FBI Disrupts Cyclops Blink Botnet Used by Russian Intelligence Directorate

FBI Disrupts Cyclops Blink Botnet Used by Russian Intelligence Directorate

According to US authorities, the Cyclops Blink botnet was controlled by the Russian Federation’s Main Intelligence Directorate (GRU) and had compromised thousands of devices worldwide.

A court-authorized operation against a Russian-controlled botnet infecting hardware devices with Cyclops Blink malware was launched in March 2022 after its detection in February 2022.

The UK and US authorities tracked its operators as the infamous Sandworm group, supposedly affiliated with the Russian GRU’s Main Center for Special Technologies. This group was previously linked to several destructive attacks, such as the infamous NotPetya attack in 2017 and the BlackEnergy campaign in 2015, where Ukraine’s power plants were targeted.

Cyclops Blink is a modular malware believed to be the successor of the VPNFilter botnet. The malware infects internet-connected devices through malicious firmware updates. It currently targets ASUS and WatchGuard devices. Cyclops Blink maintains persistence via the legitimate device firmware update process that’s directly linked to APT groups affiliated with the Russian government.

The FBI took down a massive botnet of hardware devices in partnership with WatchGuard, and the malware was removed, which had been targeting firewall appliances and SOHO networking devices. It is worth noting that the malware targeted devices made by WatchGuard Technologies and ASUS.

WatchGuard has released detection and remediation tools recommendations for device owners, urging them to patch their devices to the latest version of the firmware. Furthermore, ASUS has also released guidelines to help compromised ASUS device owners mitigate the Cyclops Blink threat.

Although thousands of compromised devices were successfully remediated during the operation, the US Department of Justice warned that many originally compromised devices still remain infected.

US Department of Justice Statement

In a press release, the US Justice Department stated that the operation was conducted last month to disrupt a “two-tiered global botnet of thousands of infected network hardware devices.” The C2 mechanism was also disabled, which severed the bots from the Sandworm C2 devices’ control. Moreover, authorities have also closed the ports used by Sandworm to manage the botnet remotely.

US attorney general Merrick Garland claimed they had successfully disrupted the botnet before the operators could use it and disabled the GRU’s control over the infected devices before weaponizing it. 

“This court-authorized removal of malware deployed by the Russian GRU demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal.”

Assistant Attorney General Matthew Olsen
  1. FBI and NSA expose Russian State hacking tool for Linux
  2. US jails Russian hacker for 8 years over botnet, bank fraud
  3. Fancy Bear’s VPNfilter malware is back with 7 new modules
  4. FBI seizes VPNFilter botnet domain that infected 500,000 routers
  5. New Electrum DDoS botnet steals $4.6M after infecting 152,000 hosts

Related Posts