Just today, the Ukrainian Security Service (SBU) claimed that the key infrastructure in Ukraine was attacked by VPNFilter malware, which is said to come from Russian intelligence agencies.


According to the SBU's description, security researchers detected the malware in the industrial control system of the Aulska chlorine station in Dnipropetrovsk, Ukraine. The station is one of Ukraine's critical infrastructure facilities, since it is the main supplier of chlorine, the raw material used for water purification, to sewage treatment plants across Ukraine.

According to reports, the malware targeted the technical process flow and the safety protection systems within the industrial control system, but the SBU said its security experts quickly detected the presence of VPNFilter and blocked the malicious operations it attempted. The SBU said that had the attack succeeded, it would have halted the operation of the Aulska chlorine station's industrial control system, crashed the affected systems and possibly caused physical damage to equipment, leading to a "catastrophic" incident. Security researchers believe the main goal of the attack was most likely to disrupt the normal operation of this infrastructure.

The SBU said that although the attack was mainly aimed at the chlorine station, this may also have been a coincidence, because VPNFilter has compromised at least 500,000 routers and network-attached storage (NAS) devices, and Ukraine is the malware's primary target.

The following figure shows the attack mechanism of VPNFilter:

Prior to this, US authorities tried to disrupt the attackers' activity by seizing one of VPNFilter's command-and-control domains, but researchers said that VPNFilter still threatens critical infrastructure in Ukraine.

In fact, it is not surprising that Ukraine blames Russia for this incident; even the US government believes the attack is linked to cyber-espionage groups sponsored by the Kremlin.

The VPNFilter botnet was exposed in May this year. At that time, VPNFilter was able to compromise more than 50 routers and NAS devices, from manufacturers including Linksys, MikroTik, Netgear, TP-Link, QNAP, ASUSTeK, D-Link, Huawei, Ubiquiti, Upvel and ZTE.

Researchers said the malware can not only intercept data sent and received by compromised devices, but also monitor network systems that communicate using the Modbus SCADA protocol. In addition, it can render infected devices inoperable.

Of course, this is not the first time Ukraine has blamed Russia for cyber attacks. Previously, Russia was accused of launching the NotPetya attack against Ukraine's power grid.

