LONDON — The FBI has put a spoke in the wheel of a major Russian digital disruption operation potentially aimed at causing havoc in Ukraine, evidence pieced together from researchers, Ukrainian officials and U.S. court documents indicates.
On Wednesday, network technology company Cisco Systems and antivirus company Symantec warnedthat a half-million internet-connected routers had been compromised in a possible effort to lay the groundwork for a cyber-sabotage operation against targets in Ukraine.
Court documents simultaneously unsealed in Pittsburgh show the FBI has seized a key website communicating with the massive army of hijacked devices, disrupting what could have been — and might still be — an ambitious cyberattack by the Russian government-aligned hacking group widely known as Fancy Bear.
"I hope it catches the actors off guard and leads to the downfall of their network," said Craig Williams, the director of outreach for Talos, the digital threat intelligence unit of Cisco that cooperated with the bureau. But he warned that the hackers could still regain control of the infected routers if they possessed their addresses and the right resources to re-establish command and control.
FBI Assistant Director Scott Smith said the agency "has taken a critical step in minimizing the impact of the malware attack. While this is an important first step, the FBI's work is not done."
Much about the hackers' motives remains open to conjecture. Cisco said the malicious software, which it and Symantec both dubbed VPNFilter after a folder it creates, was sitting on more than 500,000 routers in 54 countries but mostly in Ukraine, and had the capacity to render them unusable — a massively disruptive move if carried out at such a scale.
"It could be a significant threat to users around the world," said Williams.
The U.S. Justice Department said the malware "could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities."
Ukraine's cyberpolice said in a statement that it was possible the hackers planned to strike during "large-scale events," an apparent reference either to the upcoming Champions League game between Real Madrid and Liverpool in the capital, Kiev, on Saturday or to Ukraine's upcoming Constitution Day celebrations.
Ukraine has been locked in a years-long struggle with Russia-backed separatists in the country's east and has repeatedly been hit by cyberattacks of escalating severity. Last year witnessed the eruption of the NotPetya worm, which crippled critical systems, including hospitals , across the country and dealt hundreds of millions of dollars in collateral damage around the globe. Ukraine, the United States and Britain have blamed the attack on Moscow — a charge the Kremlin has denied.
Cisco and Symantec both steered clear of attributing the VPNFilter malware to any particular actor, but an FBI affidavit explicitly attributed it to Fancy Bear, the same group that hacked into the Democratic National Committee in 2016 and has been linked to a long series of digital intrusions stretching back more than a decade. The U.S. intelligence community assesses that Fancy Bear acts on behalf of Russia's military intelligence service.
An FBI affidavit — whose existence was first reported by The Daily Beast — said the hackers used lines of code hidden in the metadata of online photo albums to communicate with their network of seeded routers. If the photo albums disappeared, the hackers turned to a fallback website — the same site whose seizure the FBI ordered Tuesday.
An email sent to the website's registered owner was returned as undeliverable.
When asked why the FBI specifically named Fancy Bear where Cisco did not, Williams noted that while attribution was extremely tricky based on malware analysis alone, "if you combine that knowledge with a traditional intelligence apparatus interesting things can come to light."
In any case, he said, "we have a high degree of confidence that the actor behind this is acting against the Ukraine's best interest."
Cisco said in a research note that the malware affected devices geared for small and home offices from manufacturers including Netgear, TP-Link and Linksys and had the potential to disable "internet access for hundreds of thousands of victims worldwide or in a focused region."
The malware's principal capabilities, the company said, included stealthy intelligence-collecting, monitoring industrial-control software and, if triggered, "bricking" or disabling routers. It also persists on the infected routers after they are rebooted.