FBI Dismantles Cyclops Blink Botnet of Sandworm Group Working for Russian Intelligence Agency (GRU)

Sicherheit (Pexels, allgemeine Nutzung)[English]The U.S. Department of Justice (DOJ) has just announced the dismantling of the Cyclops Blink botnet, which is attributed to the cyber group Sandworm. Sandworm is a name for a hacking group working for the Russian intelligence service (GRU). Here is the currently available information released by the DOJ.


Advertising

I became aware of the issue via the following tweet, which refers to a press conference held by the U.S. Department of Justice.

There is more information in this DOJ press release. According to it, the FBI succeeded in disrupting the Cyclops Blink botnet attributed to the Russian Federation Intelligence Agency (GRU) and specifically its Sandworm group as early as March 2022 following a court order. The operation, conducted in March 2022, involved copying the Cyclops Blink botnet and removing malware from the botnet's command and control devices. This reportedly disrupted the GRU's control over thousands of infected devices worldwide.

Sandworm Cyclops Blink botnet destroyed

In the court-approved, a two-tiered global botnet with thousands of infected network hardware devices was destroyed. The botnet was under the control of the threat actor known to security researchers as Sandworm, which the U.S. government previously attributed to the Main Intelligence Service of the General Staff of the Armed Forces of the Russian Federation (GRU).

The operation copied and removed malware from vulnerable Internet-connected firewall devices that Sandworm used to control the underlying botnet. Although the operation did not involve accessing the Sandworm malware on the thousands of victim devices around the world, known as "bots," disabling the C2 mechanism separated those bots from control by the Sandworm C2 devices. Victims must take additional steps to address the vulnerability and prevent malicious actors from continuing to exploit unpatched devices.


Advertising

The action succeeded after court approval by working closely with WatchGuard and other government agencies in the U.S. and U.K. to analyze the malware and develop detection and remediation measures.

Background on the Cyclops Blink botnet

On Feb. 23, the U.K. National Cyber Security Center, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, the FBI and the National Security Agency released a notice of the Cyclops Blink malware that targets network devices manufactured by WatchGuard Technologies Inc. (WatchGuard) and ASUSTek Computer Inc. (ASUS) (see also the articles at the end of the article).

Meanwhile, this malware or botnet is attributed to the Sandworm (Voodoo Bear) state hacking group. The goal of the attacks is to conduct espionage, denial-of-service attacks and data destruction. Cyclops Blink botnet can steal confidential data and attack other networks. After all, the network devices mentioned above are components of a victim's computer network.

Thus, the Sandworm group is potentially able to perform malicious activities against all computers within those networks. The malware appears to have surfaced as early as June 2019 (see Russian Sandworm Group Responsible for Cyclops Blink Botnet) and is the apparent successor to another Sandworm botnet called VPNFilter, which the U.S. Department of Justice destroyed in 2018 through a court-approved operation.

The Cyclops Blink malware, meanwhile, has infected about 1 percent of network firewall devices from network device manufacturer Watchguard. The malware is capable of abusing a legitimate firmware update mechanism in infected devices in such a way that it is persistent, meaning it survives reboots. Guidance on this topic can be found in the blog post Cyclops blink malware targets WatchGuard network firewalls.

Similar articles
Russian Sandworm Group Responsible for Cyclops Blink Botnet
Trend Micro and ASUS warns: Cyclops Blink Botnet targets ASUS Routers
Cyclops blink malware targets WatchGuard network firewalls


Advertising

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).