Home routers have become the rats to hackers' bubonic plague: an easily infected, untreated, and ubiquitous population in which dangerous digital attacks can spread. Now security researchers are warning that one group of sophisticated hackers has amassed a collection of malware-infected routers that could be used as a powerful tool to spread havoc across the internet, or simply triggered to implode networks across the globe.

On Wednesday, Cisco's Talos security division warned of a new breed of malware it calls VPNFilter, which it says has infected at least half a million home and small business routers, including those sold by Netgear, TP-Link, Linksys, and MikroTik, as well as QNAP network-attached storage devices. Talos believes that the versatile code is designed to serve as a multipurpose spy tool, and also creates a network of hijacked routers that serve as unwitting VPNs, potentially hiding the attackers' origin as they carry out other malicious activities. Perhaps most disturbingly, they note the tool also has a destructive feature that would allow the hackers behind it to immediately corrupt the firmware of the entire collection of hacked routers, essentially bricking them.

"This actor has half a million nodes spread out over the world and each one can be used to control completely different networks if they want," says Craig Williams, who leads Talos' security research team. "It's basically an espionage machine that can be retooled for anything they want."


Exactly how VPNFilter infects its targets isn't yet clear. But home routers are notoriously prone to vulnerabilities that can allow remote hackers to take them over, and rarely receive software updates. "This is a set of devices that's getting targeted more and more over the years," says Michael Daniel, the head of the Cyber Threat Alliance, a security industry group that's working with Cisco's Talos to alert the industry to the VPNFilter threat and hasten its removal. "They sit outside firewalls, they don't have native antivirus, they're hard to patch."

Talos writes in a detailed blog post that the VPNFilter malware is capable of siphoning off any data that passes through the network devices it infects, and appears specifically designed to monitor credentials entered into websites. Another, largely unexplained spying feature of the tool seems to watch for communications over Modbus, a SCADA protocol used for controlling automated equipment and internet-of-things devices.

But Talos' Williams also points out that the mass of hacked routers can also function as a collection of proxies for other activities the hackers might engage in—from penetrating other targets to distributed denial-of-service attacks designed to knock websites offline. Hence the VPN in its name. "We assess with high confidence that this malware is used to create an expansive, hard-to-attribute infrastructure that can be used to serve multiple operational needs of the threat actor," Talos' blog post reads.

Separately from the espionage threat it represents, however, Talos hints at yet another possible mission behind VPNFilter. The majority of its 500,000 victim routers are in Ukraine, a portion that has been growing quickly since May 17, when Talos saw a spike in Ukrainian infections controlled by a separate command-and-control server. Combined with the malware's firmware-corrupting capability, that suggests the hackers behind the router malware could be preparing a mass disruption that might take down hundreds of thousands of Ukrainian networks simultaneously. "When you combine the factors at play here, the destructive nature of the malware, and the targeting of Ukraine, this gives you pretty high confidence someone is trying to do bad things in Ukraine again," Williams says.

Ukraine, after all, has become a frequent canary in the coal mine for global cyberattacks, particularly the ongoing cyberwar carried out by its brazen and aggressive Russian neighbors. Talos notes that the increase in Ukrainian infections precedes the anniversary on June 27th of the NotPetya attack—a data-destroying worm that was released in Ukraine and spread to the rest of the world, becoming the most costly malware outbreak in history, and one that the White House has vocally blamed on the Russian military.