Joint Cybersecurity Advisory: New Sandworm Malware Cyclops Blink Replaces VPNFilter

The Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI, the National Security Agency (NSA), and the United Kingdom’s National Cyber Security Centre (NCSC-UK), have just released a joint Cybersecurity Advisory regarding a threat actor known as Sandworm (a.k.a., Voodoo Bear, Static Kitten, et. al.) that has been observed using a new malware, referred to in the advisory as Cyclops Blink. Government agencies have previously attributed the Sandworm actor to Russian intelligence services. Sandworm has been linked to past cyber attacks, such as the BlackEnergy disruption of the Ukrainian electric grid in 2015 and the NotPetya campaign in 2017.

According to the advisory, “Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, and which exploited network devices, primarily small office/home office (SOHO) routers and network attached storage (NAS) devices.” The advisory summarizes the VPNFilter malware it replaces, and provides more detail on Cyclops Blink, as well as the associated TTPs used by Sandworm. Finally, recommended mitigations are provided to help organizations defend against this malware. Read the full advisory at CISA here.