoke with CyberScoop.

A massive hacking operation that’s co-opted more than 500,000 routers into a botnet looms over Ukraine, according to cybersecurity researchers and people familiar with the matter who spoke with CyberScoop.

Over the last several days, a combination of at least three groups — Cisco’s cybersecurity unit Talos, the nonprofit information sharing group Cyber Threat Alliance (CTA) and U.S. law enforcement — have all been quietly notifying companies about what appears to be the early stages of a potentially expansive cyberattack against Ukraine.

The scheme carries indicators that suggests a Russian government-linked hacking group may be involved, but so far that connection is only tentative. The public notifications are ahead of a massive international soccer match, which will be hosted in Kiev, on May 26 and an important domestic holiday in Ukraine on June 28.

Last year, there was a delayed reaction inside Ukraine to the NotPetya attack due to it being launched a day before a Ukrainian holiday.


More than 500,000 routers and other internet gateway devices in at least 54 countries were compromised in recent months as part of this large and complex botnet, according to Talos researchers.

In recent weeks, beginning on May 8, there’s been a noticeable spike in systems specifically located in Ukraine being targeted and successfully breached through this same botnet. The latest revelation — in combination with the underlying malware’s unique and devastating capabilities — has alarmed researchers, who originally began warning router makers and regional governments of the activity months ago.

Dubbed “VPNFilter,” the sophisticated modular malware framework allows for an attacker to scan the internet for vulnerable systems and quickly infect devices that are both extremely popular and difficult to patch. Affected networking gear comes from big brands like Linksys, MikroTik, NETGEAR and TP-Link.

Researchers say that the VPNFilter-enabled botnet is capable of doing significant harm, including permanently disabling the hacked devices through a method known as “bricking,” which could cause thousands of companies to immediately lose internet connection and therefore likely lose business.

In addition to bricking a breached device, VPNFilter can also be used to steal website administrator credentials and for monitoring SCADA protocols. SCADA, an abbreviation of Supervisory Control and Data Acquisition, relates to data about industrial control equipment that’s used in power plants, nuclear facilities and manufacturing factories. Bricking a device means making it disfunctional through a malicious reboot. With VPNFilter it bricks the system permanently by deleting critical computer code.


“The type of devices targeted by this actor are difficult to defend,” a Cisco blog post reads. “They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package. We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward. All of this has contributed to the quiet growth of this threat since at least 2016.”

Neil Jenkins, a former Homeland Security official and the current chief analytics officer for CTA, said that his organization has been notifying all their partners about the VPNFilter issue. CTA members mostly include cybersecurity companies, not networking gear makers.

Jenkins said there’s a broad and focused effort right now quietly taking place between law enforcement and industry to built a distributable mitigation of some sort, which could help alleviate some risk to businesses that rely on vulnerable systems. Several major cybersecurity vendors are already working with the router makers in this emergency-driven partnership. 

VPNFilter, according to Talos researchers and other experts, carries unique code that’s loosely tied to an infamous Russian malware variant labelled “BlackEnergy.” BlackEnergy was used in a hacking operation that knocked multiple Ukrainian energy companies offline two years ago.

The coding overlap and targeting profile, designed to impact Ukraine, has some insiders believing that Russia is the main culprit behind VPNFilter. The group behind BlackEnergy is known as “Sandworm” to the security research community. Sandworm is widely associated with a Russian intelligence agency named the GRU (Main Intelligence Directorate).


While Sandworm is sometimes connected to another Russian hacking team that’s most famous for penetrating email servers belonging to the Democratic National Committee (DNC) in 2016, named APT28 or “Fancy Bear,” some analysts contend that the two teams are different in scope and mission. Both Fancy Bear and Sandworm are, however, similarly linked as having some tie to the GRU; further blurring the line for attribution and analysis.

What makes VPNFilter so advanced, among other reasons, is the fact that it can maintain persistence even after a device is restarted. Simply put, that capability is rarely seen in relation to malware that affects so-called “internet of things” devices — like routers, DVRs, smart home appliances and internet-connected security cameras. In practice, the malware provides the hackers with not only espionage options, but also data destruction; making it especially dangerous.

In a statement to Reuters, Ukraine’s SBU security service blamed Russia for orchestrating a digital attack ahead of the Champions League final taking place this upcoming week.

“Security Service experts believe that the infection of hardware on the territory of Ukraine is preparation for another act of cyber-aggression by the Russian Federation, aimed at destabilising the situation during the Champions League final,” the statement reads.

Chris Bing

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Marys College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.

Latest Podcasts