Security researchers from Cisco said today that they've detected a giant botnet of hacked routers that appears to be preparing for a cyber-attack on Ukraine.

Researchers say the botnet has been created by infecting home routers with a new malware strain named VPNFilter.

This malware strain is incredibly complex when compared to other IoT malware, and comes with support for boot persistence (the second IoT/router malware to do so), scanning for SCADA components, and a firmware wiper/destructive function to incapacitate affected devices.

Russia is most likely preparing a cyber-attack on Ukraine

Cisco says it found code overlap with BlackEnergy, a malware strain that has been used to cripple Ukraine's power grid in the winter of 2015 and 2016.

The US Department of Homeland Security has fingered Russian cyber-spies as the creators of the BlackEnergy malware and the perpetrators of the 2015 and 2016 Ukraine power grid attacks.

Several countries have also accused Russia of launching the NotPetya ransomware attack, which was also initially aimed at Ukraine. While no officials accusations have been made, many also believe Russia launched the Bad Rabbit ransomware, also mainly aimed at Ukrainian companies.

Russia is also the main culprit for the cyber-attack that hit the opening ceremony of the 2018 Winter Olympic Games in South Korea with the "Olympic Destroyer" malware after the International Olympic Committee has banned the country from the event.

Now, security experts believe Russia may be preparing another attack on Ukraine, but this time using a botnet of infected routers.

VPNFilter botnet comprises over 500,000 hacked devices

Cisco says it spotted the VPNFilter malware on over 500,000 routers manufactured by Linksys, MikroTik, NETGEAR, and TP-Link, but also from QNAP NAS devices. Cisco says no zero-days were used to create this botnet, but just older public vulnerabilities. Symantec says it spotted VPNFilter malware on the following devices:

Linksys E1200

Linksys E2500

Linksys WRVS4400N

Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072

Netgear DGN2200

Netgear R6400

Netgear R7000

Netgear R8000

Netgear WNR1000

Netgear WNR2000

QNAP TS251

QNAP TS439 Pro

Other QNAP NAS devices running QTS software

TP-Link R600VPN

Signs of this botnet's existence go back as far as 2016, but researchers say botnet started an intense scanning activity in recent months, growing to a huge size.

Infected devices were found across 54 countries, but Cisco says the botnet's creators have been focusing on infecting routers and IoT devices located in Ukraine in the past weeks, even creating a dedicated command-and-control server to manage these Ukrainian bots.

It is unclear what their intentions are, but Cisco fears a new attack may be coming pretty soon, as the botnet is ramping up its operations.

The most likely targets for a cyber-attack are Saturday, May 26, the date of the UEFA Champions League soccer final, set to take place this year in Ukraine's capital, Kiev. Another plausible date is Ukraine's Constitution Day, June 27, the date of last year's NotPetya cyber-attack.

VPNFilter is a very complex strain of IoT malware

Cisco experts aren't sounding the alarm on this malware strain for nothing. The VPNFilter malware is one of the most complex IoT/router malware strains and capable of some pretty destructive behavior.

For starters, the malware operates at three stages. The Stage One bot is the most lightweight and simple, as its only role is to infect the device and obtain boot persistence. Until a few weeks ago, no IoT malware strain had been capable of surviving device reboots, with the Hide and Seek botnet becoming the first earlier this month. But according to a Symantec report, users can remove the Stage One malware by performing a so-called "hard reset," also known as a reset to factory settings.

The Stage Two VPNFilter malware module does not survive device reboots but relies on the Stage One module to re-download it when the user reboots (and inadvertantly cleans) his device.

This Stage Two module's main role is to support a plugin architecture for the State Three plugins. Cisco says that until now it has spotted Stage Three plugins that can:

✱ Sniff network packets and intercept traffic

✱ Monitor for the presence of Modbus SCADA protocols

✱ Communicate with C&C servers via the Tor network

Cisco suspects VPNFilter operators have created other modules that they have not deployed until this point.

VPNFilter is also a wiper

But despite not having boot persistence, the Stage Two module is also the most dangerous, as it contains a self-destruct function that overwrites a critical portion of the device's firmware, and reboots the device. This renders any device unusable, as the code needed to start the device has been replaced with jumbled data.

"This action is unrecoverable by most victims, requiring technical capabilities, know-how, or tools that no consumer should be expected to have," Cisco researchers said today in a report about VPNFilter. "We are deeply concerned about this capability."

Currently, there are various ways attackers could use VPNFilter:

✱ They could use it to spy on network traffic and intercept credentials for sensitive networks

✱ They could spy on network traffic heading to SCADA equipment and deploy specialized malware that targets ICS infrastructure

✱ They could use the botnet's hacked devices to hide the source of other malicious attacks

✱ They could cripple routers and render a large part of Ukraine's Internet infrastructure unusable

Cisco says it's currently working with private and public sector entities to identify devices infected with VPNFilter and cripple the botnet before it launches any attacks. The Ukrainian Secret Service has issued a security alert on the topic earlier today.

In April, experts from Kaspersky Lab have noted that several nation-state cyber-espionage groups have started incorporating hacked routers into their attack infrastructure. Cisco has also published a piece on the rising trend of using wipers in malware operations.