RESEARCH TRIANGLE PARK – Tech giant Cisco says that hundreds of thousands of routers have been compromised in preparation for what could be a major cyberattack against Ukraine.

A Cisco graphic describes the latest cyber threat.

According to Reuters. Cisco’s Talos cyber intelligence unit “has high confidence that the Russian government is behind the campaign, dubbed VPNFilter, because the hacking software shares code with malware used in previous cyber attacks that the U.S. government has attributed to Moscow.”

Ukraine’s Cyberpolice says in a statement that it was possible the hackers planned to strike during “large-scale events,” an apparent reference to the country’s upcoming Constitution Day celebrations or the Champions League final in Kiev on Saturday.

Ukraine has been locked in years-long struggle with Russia-backed separatists in the country’s east and has repeatedly been hit by cyberattacks of escalating severity.

Reuters noted that in 2017 the so-called NotPetya worm “crippled critical systems, including hospitals , across the country.”

‘Don’t have all the answers’

“For several months, Talos has been working with public- and private-sector threat intelligence partners and law enforcement in researching an advanced, likely state-sponsored or state-affiliated actor’s widespread use of a sophisticated modular malware system we call ‘VPNFilter,’ Cisco said in a blog post.

“We have not completed our research, but recent events have convinced us that the correct way forward is to now share our findings so that affected parties can take the appropriate action to defend themselves.

“In particular, the code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine. While this isn’t definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country.

“Weighing these factors together, we felt it was best to publish our findings so far prior to completing our research. Publishing early means that we don’t yet have all the answers — we may not even have all the questions — so this blog represents our findings as of today, and we will update our findings as we continue our investigation.”

Cisco estimates that there are “at least 500,000 [infected devices] in at least 54 countries.”

Affected devices

Known affected devices include:


  • MikroTik
  • TP-Link networking equipment in the small and home office (SOHO) space
  • QNAP network-attached storage (NAS) devices.

“The type of devices targeted by this actor are difficult to defend.,” Cisco added.

“They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package.

“We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward. All of this has contributed to the quiet growth of this threat since at least 2016.”

Read the full blogpost online

Cisco operates one of its largest corporate campuses in RTP.