Cybersecurity experts are warning that a sophisticated Russia-linked hacking campaign has infected more devices than previously reported.

Experts at Cisco’s threat intelligence arm Talos said their new findings reveal that the dangerous malware, dubbed VPNFilter, has not only compromised more routers in small or home offices, but it also has more capabilities than they had initially found.

ADVERTISEMENT

"We have seen that VPNFilter is targeting more makes/models of devices than initially thought, and has additional capabilities, including the ability to deliver exploits to endpoints," according to a Wednesday Talos blog post.

The hackers are targeting additional home network vendors like ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE, the cyber firm says.

Talos had reported last month that the botnet — a network of infected devices— had compromised Linksys, MikroTik, Netgear, and TP-Link, estimating that VPNFilter had affected 500,000 devices in 54 countries. The latest report, however, notes that new devices were also discovered on these initially reported routers.

The firm also said it discovered that the malware can "intercept network traffic and inject malicious code into it without the user's knowledge."

"With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports," the blog reads.

The Talos experts first warned about VPNFilter last month, noting that their research is ongoing but they are releasing their findings early in the hopes that affected parties can begin taking steps to protect themselves.

Talos's first report came just days before the FBI issued a formal warning about VPNFilter, advising owners to reboot these devices in an attempt to disrupt the malicious software.

"The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices," the bureau's cyber division wrote in a public alert.

Officials explicitly linked the botnet to the cyber espionage group known as APT 28, or Sofacy, believed to be connected to the Russian government. VPNFilter has code that overlaps with BlackEnergy, malware the Department of Homeland Security has already attributed to Russia, the firm found.

Talos warned that the botnet is increasingly attacking victims in Ukraine, infecting thousands of devices ahead of an upcoming national holiday in the country.

"While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control infrastructure dedicated to that country," Talos wrote in a blog post last month.

The firm warned that VPNFilter could wreak havoc in a number of ways, from stealing website credentials to causing widespread internet disruption.

"The malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide."