Network technology company Cisco Systems said Wednesday that half a million routers had been compromised in preparation for what could be a major cyberattack against Ukraine, raising the specter of large-scale disruption timed to the upcoming Champions League soccer final there.
Ukraine's Cyberpolice said in a statement that it was possible the hackers planned to strike during "large-scale events," an apparent reference either to the match between Real Madrid and Liverpool in the capital, Kiev, on Saturday or to the country's upcoming Constitution Day celebrations.
What precisely was in the works remains unclear — Cisco said it published its findings early — but researchers said that at least 500,000 devices had been hijacked by malicious software they dubbed VPNFilter.
"The damage possible with that many infected machines is hard to precisely quantify," said Craig Williams, the director of outreach for Talos, Cisco's digital threat intelligence unit. "Suffice to say it could be a significant threat to users around the world."
Ukraine has been locked in a years-long struggle with Russia-backed separatists in the country's east and has repeatedly been hit by cyberattacks of escalating severity. Last year witnessed the eruption of the NotPetya worm, which crippled critical systems, including hospitals, across the country and dealt hundreds of millions of dollars in collateral damage around the globe. Ukraine, the United States and Britain have blamed the attack on Moscow — a charge the Kremlin has denied.
Suspicion will almost certainly fall on the Kremlin for the latest hack, especially after Talos flagged overlaps between VPNFilter and BlackEnergy — a destructive form of malware which has also been linked to Russian actors.
But Williams said in an email that complete attribution was extremely difficult to determine, "especially in situations like this where false flags can be intentionally planted."
Still, he said, "we have a high degree of confidence that the actor behind this is acting against the Ukraine's best interest."
Frank Bajak reported from Boston.
Talos' blog post: https://blog.talosintelligence.com/2018/05/VPNFilter.html