The Security Service of Ukraine (SBU) revealed this week that the VPNFilter malware, which it attributed to Russian intelligence agencies, had targeted a critical infrastructure organization.
According to the SBU, the malware was detected on the systems of the Aulska chlorine station in Auly, Dnipropetrovsk. The organization is part of the country’s critical infrastructure as it supplies chlorine to water treatment and sewage plants across Ukraine.
The malware reportedly targeted technological processes and safety systems, but the security agency said it quickly detected and blocked the attempt. The SBU said the attack could have resulted in technological process disruptions or a crash of the affected systems, which could have led to a “disaster.” The agency believes the attackers’ goal was to disrupt operations at the facility.
While the SBU’s statement suggests that this attack was specifically aimed at the chlorine station, it’s also possible that the organization was an opportunistic target. VPNFilter at one point had ensnared at least 500,000 routers and network-attached storage (NAS) devices and Ukraine appears to be its main target.
The fact that Ukraine has attributed the VPNFilter attack to Russia is not surprising. Even the United States government has linked the operation to some cyber-espionage groups believed to be sponsored by the Kremlin.
The VPNFilter botnet, whose existence was brought to light in May, targets more than 50 types of routers and NAS devices from Linksys, MikroTik, Netgear, TP-Link, QNAP, ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.
The malware can intercept data passing through the compromised device, it can monitor the network for communications over the Modbus SCADA protocol, and also has destructive capabilities that can be leveraged to make an infected device unusable.