Posted by Taylor Armerding on Friday, July 20th, 2018
Ukraine had been warned. So it was prepared.
And the result, according to the government’s intelligence branch, the Security Service of Ukraine (SBU), is that it was able to detect and thwart a cyber attack that used the now notorious VPNFilter malware against the Auly Chlorine Distillation Station, which supplies chlorine to 23 provinces of Ukraine, as well as Moldova and Belarus.
In a report on the incident, the SBU flatly blamed Russia: “Intelligence services specialists in the field of cyber security established that, over the course of several minutes, the company’s technological process control systems and the systems for detecting signs of emergencies were being attacked by the VPN Filter computer virus from Russia,” it said.
And if the attack had been successful and taken down the functioning of the station, which provides liquid chlorine used to clean water supply and sewerage enterprises throughout the country, it could have had, as the report put it, “possible catastrophic consequences.”
But in this case, the SBU had several weeks of warning. Ukraine’s cyber police chief, Serhiy Demedyuk, told Reuters late last month that Russian hackers were infecting Ukrainian companies with malicious software to create “back doors” in preparation for a large, coordinated attack. Among the targets, he said, were banks and infrastructure firms.
Russian officials, of course, denied everything.
By now, Ukraine cyber officials must be used to being a target. BlackEnergy, the Trojan blamed on a Russian spy group called Sandworm, famously caused a six-hour shutdown of electricity for about 230,000 people in a section of Ukraine in December 2015.
And the NotPetya virus took down a number of government agencies and businesses in June 2017, before spreading to corporate networks around the world.
Amid the good news from Ukraine, however, are a couple of still-ominous realities about VPNFilter and other pernicious and tenacious types of malware.
First is that it is still a threat, even though it seemed it had been mostly neutralized months ago.
It generated major headlines in May when researchers at Cisco Talos, calling it “a sophisticated modular malware system,” said VPNFilter had already compromised about 500,000 home and small business routers in 54 countries.
The malware has multiple capabilities: It can eavesdrop on the victim’s internet traffic to steal credentials; it can target a protocol used in industrial control systems (ICS), such as the Ukrainian chlorine station; and it can “brick” the routers, rendering them useless.
But around the same time came word that the FBI had obtained a court order directing the registration firm Verisign to turn over to the agency the address of a server called ToKnowAll.com that was key to the operation of the router botnet.
A weakness in VPNFilter is that if a victim reboots an infected router, the core malware code survives, but the malicious plugins disappear.
When the router is rebooted, if the code couldn’t connect to a standard command-and-control site, it would then try to connect with ToKnowAll. And when the FBI took control of that domain, that was expected to neutralize the threat to anyone who rebooted.
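As an added defender-side example that is not part of the original post, the Python below scans DNS query logs for lookups of the sinkholed ToKnowAll.com domain, which after the seizure is a sign that a rebooted device is still carrying the core VPNFilter code and looking for its plugins. The dnsmasq-style log format, the sample lines and the IP addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# The fallback domain the FBI took control of; a query to it is the indicator
# this example looks for (the page names only this one domain).
SINKHOLED_DOMAINS = {"toknowall.com"}

# Constructed sample lines in dnsmasq "query[A] <name> from <client-ip>" style.
SAMPLE_DNS_LOG = """\
Jul 18 09:12:01 gw dnsmasq[231]: query[A] www.example.com from 192.168.1.20
Jul 18 09:12:07 gw dnsmasq[231]: query[A] ToKnowAll.com from 192.168.1.1
Jul 18 09:12:09 gw dnsmasq[231]: query[A] cdn.example.net from 192.168.1.33
Jul 18 09:13:40 gw dnsmasq[231]: query[A] toknowall.com. from 192.168.1.1
Jul 18 09:15:02 gw dnsmasq[231]: query[AAAA] toknowall.com from 10.0.0.7
"""

QUERY_RE = re.compile(r"query\[\w+\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")


def is_sinkholed(name):
    """True if name is a sinkholed domain or a subdomain of one (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in SINKHOLED_DOMAINS)


def find_sinkhole_lookups(log_text):
    """Return {client_ip: [queried_name, ...]} for every query of a sinkholed domain.
    Repeated hits from one client after a reboot mean the surviving core code
    keeps trying its fallback, so that device is the one to isolate and rebuild."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_sinkholed(m.group("name")):
            hits[m.group("src")].append(m.group("name").lower().rstrip("."))
    return dict(hits)


if __name__ == "__main__":
    for src, names in sorted(find_sinkhole_lookups(SAMPLE_DNS_LOG).items()):
        print(f"{src}: {len(names)} lookup(s) of {sorted(set(names))}")
```

The same matcher can be pointed at resolver or firewall logs from the perimeter, where queries from the router's own address (rather than a client behind it) are the ones that matter.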
In early June, a few weeks after its initial announcement in May, Cisco Talos published an update saying VPNFilter could “target more makes/models of devices than initially thought, and has additional capabilities, including the ability to deliver exploits to endpoints.”
The vulnerable routers it listed at the time included Asus, D-Link, Huawei, Linksys, MikroTik, Netgear, QNAP, TP-Link, Ubiquiti, Upvel, and ZTE.
And now, little more than a month later, came an attack that could have taken down a part of Ukraine’s critical infrastructure had it not been anticipated, detected, and destroyed.
Clearly, organizations should be aware that VPNFilter remains a threat.
The other reality is that while VPNFilter tends to infect so-called consumer-grade routers, which are notoriously insecure and usually used in homes, there are obviously ways for malware to take advantage of them to get access to something presumably much more secure, like critical infrastructure.
The SBU wasn’t giving details about how VPNFilter was able to attack the control systems of the Auly station, but it’s possible that some employees, using consumer-grade routers at home, had remote access to the facility.
That should prompt operators of critical infrastructure in any country to eliminate remote access, especially where workers are relying on consumer-grade routers.
Short of getting rid of those routers entirely (which some experts have recommended), users should at least implement basic security hygiene: Make sure the latest antivirus software is running on endpoints, install updates and security patches as soon as they are available, and use two-factor authentication on every account that supports it.