According to the Interfax-Ukraine media outlet, the VPNFilter hit the LLC Aulska station in Auly (Dnipropetrovsk region), according to the experts the malware aimed at disrupting operations at the chlorine station.
“Specialists of the cyber security service established minutes after [the incident] that the enterprise’s process control system and system for detecting signs of emergencies had deliberately been infected by the VPNFilter computer virus originating from Russia. The continuation of the cyber attack could have led to a breakdown in technological processes and a possible accident,” the SBU said on its Facebook page on Wednesday.
VPNFilter is a multi-stage, modular strain of malware that has a wide range of capabilities for both cyber espionage and sabotage purpose.
According to the experts at Fortinet that analyzed the malware, VPNFilter operates in the following three stages:
The main concerns are for a self-destruct mode that could cause severe damages across all infected devices simultaneously, a feature that could potentially result in widespread Internet outage over a targeted geographic region.
Technical analysis of the code revealed many similarities with another nation-state malware, the BlackEnergy malware that was specifically designed to target ISC-SCADA systems and attributed to Russian threat actors.
Another similarity is the geographic distribution of the infections, both BlackEnergy and VPNFilter infected a large number of devices in Ukraine.
According to the experts, many infected devices have been discovered in Ukraine, and their number in the country continues to increase. On May 8, Talos researchers observed a spike in VPNFilter infection activity, most infections in Ukraine and the majority of compromised devices contacted a separate stage 2 C2 infrastructure at the IP 46.151.209[.]33.
The experts discovered the VPNFilter malware had infected devices manufactured by Linksys, MikroTik, Netgear, QNAP, and TP-Link.
At the time of first discovery, the US Justice Department seized a domain used as part of the command and control infrastructure, its press release explicitly referred the Russian APT groups (APT28, Pawn Storm, Sandworm, Fancy Bear and the Sofacy Group) as the operators behind the huge botnet,
“The Justice Department today announced an effort to disrupt a global botnet of hundreds of thousands of infected home and office (SOHO) routers and other networked devices under the control of a group of actors known as the “Sofacy Group” (also known as “apt28,” “sandworm,” “x-agent,” “pawn storm,” “fancy bear” and “sednit”),” reads the press release published by the DoJ.
“The SBU said its agents together with a telecoms provider and workers of the station managed to prevent a potential man-made disaster, adding Russia special forces were behind cyber attacks with the same virus on the public and private sectors in May 2018.” concluded the Interfax-Ukraine.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.