The US authorities took action against a global botnet known as ‘Cyclops Blink’, made up of thousands of infected network hardware devices worldwide and allegedly controlled by the Sandworm advanced persistent threat (APT) group, which is believed to be a unit of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU).
As part of the operation conducted in March 2022, the FBI copied and removed the Cyclops Blink malware from vulnerable internet-connected firewall devices that Sandworm used for command and control of the underlying botnet.
The Cyclops Blink malware has been circulating since June 2019 and appears to be a successor to VPNFilter, another Sandworm botnet, which was dismantled in 2018.
“However, WatchGuard and ASUS devices that acted as bots may remain vulnerable to Sandworm if device owners do not take the WatchGuard and ASUS recommended detection and remediation steps. The department strongly encourages network defenders and device owners to review the Feb. 23 advisory and WatchGuard and ASUS releases,” the US Department of Justice warned in a press release.
“The operation announced today leveraged direct communications with the Sandworm malware on the identified C2 devices and, other than collecting the underlying C2 devices’ serial numbers through an automated script and copying the C2 malware, it did not search for or collect other information from the relevant victim networks. Further, the operation did not involve any FBI communications with bot devices,” the agency added.
Cybersecurity Help statement on the critical situation in Ukraine
On February 24, people in many cities and towns across Ukraine woke up to the sounds of explosions and artillery fire, as the Russian Federation launched a full-scale invasion of the country. Such actions are unacceptable; the political ambitions of any man aren’t worth the blood, tears, and destruction of millions of lives. We give our full support to the Ukrainian people in these hard times. No more war! Glory to Ukraine!