The US government said late on Wednesday that it would seek to wrestle hundreds of thousands of infected routers and storage devices from the control of hackers who security researchers warned were planning to use the “botnet” to attack Ukraine.
A federal judge in Pennsylvania gave the FBI permission to seize an internet domain that authorities charge a Russian hacking group known as Sofacy was using to control infected devices.
The order allows them to direct the devices to communicate with an FBI-controlled server, which will be used to query location to pass on to authorities around the globe who can remove malware from infected equipment.
“This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities,” Assistant Attorney General for National Security John Demers said in a statement.
The US government announced the takedown effort after Cisco Systems early on Wednesday released a report on the hacking campaign that it said targeted devices from Linksys, MikroTik, Netgear, TP-Link and QNAP.
Cisco said the largest number of infections from the VPN filter malware were in Ukraine, which led it to believe Russia was planning an attack on that country.
Cisco shared technical details with the United States and Ukraine governments as well as rivals who sell security software, hardware and services. Ukraine’s SBU state security service responded to the report by saying it showed Russia was readying a large-scale cyber attack ahead of the Champions League soccer final, due to be held in Kiev on Saturday.
Cybersecurity firms, governments and corporate security teams closely monitor events in Ukraine, where some of the world’s most costly and destructive cyberattacks have been launched. The Kremlin did not respond to a request for comment.
Russia has denied assertions by nations including Ukraine and Western cyber-security firms that it is behind a massive global hacking programme that has included attempts to harm Ukraine’s economy and interfering in the 2016 US presidential election.
Netgear and Linksys advised customers to make sure their routers are patched with the latest version of its firmware. MikroTik, TP-Link and QNAP could not be reached.