Russian Sandworm Group Responsible for Cyclops Blink Botnet

Security (Pexels, general use) [German]

For several days now, a new malware has been infecting network devices around the world and incorporating the affected machines into the Cyclops Blink botnet. This botnet can steal confidential data and attack other networks. The malware and its botnet are now attributed to the state-sponsored hacking group Sandworm (Voodoo Bear). Here is some information about this malware.


I received the information about the Cyclops Blink botnet from several sources. In addition to the following tweet from our colleagues at Bleeping Computer, Ars Technica also picked up on the topic here.

Cyclops Blink Botnet

The malware, called Cyclops Blink, infects home and small office network devices around the world. The malware was unknown until recently and is attributed to the Russian espionage and cyber attack group Sandworm (also known as Voodoo Bear). This state-sponsored hacking group targets industrial control systems. The group uses a tool called BlackEnergy, which has been linked to attacks on electricity and power generation companies. The goal of the attacks is to conduct espionage, denial-of-service attacks and data destruction.

Some security researchers believe the threat actor is linked to the compromise of Ukraine's power grid in 2015 and a distributed denial-of-service attack prior to Russia's invasion of Georgia. In any case, the group is blamed for the 2008 DDoS attacks in Georgia and the 2015 Ukrainian power grid outage.

The UK's National Cyber Security Centre (NCSC) and, from the U.S., the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) have previously attributed the Sandworm actor to the Main Centre for Special Technologies (GTsST) of Russia's GRU (military intelligence).

The Sandworm hacking group is blamed for attacks on Ukraine's power supply in 2015, Industroyer in 2016, NotPetya in 2017, attacks on the 2018 Winter Olympics and Paralympics, and a series of disruptive attacks against Georgia in 2019. The U.S. Department of Justice linked the hacks to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

Cyclops Blink Malware

The precursors of the Cyclops Blink malware have been around for three years: the actors previously used VPNFilter. Security researchers found in 2018 that this malware had infected around 500,000 routers in homes and small offices. It contained a veritable Swiss Army knife of tooling that allowed the attackers to intercept or manipulate traffic. In addition, the malware can monitor some SCADA protocols used by industrial control systems.


NCSC, CISA, FBI and NSA have determined that the Sandworm group is using the new Cyclops Blink malware. This NCSC document states that Cyclops Blink appears to be a replacement framework for the VPNFilter malware uncovered in 2018. The document includes a detailed analysis of the new malware.

The Cyclops Blink malware has since infected about 1 percent of the network firewall devices from network device manufacturer WatchGuard. The malware is capable of abusing a legitimate firmware update mechanism on infected devices in such a way that it becomes persistent, meaning it survives reboots. Guidance on this topic can be found in the blog post Cyclops blink malware targets WatchGuard network firewalls.
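The persistence point above (a legitimate firmware update path being abused so the implant survives reboots) is exactly the kind of problem an integrity baseline catches. The following Python script is an added illustration, not code from this post, from the NCSC analysis or from WatchGuard, and it does not model WatchGuard's actual update mechanism. It assumes a hypothetical vendor-published manifest of known-good SHA-256 digests (constructed inline here) and shows two defender checks: rejecting an update image whose digest is not on the manifest, and flagging an installed image whose digest has drifted from the digest recorded at the last verified install.

```python
import hashlib
import hmac

# Constructed sample images standing in for real firmware blobs (hypothetical names).
GOOD_IMAGE = b"constructed firmware image, release 1.2.3"
TAMPERED_IMAGE = GOOD_IMAGE + b"\x00appended implant stub (constructed)"
UNLISTED_IMAGE = b"constructed firmware image, release 9.9.9"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an image; the only digest the hypothetical manifest uses."""
    return hashlib.sha256(data).hexdigest()


# Constructed manifest: what a vendor-published list of known-good digests could look like.
# In practice this would be obtained out of band (e.g. a signed file), never from the device itself.
KNOWN_GOOD_MANIFEST = {
    "firmware-1.2.3.bin": sha256_hex(GOOD_IMAGE),
}


def verify_update_image(name: str, data: bytes, manifest: dict) -> tuple[bool, str]:
    """Accept an update image only if its digest matches the manifest entry for that name."""
    expected = manifest.get(name)
    if expected is None:
        return False, f"{name}: no known-good digest on the manifest, refuse to install"
    actual = sha256_hex(data)
    # compare_digest avoids timing differences leaking how much of the digest matched.
    if not hmac.compare_digest(actual, expected):
        return False, f"{name}: digest mismatch (expected {expected[:12]}..., got {actual[:12]}...)"
    return True, f"{name}: digest matches known-good manifest"


def record_baseline(name: str, data: bytes) -> dict:
    """Digest recorded at a verified install; stored off-device so a compromised box cannot rewrite it."""
    return {name: sha256_hex(data)}


def check_installed_image(name: str, data: bytes, baseline: dict) -> tuple[bool, str]:
    """Compare the image currently on the device against the off-device baseline.

    A drift here, with no authorized update in between, is the signal that the
    legitimate update path may have been used to plant something persistent.
    """
    recorded = baseline.get(name)
    if recorded is None:
        return False, f"{name}: no baseline recorded for this device, cannot attest"
    if not hmac.compare_digest(sha256_hex(data), recorded):
        return False, f"{name}: installed image differs from verified baseline, investigate"
    return True, f"{name}: installed image unchanged since last verified install"


def run_checks(manifest: dict) -> dict[str, bool]:
    """Run the scenario end to end; returns a name -> verdict map for inspection."""
    results = {}
    # 1. Update-time check against the vendor manifest.
    results["good_update"] = verify_update_image("firmware-1.2.3.bin", GOOD_IMAGE, manifest)[0]
    results["tampered_update"] = verify_update_image("firmware-1.2.3.bin", TAMPERED_IMAGE, manifest)[0]
    results["unlisted_update"] = verify_update_image("firmware-9.9.9.bin", UNLISTED_IMAGE, manifest)[0]
    # 2. Post-install drift check against an off-device baseline.
    baseline = record_baseline("firmware-1.2.3.bin", GOOD_IMAGE)
    results["installed_unchanged"] = check_installed_image("firmware-1.2.3.bin", GOOD_IMAGE, baseline)[0]
    results["installed_drifted"] = check_installed_image("firmware-1.2.3.bin", TAMPERED_IMAGE, baseline)[0]
    return results


if __name__ == "__main__":
    for key, ok in run_checks(KNOWN_GOOD_MANIFEST).items():
        print(f"{key:20s} {'PASS' if ok else 'FLAGGED'}")
```

The important design choice is where the manifest and baseline live: both are kept off the device, because an implant that already controls the firmware update path can just as easily rewrite any digest list stored locally. Digest comparison alone does not replace vendor signature verification on the real update path; it is the independent check a defender runs to notice when that path has been abused.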
