The U.S. Justice Department says that it has seized an internet domain controlled by a hacking group tied to Russian military intelligence that was planning a major cyberattack, possibly in Ukraine.
The U.S. move late on May 23 was aimed at breaking up what the department said was a dangerous botnet of a half-million infected computer network routers that could have allowed the hackers to take control of computers and stage destructive attacks as well as steal valuable information.
Ukraine’s main security agency earlier in the day had warned of a possible Russian cyberattack during a "large-scale" event such as the final match of the Champions League soccer tournament scheduled on May 26 in Kyiv.
FBI Assistant Director Scott Smith said the U.S. agency "has taken a critical step in minimizing the impact of the malware attack. While this is an important first step, the FBI's work is not done."
The FBI said the botnet was set up by a hacking group variously called APT28, Pawn Storm, Sandworm, Fancy Bear, and the Sofacy Group.
The group is blamed for cyberattacks on numerous governments and sensitive targets such as power grids, the Organization for Security and Co-operation in Europe, and the World Anti-Doping Agency.
U.S. intelligence agencies last year claimed that the Russian hacking group was involved in hacking and releasing damaging information on the Democratic Party during the 2016 U.S. presidential election, and said it has engineered a number of computer network disruptions in Ukraine.
"According to cybersecurity researchers, the Sofacy Group is a cyberespionage group believed to have originated from Russia," the Justice Department said in a court filing late on May 23.
"Likely operating since 2007, the group is known to typically target government, military, security organizations, and other targets of intelligence value, through a variety of means," it said.
The Justice court filing did not say who was behind Sofacy Group, but U.S. intelligence in the past has linked it to Russia's GRU military intelligence agency, and numerous private computer security companies have made the same connection.
The Kremlin did not respond to a request for comment.
In blocking the group on May 23, the Justice Department said it had obtained a court warrant authorizing the FBI to seize a computer domain that is part of the command and control system of the VPNFilter botnet.
The botnet targets the routers on small home and office computers, through which it can relay orders from the botnet's controllers and intercept and reroute traffic back to them, virtually undetected by the users of a network.
The department said the operation appeared intent on staging "a variety of malicious" activities, including intelligence gathering, theft of valuable information, and destructive or disruptive attacks."
In a report released shortly before the Justice announcement, network equipment giant Cisco said the operation had infected at least 500,000 devices in at least 54 countries.
It targeted popular router brands like Linksys, MikroTik, NETGEAR, and TP-Link, Cisco said.
Cisco said the botnet has "a destructive capacity that can render an infected device unusable, which can be triggered on individual victim machines or en masse."
Both Justice and Cisco said they were releasing details of the problem before having found a strong, permanent fix. Cisco said it believes the hackers were planning to attack Ukraine.
Ukraine's SBU security service said earlier on May 23 that its experts believe Russia was planning an attack during the final game in the soccer tournament.
Ukraine has been locked since 2014 in a struggle with Russia-backed separatists in the country's east and has repeatedly been hit by cyberattacks of escalating severity.
A year ago, the NotPetya worm crippled critical systems in Ukraine, including hospitals, and caused hundreds of millions of dollars in collateral damage around the globe. Ukraine, the United States and Britain have blamed the attack on Moscow — a charge the Kremlin has denied.