Cisco's Talos cyberintelligence unit has warned that hackers have infected at least 500,000 routers and storage devices in dozens of countries with sophisticated malware that comprises code previously used to attack Ukraine.
In a blog post, Talos said it has been working for months with public- and private-sector threat intelligence partners and law enforcement to research the advanced malware system it's calling VPNFilter.
"The code of this malware overlaps with versions of the BlackEnergy malware, which was responsible for multiple large-scale attacks that targeted devices in Ukraine," said the security research team.
"While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilising a command and control (C2) infrastructure dedicated to that country."
Both on 8 May and again on 17 May, the Talos researchers saw a sharp spike in VPNFilter infection activity with most of the new victims located in Ukraine.
"By this point, we were aware of the code overlap between BlackEnergy and VPNFilter, that Ukraine's Constitution Day was approaching in June, and that the timing of previous attacks in Ukraine suggested that an attack could be imminent," they added.
One of the Talos researchers told Reuters that the team was confident that the Russian government is behind the campaign. Cisco researcher Craig Williams said this was the case because the hacking software shares code with malware used in previous cyber attacks that the US government has attributed to Moscow.
"Security Service experts believe the infection of hardware on the territory of Ukraine is preparation for another act of cyber-aggression by the Russian Federation aimed at destabilising the situation during the Champions League final," Williams said.
He added: "With a network like this you could do anything."
Other major security companies are also warning that the malware should be taken very seriously.
The devices infected with VPNFilter are scattered across at least 54 countries, so anyone could potentially be affected.