
Ukraine claims it blocked VPNFilter attack at chemical plant

We won't say who we think it is but we'll point with our elbow...

A Ukrainian intel agency has claimed it stopped a cyber attack against a chlorine plant that was launched using the notorious VPNFilter malware.

Ukraine's SBU Security Service said it thwarted an attack on network equipment belonging to the LLC Aulska chlorine plant in Auly, about an hour away from Dnepr City in Dnipropetrovsk, central Ukraine, Interfax Ukraine reports.

Kiev's counterintelligence arm was quick to blame Russia for the assault on the plant, which provides chlorine to water treatment and sewage plants throughout Ukraine. According to the company's website, its products are used by consumers in 23 regions of Ukraine, Moldova and Belarus.

"Specialists of the cyber security service established minutes after [the incident] that the enterprise's process control system and system for detecting signs of emergencies had deliberately been infected by the VPNFilter computer virus originating from Russia," the SBU said on its Facebook page on Wednesday. "The continuation of the cyber attack could have led to a breakdown in technological processes and a possible accident."


The attack was allegedly geared at disrupting the stable operation of the plant, which provides NaClO (sodium hypochlorite, aka liquid chlorine) for water treatment. Elemental chlorine is commercially produced from a high concentration solution of NaCl (sodium chloride - aka common salt) in water through electrolysis.

Workers at the chlorine company worked with its telco providers and cyber security experts at the SBU to thwart the purported attack, the agency said. VPNFilter, first detected in May, is estimated to have hijacked half a million Internet of Things devices such as routers and network-attached storage (NAS) devices.

The malware is capable of snooping on encrypted web traffic as well as establishing a backdoor on compromised devices.

The code of some versions of the malware overlaps with versions of the BlackEnergy malware, a cyber-espionage nasty previously linked to attacks on Ukrainian power distribution stations. "The behaviour of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials and monitoring of Modbus SCADA protocols," Cisco Talos, the security team that discovered the malware, warned in May. "Lastly, the malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide."

Western intel agencies as well as Ukraine's SBU have blamed Russia - and more specifically APT 28, a unit of Russian military intelligence, GRU - for creating and distributing VPNFilter. ®
