Preparations for a cyber-attack on Ukraine have been thwarted by the FBI.
It seized a website that was helping communicate with home routers infected with malware that would carry out the digital bombardment.
More than 500,000 routers in 54 countries had been infected by the “dangerous” malware and the FBI is now trying to clean up infected machines.
The Kremlin has denied an allegation by Ukraine that Russia was planning a cyber-attack on the country.
A key step in thwarting the attack came on 23 May when a US court ordered website registrar Verisign to hand over control of the ToKnowAll.com domain to the FBI.
Infected machines regularly contacted that domain to update the malware with which they were infected.
By taking control of the domain, the FBI will be able to log the location of infected machines and co-ordinate efforts to clean them up.
A state-sponsored group known as Sofacy/Fancy Bear has been identified as both developing the malware and preparing the attack.
“This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes,” said John Demers, assistant attorney general for National Security, in a statement.
Details of the preparation were shared by Cisco’s Talos security team which said it had been monitoring the “advanced, state-sponsored” attack for months. In a blog it said malware, which it dubbed VPNFilter, used several sophisticated methods to compromise routers.
In particular, it said, the malicious software had been coded to survive even when infected devices were turned off and on. In the past, infected devices have only needed a reboot to remove the malicious code.
Cisco added that the malware included a “kill” command that would render devices unusable if it were used.
In all, 14 models of home routers made by Linksys, Mikrotik, Negear and Qnap were targeted by the malware. Cisco said it had seen widespread scans seeking out routers with known vulnerabilities that the malware could exploit.
Cleaning out the infection involves returning devices to their initial factory settings. Users are also being urged to update the firmware on their router to remove vulnerabilities exploited by the malware.
Cisco said it went public with the information it had gathered because earlier this month it saw a sudden spike in scanning and a particular focus on home routers in Ukraine. The VPNFilter code shares some similarities with the Black Energy malware used in attacks on Ukraine’s power grid.
The target of the expected attack is not clear but Reuters suggested the network of infected machines could be used to cause disruption on Saturday when the Champions League final is played in Kiev.