Security Experts:

VPNFilter Malware Hits Critical Infrastructure in Ukraine

The Security Service of Ukraine (SBU) revealed this week that the VPNFilter malware, which it attributed to Russian intelligence agencies, had targeted a critical infrastructure organization.

According to the SBU, the malware was detected on the systems of the Aulska chlorine station in Auly, Dnipropetrovsk. The organization is part of the country’s critical infrastructure as it supplies chlorine to water treatment and sewage plants across Ukraine.

The malware reportedly targeted technological processes and safety systems, but the security agency said it quickly detected and blocked the attempt. The SBU said the attack could have resulted in technological process disruptions or a crash of the affected systems, which could have led to a “disaster.” The agency believes the attackers’ goal was to disrupt operations at the facility.

While the SBU’s statement suggests that this attack was specifically aimed at the chlorine station, it’s also possible that the organization was an opportunistic target. VPNFilter at one point had ensnared at least 500,000 routers and network-attached storage (NAS) devices and Ukraine appears to be its main target.

Even after U.S. authorities disrupted VPNFilter by seizing one of its command and control (C&C) domains, researchers reported that the threat had continued to target devices in Ukraine.

The fact that Ukraine has attributed the VPNFilter attack to Russia is not surprising. Even the United States government has linked the operation to some cyber-espionage groups believed to be sponsored by the Kremlin.

The VPNFilter botnet, whose existence was brought to light in May, targets more than 50 types of routers and NAS devices from Linksys, MikroTik, Netgear, TP-Link, QNAP, ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.

The malware can intercept data passing through the compromised device, it can monitor the network for communications over the Modbus SCADA protocol, and also has destructive capabilities that can be leveraged to make an infected device unusable.

This is not the first time an attack that targets Ukraine has been blamed on Russia. Moscow has also been accused of launching the NotPetya attack and campaigns aimed at Ukraine’s power grid.

Related: Group That Caused Power Outage Stops Focusing Exclusively on Ukraine

Related: Ukraine Accuses Russia of Cyber Attack on Kiev Airport

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.