The US Department of Justice (DoJ), working alongside the FBI and various other authorities, has successfully disrupted the operation of a Russian botnet being used by Moscow’s intelligence services to distribute the so-called Cyclops Blink malware.
The Cyclops Blink malware targeted WatchGuard firewall and later Asus router devices, using them as command and control (C2) infrastructure for an underlying botnet. It was a tool of Russia’s Main Intelligence Directorate (GRU) and used by the well-known Sandworm (aka Voodoo Bear) advanced persistent threat (APT) group.
The successor to a previous Sandworm malware known as VPNFilter, Cyclops Blink was particularly dangerous because it specifically targeted firewalls at network perimeters, so when successfully exploited, it enabled Sandworm to conduct malicious activities on all the machines sitting behind the firewall.
However, it is important to note that in WatchGuard’s case, it only targeted devices that had been reconfigured from their factory default settings to allow remote management interfaces to be accessed externally – thought to be less than 1% of the firm’s installed base.
Its existence was disclosed in a joint advisory by the UK’s National Cyber Security Centre (NCSC) and its US equivalent, the Cybersecurity and Infrastructure Security Agency (CISA) on 23 February 2022, just hours before Russia began its attack on Ukraine.
“This court-authorised removal of malware deployed by the Russian GRU demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal,” said Matthew Olsen, assistant attorney general at the DoJ’s National Security Division.
“By working closely with WatchGuard and other government agencies in this country and the UK to analyse the malware and to develop detection and remediation tools, we are together showing the strength that public-private partnership brings to our country’s cyber security. The department remains committed to confronting and disrupting nation-state hacking, in whatever form it takes.”
The operation saw the authorities copy and remove Cyclops Blink malware from the vulnerable internet-connected WatchGuard firewalls that Sandworm was using for C2 of the underlying botnet. They also closed the external management ports that Sandworm was using to access its C2 devices, which effectively severed the victim devices from Sandworm’s control and neutralised the botnet.
The US authorities said they leveraged direct communications with the Cyclops Blink malware on the C2 firewall and router devices they identified and, apart from collecting their serial numbers and copying the malware, did not otherwise search for, or collect, other information from the victim networks they found. Nor did they communicate with any of the actual underlying bots.
The DoJ said WatchGuard’s swift attention to the issue, its release of detection and remediation tools and prompt patching by users had been highly effective. Later efforts by Asus to mitigate the threat were also effective, and together, both firms have likely successfully remediated thousands of compromised devices.
But at the same time, WatchGuard and Asus devices whose owners have not yet followed the recommended detection and remediation steps are still at risk of being compromised by Sandworm. Users of WatchGuard and Asus devices who are learning about Cyclops Blink for the first time should consult the relevant advisories and follow the advice they contain. WatchGuard’s advice can be found here, and Asus’s here.