US Action Disrupts Russian Botnet Cyclops Blink

The US authorities claim to have disrupted a notorious botnet controlled by the Russian state after a court-authorized operation in March.

Cyclops Blink was first discovered in February after UK and US government experts traced it back to the infamous Sandworm team, thought to be part of the Russian GRU’s Main Centre for Special Technologies (GTsST).

That group has been linked to destructive attacks in the past, including the BlackEnergy campaign that targeted Ukrainian power plants in 2015, as well as the infamous NotPetya campaign of 2017.

Thought to be the successor of a similar botnet known as VPNFilter, Cyclops Blink is modular malware designed to infect internet-connected devices via malicious firmware updates. Currently, WatchGuard and Asus devices are thought to have been targeted.

However, US attorney general Merrick Garland claimed yesterday the US was able to copy and remove the malware from infected devices used for command and control (C&C).

“Fortunately, we were able to disrupt this botnet before it could be used. Thanks to our close work with international partners, we were able to detect the infection of thousands of network hardware devices,” he told a press conference.

“We were then able to disable the GRU’s control over those devices before the botnet could be weaponized.”

The Department of Justice (DoJ) operation was necessary because, despite vendor-issued warnings, the majority of devices remained compromised as of mid-March.

As well as removing Cyclops Blink malware from these devices, officers also closed the ports Sandworm was using to manage them remotely. However, they may still be vulnerable to exploitation unless owners follow vendor advice on remediation, the DoJ added.

The FBI had been contacting device owners since February, both directly, via their ISPs, and through foreign law enforcement partners.

“This court-authorized removal of malware deployed by the Russian GRU demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal,” said assistant attorney general Matthew Olsen of the Justice Department’s National Security Division.

“By working closely with WatchGuard and other government agencies in this country and the United Kingdom to analyze the malware and to develop detection and remediation tools, we are together showing the strength that public-private partnership brings to our country’s cybersecurity.”

What’s Hot on Infosecurity Magazine?