VPNFilter Attack Hits Chlorine Plant in Ukraine

Ukraine’s internal security agency, the SBU, reports blocking a VPNFilter attack against a plant that produces liquid chlorine used for treating the water supply in the country.

The SBU has not provided technical details about the attack, but said that it targeted the networking equipment of the “Aul Chlorotransfer Station” in the Dnipropetrovsk region, which is part of the country’s critical infrastructure.

What’s clear is that the cyberattack involved VPNFilter, a sophisticated modular malware program that infects routers and which the SBU attributes to the Russian Federation. The attack lasted a few minutes before being blocked and affected the station’s systems for controlling technological processes and for detecting emergency situations.

The continuation of the cyberattack could have led to a breakdown of technological processes and a possible crash, the SBU said in a press release, written in Ukrainian.

While VPNFilter is a global threat that infected more than 500,000 devices worldwide, the security companies that analyzed it noted its increased focus on Ukraine over the past few months. In fact, Cisco Systems’ Talos team decided to publish its findings on VPNFilter back in May because it suspected the malware’s activity in Ukraine might signal an imminent disruptive attack.

One thing that sets VPNFilter apart from other IoT and router malware is a component that specifically sniffs Modbus traffic. This is a protocol that’s commonly used by SCADA systems, suggesting that VPNFilter’s operators are interested in industrial control systems, such as the ones the Ukrainian chlorine station probably uses.

The U.S. Department of Justice (DoJ) attributed VPNFilter to Sofacy, a Russian cyberespionage group also known as APT28, Sandworm, X-agent, Pawn Storm, Fancy Bear and Sednit.

On Friday, the DoJ indicted 12 officers of the Russian military intelligence agency, the GRU, for their involvement in the cyberattacks against the U.S. Democratic Party and subsequent interference in the 2016 U.S. presidential elections. The indictment links the X-Agent malware, the main tool of APT28, to the GRU.

Travel, Online Gambling Industries Targeted During FIFA World Cup

Gambling and travel companies have seen huge spikes in online transaction volumes before and during the FIFA World Cup, which were accompanied by significant rises in attack and fraud rates.

“We are seeing elevated attack rates coming among transactions originating from Russia, meaning fraudsters in the country are deliberately targeting this industry,” digital identity intelligence and risk assessment company ThreatMetrix said in a new report. “The key attack vector is identity spoofing, as fraudsters look to use stolen and synthesized identity credentials to open up fraudulent new accounts, make fraudulent payments and take over existing accounts, which often store personal and credit card information.”

For example, one global travel agency has seen a 20 percent growth in online transaction volumes since April, but also a 46 percent growth in attack rates, including a 52 percent rise in identity spoofing.

“Fraudsters are essentially opportunists – however in today’s world they are sophisticated opportunists operating global cybercrime rings to deliver well-organised and thought-out attacks on areas that they see to be at higher-than-average risk,” ThreatMetrix said. “Regarding the World Cup, those top targets seem to be online betting and travel industries.”

Events that attract huge global interest such as the Olympics or the FIFA World Cup are usually accompanied by a large number of attacks, some of which target the hosting country. In the wake of the World Cup, which ended Sunday, Russian President Vladimir Putin said that during the event the country fended off close to 25 million cyberattacks that targeted its information infrastructure, Politico reported.


Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
