FBI Disrupts the Russia-Linked Cyclops Blink Botnet

By Richard Anderson

The massive Cyclops Blink botnet that was being used to target firewall appliances and SOHO networking devices has been neutralized by the U.S. Federal Bureau of Investigation (FBI).

The botnet consisted of an army of devices that had been infected by Cyclops Blink malware, which infects Internet-connected devices through malicious firmware updates. The botnet was first identified by the US and UK governments in February this year and is believed to be the successor to the VPNFilter botnet. The Cyclops Blink botnet has been used since at least 2019 and mostly targets WatchGuard Firebox firewalls and ASUS routers.

The botnet is believed to be operated by the Advanced Persistent Threat (APT) actor known as Sandworm. Sandworm is widely believed to be part of the Main Centre for Special Technologies (GTsST) of Russia’s GRU and has previously been linked with numerous cyberattacks in Ukraine, including the NotPetya wiper malware attacks in 2017 and the BlackEnergy malware attacks that targeted power plants in Ukraine in 2015.

The FBI obtained a court order on March 18, 2022, permitting the disruption of the botnet. The FBI partnered with WatchGuard to copy and remove the Cyclops Blink malware from the infected devices that were being used as command-and-control servers. The FBI notified the owners of compromised devices in the United States prior to removing the malware, and notifications were sent to overseas owners of compromised devices through its overseas law enforcement partners.

According to the announcement by the U.S. Department of Justice, the operation did not remove the Cyclops Blink malware from every device under Sandworm's control; it disabled only the command-and-control mechanism. However, by severing the link to the command-and-control infrastructure, the operation ensured that Sandworm can no longer control those devices.

FBI Director Chris Wray warned all owners of WatchGuard Firebox and ASUS devices that acted as bots that they could remain vulnerable unless steps are taken to mitigate the threat. The owners of those devices have been advised to immediately implement the recommended diagnosis, mitigation, and remediation plan suggested by WatchGuard, which includes updating the firmware of the devices to the latest version.

“This court-authorized removal of malware deployed by the Russian GRU demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal,” said assistant attorney general Matthew Olsen of the National Security Division of the Department of Justice. “By working closely with WatchGuard and other government agencies in this country and the United Kingdom to analyze the malware and to develop detection and remediation tools, we are together showing the strength that public-private partnership brings to our country’s cybersecurity.”



Richard Anderson is the Editor-in-Chief of NetSec.news