UPDATE: Radio Free Europe has come back to us with the correct link to the alert from the SSU. The story is in Ukrainian but does link VPNFilter and the Champions League final. We have amended the story where necessary.
More than 400 million people are expected to watch the UEFA Champions League final between Liverpool and Real Madrid tomorrow night. But according to several newspaper reports, it appears hackers were planning to use the event to launch a major cyber attack. That attack has now been averted after the FBI seized control of a command and control domain from the Sofacy group (more on that later).
However, there are a number of odd things about the Champions League story that didn't seem to make sense at first.
How did the Champions League story start?
The warnings started with an article on Radio Free Europe. It says: “Security Service experts believe the infection of hardware in Ukraine is preparation for another act of cyber-aggression by the Russian Federation aimed at destabilizing the situation during the Champions League final.” The article even has a link to what it claims is the SBU statement (now corrected).
The problem is that the link pointed to a story about corruption. Despite searches on the SSU/SBU website, the claimed statement could not be found.
[As mentioned above, the correct link has now been added to the RFEL story and can be found on the SSU website. Thank you to RFEL for contacting us]
The story was then picked up by Reuters and The Independent. The Independent carries the same quote as Radio Free Europe, while Reuters paraphrases it. Neither of these stories links to a statement from the SSU.
Another thing that all three stories have in common is that they link to an alert from Talos, a security company owned by Cisco. Talos published a blog post about the VPNFilter malware on Wednesday. However, at no point does the post or the Talos team give a date when they expect an attack, nor do they link it to the Champions League.
What is VPNFilter?
Talos has been working with other security vendors and law enforcement agencies around the world to investigate VPNFilter. It describes it as a sophisticated modular malware system that has infected over 500,000 devices in 54 countries. This makes it one of the largest sets of devices known to be under the control of a single malware group.
The devices infected are mainly routers from Linksys, MikroTik, NETGEAR and TP-Link. These are likely to be installed in small and home office (SOHO) locations. There is also evidence that QNAP network-attached storage (NAS) devices are infected. While Talos states: “No other vendors, including Cisco, have been observed as infected by VPNFilter”, it admits that research continues. One obstacle to a definite answer is that nobody, as yet, has identified the infection mechanism.
There are several stages to this malware. The first stage is persistent and cannot be removed by rebooting the device. This allows it to download stage two and other malware when it wants. There is also a diverse command and control (C&C) structure which adds resilience against action from law enforcement. The stage two malware can be removed through a reboot but is also capable of a self-destruct that renders devices unusable. There are also a number of stage three modules that plug into stage two, providing it with more features.
The main goal of the malware seems to be information gathering. This is not just data and security credentials from the network but also all traffic that passes through the device. Infected devices could also be used to attack other devices.
Enter the FBI
On Wednesday, the same day Talos published its report, the United States Department of Justice issued a press statement. It said that a joint action between the Justice Department and the FBI had seized a domain – “toknowall[.]com” – that was part of the VPNFilter command and control infrastructure. The goal is to intercept all calls from the stage one malware to the C&C servers.
The IP addresses of all devices making those calls will be passed to the Shadowserver Foundation. It will contact the owners of the devices to help them remove the malware. It will also work with foreign CERTs and Internet Service Providers (ISPs).
The Justice Department and FBI have advised anyone with a device from the named vendors to reboot it in order to remove the stage two malware and force stage one to contact the (now seized) C&C domain. They expect this to be effective in stopping reinfection with stage two malware and in preventing devices from being made unusable.
Whether this will be fully effective is unknown. The FBI has seized one domain, not all of them. Its actions may lead the owners of the VPNFilter malware to self-destruct all devices under their control. Alternatively, it may spark them into using remaining devices to launch an attack.
How did Champions League and VPNFilter get linked?
That’s an interesting question. The statement cited by two of the news organisations did not appear to exist on the SSU/SBU website. This could have been due to it being taken down. Alternatively, it could have been a problem with a mistranslation of the article to which Radio Free Europe points. Equally, it could have been part of a misinformation campaign started by the VPNFilter owners to play up their importance.
[After an email from RFEL our original analysis above is no longer correct and both this article and the one they published have been updated]
The timing of the Talos report and the FBI action are both linked to what has been happening with infection rates. In its report Talos states: “On May 8, we observed a sharp spike in VPNFilter infection activity. Almost all of the newly acquired victims were located in Ukraine. Also of note, a majority of Ukrainian infections shared a separate stage 2 C2 infrastructure from the rest of the world, on IP 46.151.209[.]33. By this point, we were aware of the code overlap between BlackEnergy and VPNFilter and that the timing of previous attacks in Ukraine suggested that an attack could be imminent.”
The report goes on to say there was an additional spike on May 17th.
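The two indicators this article names, the seized C&C domain toknowall[.]com (Justice Department statement) and the stage 2 C2 address 46.151.209[.]33 (Talos report), are enough for a network owner to check their own gateway logs for devices that may be infected. The script below is an added example written for this article, not code from Talos, the FBI or Shadowserver; it runs over constructed dnsmasq-style DNS query lines and iptables-style connection lines (the log formats and the private addresses are our assumptions, not data from the page) and reports which devices resolved the seized domain or connected to the stage 2 address.

```python
import re
import ipaddress
from collections import defaultdict

# Indicators named in the article (defanged there with [.]; written plainly here).
VPNFILTER_DOMAIN = "toknowall.com"       # C2 domain seized by the Justice Department / FBI
VPNFILTER_STAGE2_IP = "46.151.209.33"    # stage 2 C2 address Talos saw serving Ukrainian infections

# Constructed sample log lines (not real traffic): a dnsmasq-style query log
# and an iptables-style outbound connection log, as a SOHO gateway might produce.
SAMPLE_DNS_LOG = """\
May 24 21:03:11 gw dnsmasq[812]: query[A] toknowall.com from 192.168.1.1
May 24 21:03:12 gw dnsmasq[812]: query[A] www.example.org from 192.168.1.20
May 24 21:05:40 gw dnsmasq[812]: query[A] ntp.example.net from 192.168.1.1
May 24 21:06:02 gw dnsmasq[812]: query[A] TOKNOWALL.COM from 192.168.1.7
"""

SAMPLE_CONN_LOG = """\
May 24 21:07:15 gw kernel: FW-OUT SRC=192.168.1.7 DST=46.151.209.33 PROTO=TCP DPT=443
May 24 21:07:16 gw kernel: FW-OUT SRC=192.168.1.20 DST=93.184.216.34 PROTO=TCP DPT=443
May 24 21:08:01 gw kernel: FW-OUT SRC=192.168.1.9 DST=46.151.209.33 PROTO=TCP DPT=443
"""

DNS_RE = re.compile(r"query\[\w+\]\s+(?P<name>\S+)\s+from\s+(?P<src>[\d.]+)")
CONN_RE = re.compile(r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)")


def find_dns_hits(log_text, domain=VPNFILTER_DOMAIN):
    """Return {source_ip: [queried names]} for queries of the C2 domain or any subdomain of it.
    Names are lower-cased and stripped of a trailing dot so case tricks do not evade the match."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = DNS_RE.search(line)
        if not m:
            continue
        name = m.group("name").rstrip(".").lower()
        if name == domain or name.endswith("." + domain):
            hits[m.group("src")].append(name)
    return dict(hits)


def find_conn_hits(log_text, c2_ip=VPNFILTER_STAGE2_IP):
    """Return {source_ip: connection_count} for outbound connections to the stage 2 C2 address.
    Addresses are compared as ip_address objects, not strings, to avoid prefix false matches."""
    target = ipaddress.ip_address(c2_ip)
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m and ipaddress.ip_address(m.group("dst")) == target:
            hits[m.group("src")] += 1
    return dict(hits)


def triage(dns_log, conn_log):
    """Combine both log sources into a per-device verdict.
    Assumption (ours, not the article's): a device seen talking to the stage 2 address is
    treated as having stage 2 loaded, which the reboot advice is meant to clear; a device
    that only resolved the seized domain is treated as stage 1 beaconing to the sinkhole.
    Either way stage 1 survives a reboot, so the device stays on the watch list."""
    dns_hits = find_dns_hits(dns_log)
    conn_hits = find_conn_hits(conn_log)
    verdicts = {}
    for src in set(dns_hits) | set(conn_hits):
        if src in conn_hits:
            verdicts[src] = "stage2-c2-contact"
        else:
            verdicts[src] = "stage1-beacon-to-seized-domain"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_DNS_LOG, SAMPLE_CONN_LOG).items()):
        print(host, verdict)
```

A device that shows up here should be rebooted as the FBI advises and then watched for renewed contact with either indicator, since the persistent stage one is not removed by the reboot; the list of flagged addresses is also the information Shadowserver would be passing back to owners from the sinkholed domain's side.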
None of this points to an attempt to stop the Champions League final being watched or to use it as cover for an attack. That said, with so many people watching the final and the attention it will get from the press, any impact of an attack would be amplified. This might just have been enough to create a connection between VPNFilter and the Champions League final.
Jovi Umawing, Malware Intelligence Analyst at Malwarebytes, comments: “While Ukraine has been a key target of destabilising cyber-attacks for some time now, this particular infection is unlikely to cause issues with the Champions League final. The bigger concern is what people do to combat potential infection; restoring routers to factory settings may eliminate the malware, but it also opens the possibility of becoming vulnerable to older exploits. The best course of action at this point in time is to purchase new hardware if at all possible.”
What does this mean?
Attribution of attacks is always complex, but not as complex as trying to divine the goals of a malware campaign before it has started. Talos has been clear throughout its report that there is no evidence of what the target or goal of the attack is. The US Dept of Justice and the FBI have also avoided naming a target.
The upside of this story is that it may well have alerted many of the victims and potential victims to the risk of their devices being taken over. Those that were being directed to the toknowall[.]com domain can at least reset without problems. Others may not be so lucky.
This action will also cause problems for the cyber group behind VPNFilter. It has been named as Sofacy, a group that also goes by a number of other names such as Fancy Bear, APT28, Pawn Storm, Sednit and Strontium. Several cyber security vendors have claimed it is a Russian state-sponsored actor. It has been credited with a long list of attacks and has been the subject of other attempts to disrupt its activity in the past.