By Robert McMillan 

A newly discovered network of hacked routers and storage devices could be used to launch a massive cyberattack or knock hundreds of thousands of internet users offline, Cisco Systems Inc. and authorities in the U.S. and Ukraine warned Wednesday.

An attack could be timed to the final match in soccer's UEFA Champions League competition taking place Saturday in Kiev, according to security researchers and Ukrainian authorities.

More than half a million devices across 54 countries are now infected with sophisticated software called VPNFilter that can install other software or even make internal changes that render the devices unusable, according to Craig Williams, a security researcher with Cisco.

The network had grown quietly since 2016 but expanded rapidly within Ukraine around May 8, with systems in the country now making up about half of the infected machines on the network, Mr. Williams said.

"They're clearly targeting Ukraine," he said. "The fact that we saw this being spun up so quickly is evidence that something is being planned."

Ukrainian authorities, in a statement, said they believe this could be a precursor to a cyberattack by Russia targeted to the Champions League final.

A representative from the Ukrainian consulate in Washington, D.C., didn't respond to requests for further comment.

Ukraine has blamed Russia for a wave of disruptive cyberattacks that have shut down electricity and hacked computers across the country over the past three years. Ukraine was the main target of last year's Petya computer virus, cybersecurity researchers believe, an attack launched shortly before a national holiday celebrating the adoption of Ukraine's constitution.

Earlier this year, authorities in the U.S. and U.K. blamed Russia for the Petya outbreak. Russia has called the accusations "baseless."

Based on the code used by the VPNFilter hackers, and the fact that the latest infections have focused on Ukrainian targets, Cisco believes the new network may be related to the previous incidents, though "it is far from 100 percent certain," Mr. Williams said.

It is unclear what comes next, researchers and authorities say. But VPNFilter has the capabilities to install software that can steal sensitive information from the network such as passwords or even data on power plants or factory-floor computers, Mr. Williams said.

Whoever built the network could launch a new virus like Petya, attack power plants or disrupt computer systems connected to the coming Champions League game, Mr. Williams said. After a cyberattack, the creators could cover their steps by wiping out the infected device's software, effectively leaving hundreds of thousands of people without internet access, he said.

"The reality is, this attacker has limitless options," Mr. Williams said.

According to Cisco, the VPNFilter malware affects certain Linksys routers built by Belkin International Inc. as well as some built by Netgear Inc., SIA Mikrotīkls (MikroTik), and TP-Link Technologies Co. and some storage devices built by QNAP Systems, Inc.

Many of these devices can be taken over using well-known attacks or default administrative passwords, Mr. Williams said.

Netgear and TP-Link published security advisories Wednesday saying the companies are investigating the VPNFilter malware. They advised users to update their routers' software and to avoid using the default passwords.

The other device makers didn't immediately respond to requests for comment.

The U.S. Department of Homeland Security on Wednesday issued a warning about VPNFilter, saying that the software "has the potential to cut off internet access for hundreds of thousands of users."

After years of focusing on personal computers, hackers have increasingly turned to the so-called Internet of Things -- routers, storage devices, video recorders and other internet-connected devices -- that don't typically run antivirus software and can often be accessed using default usernames and passwords.

In 2016, a network of about 300,000 such infected devices caused a widespread internet outage in the U.S. by launching a massive online attack against an internet service provider.

Write to Robert McMillan at Robert.Mcmillan@wsj.com

 

(END) Dow Jones Newswires

May 23, 2018 17:38 ET (21:38 GMT)

Copyright (c) 2018 Dow Jones & Company, Inc.