On Thursday, the SBU alleged in a statement that Russian intelligence services are behind an attempted cyberattack against the network equipment of Aul Chlorotransfer Station, an entity based in the Dnipropetrovsk province which provides chlorination and filtering of clean water supplies.
“Intelligence services specialists in the field of cybersecurity established that, over the course of several minutes, the company’s technological process control systems and the systems for detecting signs of emergencies were being attacked by the VPNFilter computer virus from Russia,” the report states [translated].
According to the SBU, VPNFilter malware was deployed in an attempt to disrupt this critical element of Ukraine’s infrastructure.
VPNFilter was uncovered in May when Cisco Talos researchers discovered 500,000 networking devices — mainly consumer-grade internet routers — across 54 countries which had been infected with the malware.
The malicious code is able to exfiltrate credentials, monitor equipment, and can also render an infected device completely inoperable.
Talos believes VPNFilter is state-sponsored due to the sophistication of the malware.
VPNFilter has previously been linked to Russia. In May, the FBI warned router users that they should reboot their routers following the Talos report.
It is believed that Sofacy, also known as Fancy Bear and APT28, a Russian state-sponsored group, is behind the creation of the malware.
The malicious code’s destructive capabilities are of particular concern, should critical infrastructure equipment become infected.
The agency said that the “aggressor country” intended to use VPNFilter to bring down the chlorination station, destroying the supply of liquid chlorine for the country’s water supply and sewer systems.
The SBU says that “continuation of the cyberattack could have led to a breakdown of technological processes and possible crash.”
However, the attack was foiled by localizing the malware and destroying it before the virus spread through the system’s network, which prevented “possible catastrophic consequences,” according to the SBU.
No further technical details were revealed.
If the attack had been successful, the consequences would have been serious for Ukraine. According to local news outlets, the chlorine distillation station is the only one active in the country.
In 2015, Ukraine suffered a series of power cuts after the country’s energy grid was compromised due to cyberattacks.
It is believed that Russia may have been behind the attacks due to the use of the BlackEnergy Trojan, which is similar in design to VPNFilter.