Телефон довіри:
0 800 501 482

SBU warns of a possible large-scale cyberattack on state organizations and private companies before the Champions League final

SBU warns of a possible large-scale cyberattack on government organizations and private companies before the Champions League final and has given recommendations for protection.

SBU cybersecurity specialists investigate yet another possible wave of mass destruction of networked devices located in Ukraine. Hazardous software that can be used by hackers was named VPNFilter.


* VPNFilter is a multi-level modular malware with versatile features that provide both cyberintelligence and destructive cyber-attacks.


Similar attacks have been recorded all over the world since 2016. However, according to the information received, this time the geographic targeting of the attack is oriented specifically to the Ukrainian segment of the Internet.

The findings of the forensic investigation indicate that VPNFilter virus allows attackers to intercept all traffic passing through the affected device (including authorization data and personal data used in payment systems), collect and upload information, remotely control the virus-infected device and even brick it.

The VPNFilter is particularly dangerous for automated process control systems (SCADA). Such objects could be priority target for hackers due to identification of specific protocols for technological data exchange. The discovered signs indicate that cyberattacks are being prepared on the objects of national critical infrastructure, which causes particular concern.

SBU specialists believe that injection of Ukraine-limited computer virus could mean preparation for another Russian cyberattack aimed at destabilizing the situation during the Champions League finals. This suspicion is further fuelled by the fact that cyberattack inner workings are the same as used in 2015-2016 during the BlackEnergy cyberattack.

Joint possibilities on forensic analysis of the threats available to the SBU Situational Center for Cyber ​​Security and the existing international channels of the 24/7 National Contact Point of the National Police of Ukraine have already been used to neutralize the network of hidden intruders. We emphasize that failure to eliminate the vulnerabilities at end-user equipment would leave it open to new waves of similar cyberattacks.

Taking into account the possible risks, the SBU and the National Police have instantly informed potential “victims” of the attack. In compliance with the requirements of the Law of Ukraine “On key principles of ensuring cybersecurity”, the SBU informed the relevant facilities of critical infrastructure and state authorities (including via the MISP-UA platform). In turn, the Cyberpolice Department of the National Police Of Ukraine has focused on assisting the subjects of domestic business and the citizens.

Specialists are currently aware of the vulnerability of the following network devices:

Linksys Devices: E1200, E2500, WRVS4400N;

Mikrotik RouterOS Versions for Cloud Core Routers: 1016, 1036, 1072;

Netgear Devices: DGN2200, R6400,        R7000, R8000, WNR1000, WNR2000;

QNAP Devices: TS251, TS439 Pro, Other QNAP NAS devices running QTS software;

TP-Link Devices R600VPN.

Taking into account the considerable popularity of this equipment on the territory of Ukraine and the objective impossibility of targeted informing of all users, the SBU provides short recommendations on the protection from cyberattack, developed jointly with representatives of leading international cybersecurity companies.

The recommendations of SBU specialists:

In order to prevent data loss and interference into the operation of network devices and to prevent negative consequences of affection of abovementioned network devices by malicious software, cybersecurity experts strongly recommend to urgently take the following measures:

- users and owners of home routers, wireless routers for small offices and network file repositories must urgently reboot them in order to remove potentially harmful software modules from the devices memory;

- in the case when clients’ network routers are controlled by Internet-providers, they must remotely reboot them;

- if there is any reason to consider any device on the local network affected by this type of malware - immediately update its software firmware to the latest version;

- in the case when the operating system of the network device has a function of access to its file system - check the presence of files in the “/var/run/vpnfilterw”, “var/run/tor”, “var/run/torrc”, “var/run/tord” directories and delete their contents.


SBU Press-Centre




For the Attention of the SBU Head





Zhydkov Dmytro Mykhailovych
Shevchenko Daniil Borysovych
Yatsenko Viktor Viacheslavovych

View full list