The Ukrainian Secret Service is blaming Russian intelligence for an attack it thwarted that was launched upon a chlorine distillation plan in the Dnipropetrovsk region using VPNFilter malware.
Ukrainian officials said if the attack had succeeded it could have led to a breakdown of technological processes possibly leading to a crash. Reportedly, the plan was to block the sustainable functioning of the overflow station, which provides liquid chlorine that is used to clean water from water supply and sewerage enterprises throughout Ukraine.
If the attack had succeeded it could have caused a man-made disaster, the Ukrainian officials said.
In June there were reports that Russia was planning an attack against Ukraine.
In an interview with Reuters, cyber police chief Serhiy Demedyuk accused Russia of installing malicious backdoors on the systems of companies based in Ukraine, in preparation for a potential cyber offensive. Targets reportedly include banks and energy infrastructure firms. “Analysis of the malicious software that has already been identified and the targeting of attacks on Ukraine suggest that this is all being done for a specific day,” said Demedyuk, reportedly.
In May, researchers at Cisco Systems' Talos threat intelligence unit blamed Russian actors for infecting millions of routers and Network Attached Storage devices with VPNFilter, a malware that can spy on network traffic, exfiltrate data, and potentially brick systems and cut victims off from the internet. The surreptitious campaign especially focused on Ukrainian targets.
“Consumer routers show up in very unexpected places at times, but critical infrastructure is certainly the last place I'd expect to find them. Due to the lack of details provided by the Ukranian Secret Service, it is not possible to know which devices may have been compromised with VPNFilter malware and what they were being used for in this plant. It is possible that the infected systems were routers in the homes of employees who remotely access the facility or that the plant may have had some affected network storage devices,” said Craig Young, computer security researcher at Tripwire.