Cybersecurity experts are warning that hackers are ramping up malware attacks against Ukraine, infecting thousands of devices ahead of an upcoming national holiday in the country.

Experts at Cisco’s threat intelligence arm Talos say the dangerous malware, dubbed "VPNFilter," has code that overlaps with BlackEnergy, malware the Department of Homeland Security (DHS) has already attributed to Russia.

The firm says it is releasing their findings on VPNFilter early in the hopes that affected parties can begin taking steps to protect themselves.

ADVERTISEMENT

"While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control infrastructure dedicated to that country," Talos wrote in a blog post on Wednesday.

The firm said that while it is seeing a "sharp spike" in VPNFilter activity geared toward Ukrainian hosts, the malware has also infected devices around the globe.

"Both the scale and the capability of this operation are concerning. Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries," Talos wrote.

Russian hackers similarly launched a major cyberattack on Ukraine's Constitution Day last year, ravaging computers as part of an effort to disrupt the country's financial system.

The NotPetya malware attack — which caused massive damage in Europe, Asia and the Americas — took place in June 2017, the same month as Ukraine's public holiday.

Russia in recent years has become increasingly aggressive towards Ukraine, particularly its annexation of Crimea in 2014.

Earlier this year, Trump administration joined the British government in attributing the NotPetya attack to Russia. Russia has denied responsibility for the cyberattack.

Talos said the code overlap as well as the quickly approaching national holiday prompted them to release their findings before fully completing their research. The group will continue to update their findings as their research progresses.

"By this point, we were aware of the code overlap between BlackEnergy and VPNFilter, and that Ukraine's Constitution Day was approaching in June — previous attacks in Ukraine have frequently occurred on national holidays," the firm wrote, saying they saw a rise in activity in early May.

The malware, the experts say, could wreak havoc in a number of ways, from theft of website credentials to causing widespread internet disruption.

"The malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide."

The malware targets storage devices and routers like Linksys, NETGEAR and other networking equipment, the firm says.

"The type of devices targeted by this actor are difficult to defend. They are frequently on the perimeter of the network, with no intrusion protection system in place, and typically do not have an available host-based protection system such as an anti-virus package," the firm says.