Cisco Systems Inc on Wednesday warned that hackers have infected at least 500,000 routers and storage devices in dozens of countries with highly sophisticated malicious software, possibly in preparation for another massive cyber attack on Ukraine.
Cisco’s Talos cyber intelligence unit said it has high confidence that the Russian government is behind the campaign, dubbed VPNFilter, because the hacking software shares code with malware used in previous cyber attacks that the U.S. government has attributed to Moscow.
Cisco said the malware could be used for espionage, to interfere with internet communications or launch destructive attacks on Ukraine, which has previously blamed Russia for massive hacks that took out parts of its energy grid and shuttered factories.
“With a network like this you could do anything,” Cisco researcher Craig Williams told Reuters.
The Russian government has vehemently denied assertions by Ukraine, the United States, other nations and western cyber-security firms that the Kremlin is behind a massive global hacking program, which has included attempts to harm Ukraine’s economy and interfering in the 2016 U.S. presidential election.
The warning about the malware – which includes a module that targets industrial networks like ones that operate the electric grid – will be amplified by alerts from members of the CyberThreat Alliance (CTA), a nonprofit group that promotes the fast exchange of data on new threats between rivals in the cyber security industry.
Members include Cisco, Check Point Software Technologies Ltd , Fortinet Inc Palo Alto Networks Inc, Sophos Group Plc and Symantec Corp.
“We should be taking this pretty seriously,” CTA Chief Executive Officer Michael Daniel said in an interview.
Cisco shared technical details on VPNFilter with the group on Monday during a secret video briefing describing what it has learned over the past few months analyzing the campaign.
While VPNFilter infects routers and internet-connected storage devices used in home offices and small offices, the army of compromised devices can be used to launch coordinated attacks on much larger targets, Williams said.
Although infected devices are scattered across at least 54 countries, Cisco determined the hackers are targeting Ukraine following a surge in infections in that country on May 8, Williams told Reuters.
Researchers decided to go public with what they know about the campaign because they feared the surge in Ukraine, which has the largest number of infections, meant Moscow is preparing to launch an attack there next month, possibly around the time the country celebrates Constitution Day on June 28, Williams said.
Some of the biggest cyber attacks on Ukraine have been launched on holidays or the days leading up to them.
They include the June 2017 “NotPetya” attack that disabled computer systems in Ukraine before spreading around the globe, as well as hacks on the nation’s power grid in 2015 and 2016 that hit shortly before Christmas.
VPNFilter gives hackers remote access to infected machines, which they can use for spying, launching attacks on other computers or downloading additional types of malware, Williams said.
Cisco has discovered about 500,000 infected devices, but believes the actual number may be much higher.
The researchers discovered one malware module that targets industrial computers, such as ones used in electric grids, other infrastructure and in factories. It infects and monitors network traffic, looking for login credentials that a hacker can use to seize control of industrial processes, Williams said.
The malware also includes an auto-destruct feature that hackers can use to delete the malware and other software on infected devices, making them inoperable, he said.
VPNFilter is named after a directory the malware creates to hide its files on an infected device.