Thursday, 24 May 2018 06:37

Ukraine main target of malware that infects network devices


More than half a million routers and other network devices in 54 countries have been infected with malware dubbed VPNFilter by an unknown adversary, with hosts in Ukraine being a particular target, researchers say.

Cisco's Talos Intelligence Group said this was likely to be a state-sponsored attack and that it was making its findings public even though they were incomplete, in order that affected parties could take action to defend themselves.

The name VPNFilter was chosen because the malware resides within a folder of that name on the infected device. The malware steals credentials from networking equipment and monitors Modbus SCADA protocols.

Researcher William Largent wrote that VPNFilter code had some similarities to that in the BlackEnergy malware that was named as a culprit in a number of attacks in Ukraine.

"While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilising a command and control infrastructure dedicated to that country," he wrote.

But other researchers have cautioned on attribution based on shared code. Dragos founder and chief executive Robert Lee tweeted: "Please don’t make 'high confidence' assessments on nation-state attribution because of code overlaps in malware."

And well-known security researcher Matthew Hopkins added: "It's a weakness of analysts. A malware author can attribute an attack to another group simply by using the same code or characteristics found in a code belonging to a state actor... security researchers should stick to the technical stuff, and leave the politics to someone else."

Since 8 May, the malware appeared to have been focused on Ukraine, though scans of TCP ports 23, 80, 2000 and 8080, used by MikroTik and QNAP NAS devices, had been noticed taking aim at devices in more than 100 countries.
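As an added example (not code from the original article, from Talos or from any of the vendors named), the following Python flags sources in a firewall log that probe the four ports named above across several destination hosts. The syslog-style SRC/DST/DPT line format, the sample lines and the thresholds are all constructed assumptions; a real deployment would feed it the firewall's own log format and tune the thresholds.

```python
"""Flag sources probing the ports reported in the VPNFilter scanning (23, 80, 2000, 8080).

Illustrative example added to this article; not Talos's or iTWire's code.
The log format below is a constructed, simplified syslog/iptables-style line
and the thresholds in find_scanners() are assumptions.
"""
from collections import defaultdict
import re

SCAN_PORTS = {23, 80, 2000, 8080}

# Constructed sample lines resembling iptables "SRC=... DST=... DPT=..." output.
# 198.51.100.7 sweeps all four ports across four hosts; 192.0.2.44 only hits
# port 80/443 on a single host and should not be flagged.
SAMPLE_LOG = """\
May 20 01:02:03 gw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=23 SYN
May 20 01:02:03 gw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.11 PROTO=TCP DPT=80 SYN
May 20 01:02:04 gw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.12 PROTO=TCP DPT=2000 SYN
May 20 01:02:04 gw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.13 PROTO=TCP DPT=8080 SYN
May 20 01:02:05 gw kernel: IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP DPT=443 SYN
May 20 01:02:06 gw kernel: IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP DPT=80 SYN
May 20 01:02:07 gw kernel: IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP DPT=80 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+)")


def parse(log_text):
    """Yield (src, dst, dport) for every TCP line the assumed format matches."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dpt"])


def find_scanners(log_text, min_ports=2, min_hosts=2):
    """Return {src: {"ports": [...], "hosts": n}} for sources that touched at
    least `min_ports` distinct ports from SCAN_PORTS across at least `min_hosts`
    distinct destinations. A single client opening port 80 on one host is
    ordinary traffic; the same source walking 23/80/2000/8080 over many hosts
    is the sweep pattern worth alerting on.
    """
    ports_by_src = defaultdict(set)
    hosts_by_src = defaultdict(set)
    for src, dst, dport in parse(log_text):
        if dport in SCAN_PORTS:
            ports_by_src[src].add(dport)
            hosts_by_src[src].add(dst)
    return {
        src: {"ports": sorted(ports_by_src[src]), "hosts": len(hosts_by_src[src])}
        for src in ports_by_src
        if len(ports_by_src[src]) >= min_ports and len(hosts_by_src[src]) >= min_hosts
    }


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: probed ports {info['ports']} on {info['hosts']} hosts")
```

Run against the sample, only 198.51.100.7 is reported. Requiring both several ports and several destinations keeps a single busy web client from tripping the rule, which matters on a SOHO edge device where port 80 traffic is normal.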


Known devices affected are Linksys, MikroTik, Netgear and TP-Link equipment used in the small office and home office sectors, and also QNAP network-attached storage devices.

Largent said that a kill switch within the malware would enable the attackers to make a device unusable. This "can be triggered on individual victim machines or en masse, and has the potential of cutting off Internet access for hundreds of thousands of victims worldwide", he said.

The devices targeted were difficult to defend as they were on the edge of networks. "The majority of them are connected directly to the Internet, with no security devices or services between them and the potential attackers," Largent wrote.

"This challenge is augmented by the fact that most of the affected devices have publicly known vulnerabilities which are not convenient for the average user to patch.

"Additionally, most have no built-in anti-malware capabilities. These three facts together make this threat extremely hard to counter, resulting in extremely limited opportunities to interdict malware, remove vulnerabilities, or block threats."

He said Talos was unsure which particular exploit was used in a specific case, "but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward. All of this has contributed to the quiet growth of this threat since at least 2016".

US security firm Symantec listed the following devices as among those being attacked:

  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN

Graphic: courtesy Talos Intelligence Group







Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


