Ukraine's SBU Security Service said it thwarted a VPNFilter malware attack on a chlorine distillation plant in the village of Aulska in the Dnipropetrovsk region. The Security Service said the attack aimed to disrupt operations and accused Russia of operating the infamous malware and launching the attack.
It added the Kremlin-sponsored attackers targeted "critical infrastructure" that sanitizes clear water and could have resulted in a "man-made disaster", if successful.
"The continuation of the cyberattack could have led to a breakdown of technological processes and possible crash," the SBU said in a press release. The agency did not provide any specific details about the malware itself, how the attack was carried out or when it was discovered.
The infamous VPNFilter
VPNFilter is a modular threat that was first detected by Cisco Talos researchers in May who warned that Russia-linked hackers had infected more than 500,000 consumer grade routers in 54 countries with the malware. Affected devices included Linksys, MikroTik, Netgear, TP-Link networking equipment and QNAP network-attached storage (NAS) devices. It was later discovered that devices manufactured by Asus, Huawi, D-Link, ZTE, Ubiquiti and Upvel were also vulnerability.
The multi-stage malware is capable of data exfiltration, intercepting all traffic through the device destined for port 80 to inject malicious payloads and comes with a device destruction module. It can also survive reboots, opt to remove all traces of itself, delete all files on the infected system and even render a device unusable.
Researchers have linked VPNFilter to the advanced threat group Sofacy, also known as Fancy Bear, APT28 and Tsar Team. They also noted that the 500,000-strong VPNFilter botnet was likely to be used in a massive attack targeting Ukraine before its C2 server was taken down by the FBI.
However, the threat actors soon began building another just weeks later, renewing its focus on Ukrainian network routers.