Another One for the Good Guys – U.S. Government Disrupts Russian Cyclops Blink Botnet Prior to it Being Deployed

Author: Alec Davison

Created: Thursday, April 7, 2022 - 18:17

Categories: Cybersecurity

Yesterday, the Department of Justice (DOJ) announced the disruption of the Cyclops Blink botnet before it could be used for malicious activity. The malware, dubbed Cyclops Blink, targets WatchGuard Firebox firewall appliances and multiple ASUS router models and has reportedly been operated by the Russian-backed Sandworm group since at least June 2019. Cyclops Blink allows threat actors to establish persistence on a device via firmware updates, providing remote access to compromised networks. The malware is modular, allowing it to be easily upgraded to target new systems. Sandworm has been active since the mid-2000s and is linked to some of the most significant cybersecurity incidents of the past decade, including the NotPetya ransomware strain that afflicted organizations worldwide in 2017.

“The bot network we disrupted was built by the GRU—the Russian government’s military intelligence agency,” stated FBI Director Chris Wray. “Sandworm had implanted … Cyclops Blink on thousands of WatchGuard Technologies’ Firebox devices—these are security appliances, mainly firewalls, that are typically deployed in home office environments and in small to mid-size businesses.” The FBI disrupted the botnet by copying and removing the malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet. Disabling the C2 mechanism severed the victim devices from the control of Sandworm’s C2 devices. However, according to the DOJ, “WatchGuard and ASUS devices that acted as bots may remain vulnerable to Sandworm if device owners do not take the WatchGuard and ASUS recommended detection and remediation steps. The department strongly encourages network defenders and device owners to review the Feb. 23 advisory and WatchGuard and ASUS releases.” Read more at the Department of Justice or at BleepingComputer.
