Cisco's Talos cyberintelligence unit has warned that hackers have infected at least 500,000 routers and storage devices in dozens of countries with sophisticated malware that comprises code previously used to attack Ukraine.
In a blog post, Talos said it has been working for months with public- and private-sector threat intelligence partners and law enforcement to research the advanced malware system it's calling VPNFilter.
"The code of this malware overlaps with versions of the BlackEnergy malware, which was responsible for multiple large-scale attacks that targeted devices in Ukraine," said the security research team.
"While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilising a command and control (C2) infrastructure dedicated to that country."
Both on 8 May and again on 17 May, the Talos researchers saw a sharp spike in VPNFilter infection activity with most of the new victims located in Ukraine.
"By this point, we were aware of the code overlap between BlackEnergy and VPNFilter, that Ukraine's Constitution Day was approaching in June, and that the timing of previous attacks in Ukraine suggested that an attack could be imminent," they added.
One of Talos' researchers told Reuters that the team was confident that the Russian government is behind the campaign. Cisco researcher Craig Williams said this was the case because the hacking software shares code with malware used in previous cyber attacks that the US government has attributed to Moscow.
"Security Service experts believe the infection of hardware on the territory of Ukraine is preparation for another act of cyber-aggression by the Russian Federation aimed at destabilising the situation during the Champions League final," Williams said.
He added: "With a network like this you could do anything."
Other major security companies are also warning that the malware should be taken very seriously.
The devices infected with VPNFilter are scattered across at least 54 countries, so anyone could potentially be affected.