The US Justice Department has announced that the FBI has disrupted the Cyclops Blink botnet, which they say was under the control of the Sandworm group – a threat actor that has been previously attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU).
“The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet. Although the operation did not involve access to the Sandworm malware on the thousands of underlying victim devices worldwide, referred to as ‘bots,’ the disabling of the C2 mechanism severed those bots from the Sandworm C2 devices’ control,” the US DOJ stated.
What happened and what should affected device owners do?
Details about Cyclops Blink were shared in late February by the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC).
The malware targeted networking devices (firewalls and routers) by WatchGuard and ASUS.
“These network devices are often located on the perimeter of a victim’s computer network, thereby providing Sandworm with the potential ability to conduct malicious activities against all computers within those networks,” the DOJ stated. But, according to Attorney General Merrick B. Garland, they were able to disable the GRU’s control over those devices before the botnet could be weaponized.
The two agencies consider the malware to be a replacement for the VPNFilter malware, previously used by the Sandworm group to rope various network devices into a botnet.
Unfortunately, the Cyclops Blink malware can’t be flushed from infected devices by simply rebooting the device, so owners of WatchGuard and ASUS devices are advised to check whether they have been compromised and, if they have, to perform a set of actions to clean up the device and prevent a Cyclops Blink infection at a later date.
WatchGuard’s guidance on what to do can be found here, and ASUS’s here.
The FBI accessed the domestic C2 devices to copy and remove the malware, but provided notice to the owners of their action (as required by the court). They have also closed the external management ports that Sandworm was using to access those C2 devices – “a change that the owner of an affected device can reverse through a device restart.”
“The operation announced today leveraged direct communications with the Sandworm malware on the identified C2 devices and, other than collecting the underlying C2 devices’ serial numbers through an automated script and copying the C2 malware, it did not search for or collect other information from the relevant victim networks. Further, the operation did not involve any FBI communications with bot devices,” the DOJ stated.
“Since prior to the Feb. 23 advisory, the FBI has been attempting to provide notice to owners of infected WatchGuard devices in the United States and, through foreign law enforcement partners, abroad. For those domestic victims whose contact information was not publicly available, the FBI has contacted providers (such as a victim’s internet service provider) and has asked those providers to provide notice to the victims.”