Early in July, Ukraine’s SBU security service claimed it stopped an attack on network equipment belonging to the LLC Aulksa chlorine plant in central Ukraine. The attack appears to have been intended to disrupt plant operations. Specifically, the alleged plan was to block the function of the overflow station, which provides liquid chlorine that is used to clean water from water supply and sewerage systems throughout Ukraine.

The VPNFilter malware was first detected in May and infected more than 500,000 routers and network-attached storage (NAS) devices. Researchers at Cisco Systems' Talos threat intelligence unit blamed Russian actors for infecting hundreds of thousands of routers and NAS devices with the malware, which can spy on network traffic, exfiltrate data and potentially brick systems, cutting victims off from the internet. The surreptitious campaign focused particularly on Ukrainian targets.

Talos reported that VPNFilter also targets a much larger range of devices than previously reported, including those made by ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE. The malware also works on new models from manufacturers previously known to be targeted, including Linksys, MikroTik, Netgear and TP-Link. In May, the FBI warned router users that they should reboot their routers following the Talos report.

Intelligence agencies, as well as Ukraine's SBU, have blamed Russia — more specifically APT 28, also known as Sofacy or Fancy Bear, a unit of Russian military intelligence, GRU — for creating and distributing VPNFilter. The code of some versions of the malware overlaps with versions of the BlackEnergy malware, a cyberespionage program previously linked to attacks on Ukrainian power distribution stations.

"The behaviour of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials and monitoring of Modbus SCADA protocols," Cisco Talos warned in May.

In addition to rebooting routers, as recommended by the FBI, it is important to keep all critical infrastructure and network equipment up to date with the latest patches and firmware versions. Many vendors have released updates intended to close the vulnerabilities exploited by VPNFilter. Even though the FBI seized a key command and control server in late May, the botnet remains active. Devices that are infected with the initial stage of the malware have the potential to be further compromised later.

by
John Biasi is a solution architect in the Governance, Risk, Cybersecurity and Compliance Group at Burns & McDonnell. He is also an adjunct professor at the Oklahoma State University Institute of Technology. His primary focus is on protecting critical infrastructure by focusing on risk management in the context of cybersecurity and regulatory compliance. He has extensive experience directing a broad range of IT security initiatives in planning, analysis and implementation of solutions, and he has hands-on experience leading all aspects of network design on high-profile projects. He is an active participant in the NERC Security Integration and Technology Enablement Subcommittee (SITES), Smart Electric Power Alliance (SEPA) and the Utilities Technology Council (UTC), focusing on grid modernization cybersecurity and compliance. John has a bachelor's degree in information technology and a Master of Business Administration in cybersecurity management from Excelsior University.