LONDON — Network technology company Cisco Systems said Wednesday that half a million routers had been compromised in preparation for what could be a major cyberattack against Ukraine, raising the specter of large-scale disruption timed to the upcoming Champions League soccer final there.
The announcement leaves federal cybersecurity officials in the United States scrambling.
Ukraine’s Cyberpolice said in a statement that it was possible the hackers planned to strike during “large-scale events,” an apparent reference either to the match between Real Madrid and Liverpool in the capital, Kiev, on Saturday or to the country’s upcoming Constitution Day celebrations.
What precisely was in the works remains unclear — Cisco said it published its findings early — but researchers said that at least 500,000 devices had been hijacked by malicious software they dubbed VPNFilter.
“The damage possible with that many infected machines is hard to precisely quantify,” said Craig Williams, the director of outreach for Talos, Cisco’s digital threat intelligence unit. “Suffice to say it could be a significant threat to users around the world.”
Ukraine has been locked in a years-long struggle with Russia-backed separatists in the country’s east and has repeatedly been hit by cyberattacks of escalating severity. Last year witnessed the eruption of the NotPetya worm, which crippled critical systems, including hospitals, across the country and dealt hundreds of millions of dollars in collateral damage around the globe. Ukraine, the United States and Britain have blamed the attack on Moscow — a charge the Kremlin has denied.
“The news out today from Cisco about a massive breach of routers and storage devices – including notable infections in Ukraine – shows that hackers are becoming increasingly sophisticated and are targeting global critical infrastructure and government systems,” George Kamis, chief technology officer for government markets for Forcepoint, said in an email to Fifth Domain. “Many of our nation’s mission-critical systems face a significant risk exposure as the threat landscape has changed and expanded, and this attack serves as one more reminder of the fragility of the systems at the core of our global and economic security.
“The need for a strong identity tie-in and multi-factor authentication for access is the baseline. As agencies evolve their security strategies, it becomes even more important to understand the behavior of the adversary in the operational portion of the network.”
Suspicion will almost certainly fall on the Kremlin for the latest hack, especially after Talos flagged overlaps between VPNFilter and BlackEnergy — a destructive form of malware which has also been linked to Russian actors.
But Williams said in an email that complete attribution was extremely difficult to determine, “especially in situations like this where false flags can be intentionally planted.”
Still, he said, “we have a high degree of confidence that the actor behind this is acting against the Ukraine’s best interest.”
Frank Bajak reported from Boston.