The US Justice Department today revealed details of a court-authorized take-down of command-and-control systems the Sandworm cyber-crime ring used to direct network devices infected by its Cyclops Blink malware.
The move follows a joint security alert in February from US and UK law enforcement that warned of WatchGuard firewalls and ASUS routers being compromised to run Cyclops Blink. This botnet malware – technical breakdown here [PDF] – allows the equipment to be remote controlled to carry out attacks on behalf of its masterminds.
Previously, Uncle Sam said the Sandworm crew worked for the Russian Federation’s GRU espionage nerve-center, which handles foreign intel operations.
“This court-authorized removal of malware deployed by the Russian GRU demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal,” said Assistant Attorney General Matthew Olsen of the Justice Department’s National Security Division.
“By working closely with WatchGuard and other government agencies in this country and the UK to analyze the malware and to develop detection and remediation tools, we are together showing the strength that public-private partnership brings to our country’s cybersecurity. The department remains committed to confronting and disrupting nation-state hacking, in whatever form it takes.”
During the March 22 court-authorized operation, the Feds removed malicious code from “thousands” of firewall appliances that Sandworm compromised to act as command-and-control systems (C2) for the Cyclops Blink botnet. This cut off communications between the cyber-crew and their bots on infected equipment.
The operation did not, however, access the remote-control Cyclops Blink malware on thousands of individual devices worldwide. The Feds took a note of the C2 devices’ serial numbers using an automated script, and a copy of the malicious code. Agents “did not search for or collect other information from the relevant victim networks,” according to the Justice Department.
The operation also did not involve any FBI communications with bot devices, the Feds added.
On February 23, the UK National Cyber Security Center and several US agencies, including CISA, the FBI and the NSA, released an advisory identifying Cyclops Blink, which the organizations said looked to be Sandworm’s replacement for VPNFilter.
As readers likely remember, VPNFilter was the 2018 software nasty that targeted routers and storage devices. And Sandworm is the crew that carried out several high-profile attacks including the 2015 and 2016 cyber-assaults on Ukraine’s electrical grid, NotPetya in 2017, and the French presidential campaign email leak that same year.
In the joint February alert, the agencies noted that Cyclops Blink targeted WatchGuard and ASUS hardware. Because these devices usually sit on the perimeter of a victim’s network, they give Sandworm the ability to conduct all manner of malicious activity, such as espionage or deploying more destructive malware, against computers within those networks.
An additional alert by Trend Micro suggested Cyclops Blink was an attempt to turn these compromised devices into C2 servers for future attacks.
The same day as the governments’ security advisory, WatchGuard released detection and remediation tools for its devices and recommended customer deploy the tools immediately to remove any remote-control malware. Shortly after, ASUS released its own guidance. According to the Justice Department, by mid-March, a majority of the compromised appliances were still infected with Cyclops Blink.
These WatchGuard and ASUS devices that acted as bots need to be patched and cleaned out of malicious code.
“The department strongly encourages network defenders and device owners to review the February 23 advisory and WatchGuard and ASUS releases,” the Feds advised. ®