FBI seeks to prevent cyber-attack on Ukraine

May 26, 2018


The FBI has seized a website that was being used to communicate with home routers infected with malware that would carry out the attack.

Over 500,000 routers in 54 countries had been infected by the “risky” malware, and the FBI is now attempting to clean up the infected machines.

The Kremlin has rejected an accusation by Ukraine that Russia was planning a cyber-attack on the country.

Kill command

A key step in preventing the attack came on 23 May, when a US court ordered domain registry operator Verisign to transfer control of the ToKnowAll.com domain to the FBI.

Infected machines regularly contacted that domain to fetch updates to the malware they were running.

By taking control of the domain, the FBI will be able to log the location of infected machines and coordinate efforts to clean them up.
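The seized domain is useful to defenders as well as to the FBI: once ToKnowAll.com is under FBI control, any host on a home or office network that still looks it up is a candidate infection worth checking. The script below is an added example, not part of the original article or of any tool it mentions. It scans dnsmasq-style resolver log lines (the log format and the sample lines are constructed for this example) and reports which internal clients queried the sinkholed domain or any of its subdomains.

```python
import re
from collections import defaultdict

# Domain the article reports was transferred to the FBI on 23 May 2018.
# After the seizure, a lookup of it from inside the LAN is an indicator that
# a device is still running the malware and trying to fetch its update.
WATCHED_DOMAINS = ("toknowall.com",)

# dnsmasq-style "query[TYPE] name from client" line.  The exact log format is
# an assumption for this example; adapt the regex to your resolver's logs.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}).*?"
    r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<qname>\S+)\s+from\s+(?P<client>\S+)"
)


def matches_watchlist(qname, watched=WATCHED_DOMAINS):
    """True if qname is a watched domain or a subdomain of one.

    Normalises case and a trailing dot, and requires a label boundary so
    that e.g. 'nottoknowall.com' is not reported as a match."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in watched)


def find_sinkhole_lookups(lines, watched=WATCHED_DOMAINS):
    """Return one record per query line that resolved a watched domain."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # replies, cache entries and other non-query lines
        if matches_watchlist(m.group("qname"), watched):
            hits.append({
                "ts": m.group("ts"),
                "client": m.group("client"),
                "qname": m.group("qname"),
                "qtype": m.group("qtype"),
            })
    return hits


def clients_to_check(hits):
    """Collapse hits to {client_ip: lookup_count} for a triage list."""
    per_client = defaultdict(int)
    for h in hits:
        per_client[h["client"]] += 1
    return dict(per_client)


# Constructed sample log; the addresses and timestamps are made up.
SAMPLE_LOG = [
    "May 24 03:11:02 dnsmasq[1234]: query[A] toknowall.com from 192.168.1.23",
    "May 24 03:11:02 dnsmasq[1234]: reply toknowall.com is 203.0.113.5",
    "May 24 03:15:40 dnsmasq[1234]: query[AAAA] www.example.com from 192.168.1.40",
    "May 24 04:02:17 dnsmasq[1234]: query[A] ToKnowAll.com. from 192.168.1.23",
    "May 24 04:30:00 dnsmasq[1234]: query[A] update.toknowall.com from 192.168.1.77",
    "May 24 05:00:00 dnsmasq[1234]: query[A] nottoknowall.com from 192.168.1.9",
]

if __name__ == "__main__":
    found = find_sinkhole_lookups(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']}  {h['client']:<15} {h['qtype']:<5} {h['qname']}")
    print("clients to inspect:", clients_to_check(found))
```

A match only tells you that a device asked for the domain, not what answer it got; since the FBI now controls the name, the resolved address is the sinkhole rather than live attacker infrastructure. The client list is the starting point for the clean-up the article describes: identify the router or device behind each address, factory-reset it, and update its firmware.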

A state-sponsored group known as Sofacy/Fancy Bear has been identified as both developing the malware and organising the attack.

John Demers, assistant attorney general for national security, said in a statement: “This job is the first step in the interruption of a botnet that presents the Sofacy actors with a range of capabilities that might be used for a range of hateful intentions.”

Details of the operation were shared by Cisco’s Talos security team, which said it had been tracking the “radical, state-sponsored” attack for months. In a blog post, it said the malware, which it named VPNFilter, used several sophisticated techniques to compromise routers.

In particular, it said, the malicious software had been written to survive even when infected devices were turned off and on again. Previously, infected devices have only needed a reboot to remove malicious code.

Cisco added that the malware contained a “kill” command that would render devices unusable if it were used.

Altogether, 14 models of home router made by Linksys, Mikrotik, Netgear, and Qnap were targeted by the malware. Cisco said it had seen extensive scans looking for routers with known vulnerabilities that the malware could exploit.

Cleaning out the infection involves restoring devices to their original factory settings. Users are also being advised to update the firmware on their router to remove the vulnerabilities exploited by the malware.

Cisco said it went public with the information it had gathered because earlier this month it saw an abrupt rise in scanning, with a specific focus on home routers in Ukraine. The VPNFilter code shares some similarities with the BlackEnergy malware used in attacks on Ukraine’s power grid.