Researchers at Cisco Talos discovered the malware and published their preliminary results before their investigation was complete to give users a better chance at protecting their interests from an attack they believed was sponsored or affiliated with a nation-state threat actor. It may even be able to destroy the infected devices with a single command.
A spokesperson for the National Cyber Security Centre said: "This research is a timely reminder for organisations and home users to get the basics right to help protect their systems against cyber threats".
Cisco's Talos cyber intelligence unit said it has high confidence that the Russian government is behind the campaign, dubbed VPNFilter, because the hacking software shares code with malware used in previous cyber attacks that the U.S. government has attributed to Moscow. In a blog post, it said the malware, which it dubbed VPNFilter, used several sophisticated methods to compromise routers.
Last year, there was a delayed reaction inside Ukraine to the NotPetya attack due to it being launched a day before a Ukrainian holiday.
The Russian Federation is also the main culprit for the cyber-attack that hit the opening ceremony of the 2018 Winter Olympic Games in South Korea with the "Olympic Destroyer" malware, after the International Olympic Committee had banned the country from the event.
Ukraine's SBU state security service said the activity showed the Russian Federation was readying a large-scale cyber attack ahead of the Champions League soccer final, due to be held in Kiev on Saturday. "Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries", Talos wrote.
Signs of this botnet's existence go back as far as 2016, but researchers say the botnet began intense scanning activity in recent months, growing to a huge size.
VPNFilter infections rose dramatically in Ukraine from May 8 onwards.
An FBI affidavit - whose existence was first reported by The Daily Beast - said the hackers used lines of code hidden in the metadata of online photo albums to communicate with their network of seeded routers. Because of the apparent focus on networking devices in Ukraine, it has been widely speculated that the Russian Federation is behind VPNFilter, with a possibility that there is intent to cause major disruption before the Champions League final, which is taking place in the Ukrainian capital of Kiev on Saturday.
Cisco experts aren't sounding the alarm on this malware strain for nothing.
Some 500,000 computers have been discovered to be infected with a new malware, dubbed VPNFilter, and those computers are believed to form a botnet meant to carry out a huge cyberattack very soon, probably against Ukraine, Cisco analyst Craig Williams told Reuters on Wednesday.
This Stage Two module's main role is to support a plugin architecture for the Stage Three plugins.
Cisco shared technical details on VPNFilter with the group on Monday during a secret video briefing describing what it has learned over the past few months analyzing the campaign.
But despite not having boot persistence, the Stage Two module is also the most dangerous, as it contains a self-destruct function that overwrites a critical portion of the device's firmware and reboots the device.
The stage 2 malware is downloaded from those servers (one of which has been seized by the FBI) and is capable of collecting files, exfiltrating data, managing the device and executing code on it.