TORONTO/KIEV (Reuters) – Hackers have infected at least 500,000 routers and storage devices in dozens of countries, some of the world’s biggest cyber security firms warned on Wednesday, in a campaign that Ukraine said was preparation for a future Russian cyber attack.
The U.S. Department of Homeland Security said it was investigating the malware, which targets devices from Linksys, MikroTik, Netgear Inc, TP-Link and QNAP, advising users to install security updates.
Ukraine’s SBU state security service said the activity showed Russia was readying a large-scale cyber attack ahead of the Champions League soccer final, due to be held in Kiev on Saturday.
“Security Service experts believe the infection of hardware on the territory of Ukraine is preparation for another act of cyber-aggression by the Russian Federation aimed at destabilising the situation during the Champions League final,” it said in a statement.
Cisco Systems Inc, which has been investigating the threat for several months, has high confidence that the Russian government is behind the campaign, according to Cisco researcher Craig Williams. He cited the overlap of hacking code with malware used in previous cyber attacks that the U.S. government have attributed to Moscow.
Cisco, which uncovered the campaign several months ago, alerted authorities in Ukraine and the United States before going public with its findings about the malware it dubbed VPNFilter.
It also shared technical details with rivals who sell security software, hardware and services so they could issue alerts to their customers and protect against the threat.
Cisco described the mechanisms that the malware uses to hide communications with hackers and a module that targets industrial networks like ones that operate electric grids, said Michael Daniel, chief executive officer of Cyber Threat Alliance, a nonprofit group.
“We should be taking this pretty seriously,” said Daniel, whose group’s 17 members include Cisco, Check Point Software Technologies Ltd, Palo Alto Networks Inc and Symantec Corp.
Cyber security firms, governments and corporate security teams closely monitor events in Ukraine, where some of the world’s most costly and destructive cyber attacks have been launched.
They include the first documented cases where hacks have caused power outages and the June 2017 NotPetya cyber attack that quickly spread around the world, causing network outages that lasted weeks at some companies. Victims included Beiersdorf AG, FedEx Corp, Merck & Co Inc, Mondelez International Inc and Reckitt Benckiser Group Plc.
Cisco said it does not know what the hackers have planned. The malware could be used for espionage, to interfere with internet communications or launch a destructive attack like NotPetya, according to Williams.
The Kremlin did not immediately respond to a request for comment. Russia has denied assertions by nations including Ukraine and Western cyber-security firms that it is behind a massive global hacking program that has included attempts to harm Ukraine’s economy and interfering in the 2016 U.S. presidential election.
VPNFilter has infected devices in at least 54 countries, but by far the largest number is in Ukraine, according to Cisco.
Netgear representative Nathan Papadopulos said the company was looking into the matter. He advised customers to make sure their routers are patched with the latest version of its firmware, disable remote management and make sure they have changed default passwords shipped with the device.
A Linksys spokeswoman had no immediate comment. MikroTik, TP-Link and QNAP could not be reached.
(Reporting by Jim Finkle in Toron to and Pavel Polityuk in Live; Writing by Jim Finkle and Jack Stubbs; Editing by Mark Heinrich and Jeffrey Benkoe)