
Ukraine accuses Russia of VPNFilter attack targeting chlorine distillation station

Ukraine is claiming to have stopped a VPNFilter attack which targeted a chlorine distillation station last week.

The malware, which the FBI attributes to the Russian cybergang APT28, is designed to detect a "sensitive" target and warn its operators, who can then use it to pivot inside the infected organization and launch further attacks.

The Ukrainian Secret Service (SBU) said the goal of the attack was to disrupt the stable operation of the station, which supplies liquid chlorine used to treat water for water-supply and sewerage utilities throughout the territory of Ukraine, according to a July 11 press release accusing Russia of operating the malware and launching the attack.

"The continuation of the cyberattack could have led to a breakdown of technological processes and possible crash," the SBU said in the release.

Bleeping Computer researchers described the malware as one that targets a large number of router models, and as a modular threat that can survive router reboots and can monitor and intercept router traffic to look for signs of traffic meant for Modbus-based industrial SCADA equipment, according to a July 12 blog post which detailed the attack.

Ukraine has been under a barrage of cyberattacks, all of which are suspected to have originated in Russia, since 2014 when Russia annexed Crimea.

Since then Ukraine has fallen victim to the BlackEnergy attacks against its power grid in 2015 and 2016, and the NotPetya and Bad Rabbit ransomware attacks in 2017.

Researchers said the malware most likely infected the chlorine distillation station's networking equipment, and that it is unclear whether the VPNFilter infection at the Aulska chlorine station was an intentional attack or an accidental infection.

The plant's chlorine is used across Ukraine for drinking water and sewage treatment, and because it is the country's only chlorine distillation station, a shutdown would cause the kind of damage previous attacks against the country have sought to inflict. That would make it a prime target if the infection was indeed intentional, researchers said.

Bleeping Computer also noted that the malware spreads indiscriminately by scanning the entire IPv4 address space, and that it most likely landed on the plant's network by chance, because its routers were running vulnerable firmware.

Despite Ukraine's claims, there is no evidence suggesting this was a malicious and orchestrated attack, the researchers added.
