The most probable infection vector is the lack of proper authentication and the use of default credentials on the targeted routers.
The malware also includes a self-destruct capability that overwrites part of the device's firmware, rendering the infected device inoperable and cutting its users off from the internet.
Cisco says it found code overlap with BlackEnergy, a malware strain used in the attacks that crippled parts of Ukraine's power grid in December 2015. The malware that infected the devices in this case has been named VPNFilter.
The company has also notified the manufacturers of the affected devices and shared its research with law enforcement worldwide and the Cyber Threat Alliance.
"The stage 2 malware first sets up the working environment by creating a modules folder (/var/run/vpnfilterm) and a working directory (/var/run/vpnfilterw)," Cisco's Talos researchers explain.
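As an added check (this is not code from the article or from Cisco Talos), the following POSIX shell function looks for the two stage 2 directories named in the quote above. It accepts an optional root path, an assumption made here so the check can be exercised against a constructed directory tree instead of a live device; on a router it is run with no argument.

```shell
#!/bin/sh
# Added example, not from the article or from Cisco Talos.
# Looks for the VPNFilter stage 2 working directories under an optional root.
# With no argument the paths are checked on the running system; passing a
# directory (assumption of this example) lets the check run on a test tree.
vpnfilter_stage2_check() {
  root="${1:-}"
  found=0
  # The two directories quoted from the Talos write-up.
  for d in /var/run/vpnfilterm /var/run/vpnfilterw; do
    if [ -d "$root$d" ]; then
      echo "INDICATOR: $root$d exists"
      found=1
    fi
  done
  if [ "$found" -eq 1 ]; then
    echo "Possible VPNFilter stage 2 artifacts found"
    return 1
  fi
  echo "No VPNFilter stage 2 directories found under '${root:-/}'"
  return 0
}
```

A hit is a strong indicator. A miss is inconclusive: the stage 2 and stage 3 components live under /var/run and do not survive a reboot, so a freshly rebooted device can show nothing here while the persistent stage 1 is still present and will try to fetch stage 2 again.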
Security researchers estimate that at least 500,000 network devices scattered across 54 countries were unwittingly part of the botnet. These products make particularly good targets because they're rarely protected by antivirus solutions and other security tools.
Dubbed "VPNFilter", the sophisticated modular malware framework allows an attacker to scan the internet for vulnerable systems and quickly infect devices that are both extremely popular and hard to patch.
Cisco reported that over 500,000 routers made by Linksys, MikroTik, Netgear and TP-Link were infected with the malware. Known by several names, including APT28, Pawn Storm, Sandworm, Sednit and the Sofacy Group, the hackers are blamed for attacks on the Organization for Security and Co-operation in Europe, the World Anti-Doping Agency and the US Democratic Party, as well as several internet disruptions in Ukraine. Once installed, the malware can be used to intercept communications and launch attacks on other targets.
The U.S. Justice Department says that it has seized an Internet domain controlled by a hacking group tied to Russian military intelligence that was planning a major cyberattack, possibly in Ukraine.
The malware is a multistage, modular platform whose initial stage persists through a reboot, which is unusual for malware targeting IoT devices; that persistent stage is used to re-fetch the later stages, which do not survive a reboot.
The company reported a sudden increase in VPNFilter infections in Ukraine from May 8 onwards, and Ukraine's SBU security service has already expressed concern that Russia will conduct a cyberattack ahead of the Champions League final taking place in Kiev this weekend.
The ToKnowAll.com domain seized Wednesday hosted a backup server from which already-infected routers fetched the second stage of the malware when the primary method, which relied on images hosted on Photobucket, failed.
The botnet targets small office and home office (SOHO) routers, through which it can relay orders from its controllers and intercept and reroute traffic back to them, virtually undetected by the network's users. Disabling remote administration on such devices is also recommended.
The department said the operation appeared intent on staging "a variety of malicious" activities, including intelligence gathering, theft of valuable information, and destructive or disruptive attacks. Control of the seized domain lets researchers and law enforcement record the IP addresses of infected devices that connect to it and prevents those devices from receiving further malware or malicious instructions. Cisco said the malware could sever hundreds of thousands of internet connections at once.