1. Skip to content
  2. Skip to main menu
  3. Skip to more DW sites
Crime

FBI thwarts potential cyberattack on Ukraine

May 24, 2018

US investigators and cybersecurity experts have disrupted a potential cyberattack focused on Ukraine before it could happen, according to court documents. But users are still not safe from VPNFiter's effects quite yet.

A computer screen covered in green 1s and 0s
Image: picture alliance/dpa/O. Berg

Authorities in the United States said they broke up a potential digital attack called VPNFilter that affected half a million internet routers and could have caused widespread havoc in Ukraine.

The US Justice Department said this was the most recent attack programmed by the Sofacy Group, the Russian hackers — also known as Fancy Bear — are suspected of being behind cyberattacks on several governments, international agencies and infrastructure providers.

Most affected devices in Ukraine

  • The largest number of infections was in Ukraine but affected routers in 54 countries, according to technology company Cisco Systems and antivirus company Symantec, which cooperated with the FBI during the operation.
  • The FBI seized the domain toknowall.com and directed all traffic to it to a server configured by investigators, court documents said.
  • Hackers could have rendered the routers unusable, which would have left hundreds of thousands of people without internet access.

Read more: New EU cyber strategy aims to cut crime and raise resilience

The VPNFilter attack could have put hundreds of thousands of people offline

'A variety of malicious purposes'

The Justice Department said the malware "could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities."

While investigators said the hackers' motives remain unclear, Ukraine's SBU state security service said the potential cyberattack showed Russia was readying a large-scale disruption of a "large-scale event" in Ukraine, such as the Champions League soccer final, due to be held in Kyiv on Saturday, or upcoming Constitution Day celebrations in late June.

Moscow denied having a role in developing the hack. "Russia has not been planning a hacker attack using routers," Kremlin spokesman Dmitry Peskov said.

Read more: Why it's 'hard to protect yourself' online

What is Fancy Bear? Known by several names, including PT28, Pawn Storm, Sandworm, Sednit and the Sofacy Group, the hackers are blamed for engineering attacks on the Organization for Security and Cooperation in Europe, the World Anti-Doping Agency, the US Democratic Party as well as several internet disruptions in Ukraine. US intelligence and other computer security groups have linked the group to Russia's GRU military intelligence agency.

What could the cyberattack have done? Hackers would have been able to take over home and office internet routers to create a botnet to intercept and reroute internet traffic without users knowing they were affected.

Why conduct a cyberattack against Ukraine? Kyiv and Moscow-backed rebels have been engaged in a years-long conflict in eastern Ukraine that has repeatedly featured cyberoffensives. The NotPetya worm last year crippled critical systems, including hospitals, across the country and caused hundreds of millions of dollars in collateral damage around the globe.

How did the FBI stop the attack? Authorities took control of an internet domain the attackers were using to direct infected devices to prevent hackers from issuing commands to the routers, reported to be produced by Linksys, MikroTik, Netgear Inc, TP-Link and QNAP network storage devices.

Should I worry about my router? The FBI and cybersecurity firms released details of the potential hack before having a solid solution to fix it. Device manufacturers have recommended users ensure their devices are patched with the latest firmware versions.

DW editors send out a selection of the day's hard news and quality feature journalism. You can sign up to receive it directly here.

sms/kms (AP, AFP, Reuters)

Skip next section Explore more
Skip next section DW's Top Story

DW's Top Story

Skip next section More stories from DW