DOJ Disrupts Russia-Linked APT's Malware, 'Cyclops Blink'
Operation Removed Malware From Thousands of Vulnerable Devices
The Justice Department has announced that it has successfully disrupted "Cyclops Blink," a botnet controlled by the Russia-linked threat actor Sandworm, aka Voodoo Bear. The court-authorized operation was conducted in March and removed the botnet from thousands of infected devices worldwide (see: Analysis: Russia's Sandworm Hacking Campaign).
Cyclops Blink is a malicious Linux ELF executable; ELF is the standard binary format for executables on Linux systems. The malware, which has been active since June 2019, affects small office/home office network devices, especially those from network security vendor WatchGuard.
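As an added illustration of the point above (this is example code, not from the article, the DOJ, WatchGuard, or any Cyclops Blink analysis), here is a small Python parser for the ELF file header, the kind of first check a defender runs when triaging a suspicious binary recovered from a network appliance: it verifies the magic bytes, class (32- or 64-bit), endianness, file type and target CPU, and rejects anything malformed. The sample headers are constructed inline with the `build_header` helper for demonstration and do not come from any real malware sample; the `E_MACHINE` table is a small subset of the ELF specification's values.

```python
import struct

ELF_MAGIC = b"\x7fELF"

# Subset of e_machine values from the ELF specification, chosen to cover
# CPU families common in SOHO and network-appliance firmware.
E_MACHINE = {3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM", 62: "x86-64", 183: "AArch64"}
E_TYPE = {1: "REL (relocatable)", 2: "EXEC (executable)", 3: "DYN (shared object / PIE)", 4: "CORE"}

# Field layout after the 16-byte e_ident. ELF32 and ELF64 differ only in the
# width of e_entry, e_phoff and e_shoff (4 vs. 8 bytes).
FMT32 = "HHIIIIIHHHHHH"   # 36 bytes -> 52-byte header
FMT64 = "HHIQQQIHHHHHH"   # 48 bytes -> 64-byte header


def parse_elf_header(data: bytes) -> dict:
    """Parse an ELF file header and return its key fields.

    Raises ValueError when the input does not start with a well-formed header,
    so a caller can treat any exception as "not a usable ELF binary".
    """
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file: bad magic")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2):
        raise ValueError(f"bad EI_CLASS {ei_class}")
    if ei_data not in (1, 2):
        raise ValueError(f"bad EI_DATA {ei_data}")
    endian = "<" if ei_data == 1 else ">"
    fmt = endian + (FMT32 if ei_class == 1 else FMT64)
    size = 16 + struct.calcsize(fmt)
    if len(data) < size:
        raise ValueError("truncated ELF header")
    (e_type, e_machine, _e_version, e_entry, _e_phoff, _e_shoff, _e_flags,
     e_ehsize, _e_phentsize, e_phnum, _e_shentsize, e_shnum, _e_shstrndx) = struct.unpack(fmt, data[16:size])
    # The header records its own size; a mismatch with the class-implied size
    # is a cheap sign of corruption or tampering.
    if e_ehsize != size:
        raise ValueError(f"e_ehsize {e_ehsize} does not match expected {size}")
    return {
        "class": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": E_TYPE.get(e_type, f"unknown ({e_type})"),
        "machine": E_MACHINE.get(e_machine, f"unknown ({e_machine})"),
        "entry": e_entry,
        "phnum": e_phnum,
        "shnum": e_shnum,
    }


def is_elf(data: bytes) -> bool:
    """True if the blob parses as a well-formed ELF header."""
    try:
        parse_elf_header(data)
        return True
    except ValueError:
        return False


def build_header(bits: int, endian: str, e_type: int, e_machine: int, entry: int) -> bytes:
    """Construct a bare ELF header (no program or section tables) for demonstration."""
    prefix = "<" if endian == "little" else ">"
    e_ident = ELF_MAGIC + bytes([1 if bits == 32 else 2, 1 if endian == "little" else 2, 1, 0]) + bytes(8)
    if bits == 32:
        fmt, ehsize, phentsize, shentsize = prefix + FMT32, 52, 32, 40
    else:
        fmt, ehsize, phentsize, shentsize = prefix + FMT64, 64, 56, 64
    return e_ident + struct.pack(fmt, e_type, e_machine, 1, entry, 0, 0, 0,
                                 ehsize, phentsize, 0, shentsize, 0, 0)


# Constructed samples: a big-endian 32-bit PowerPC executable, a little-endian
# 64-bit x86-64 PIE, and a shell script that should be rejected outright.
SAMPLE_PPC32 = build_header(32, "big", 2, 20, 0x10000100)
SAMPLE_X86_64 = build_header(64, "little", 3, 62, 0x1040)
NOT_ELF = b"#!/bin/sh\necho hello\n"


def triage(blobs: dict) -> dict:
    """Summarize each named blob as a header dict or the string 'not ELF'."""
    return {name: (parse_elf_header(b) if is_elf(b) else "not ELF") for name, b in blobs.items()}


if __name__ == "__main__":
    for name, info in triage({"ppc": SAMPLE_PPC32, "x64": SAMPLE_X86_64, "script": NOT_ELF}).items():
        print(name, info)
```

Real triage would follow this with hashing and comparison against the vendor's published indicators of compromise; the header check only tells you what kind of binary you are looking at and whether it claims an architecture that matches the appliance it came from.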
Operation 'Copy and Remove'
The court authorized the FBI operation on March 18. The Justice Department called the operation "successful" after it had copied and removed the malware from all remaining identified C2 devices.
"The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command and control of the underlying botnet. Although the operation did not involve access to the Sandworm malware on the thousands of underlying victim devices worldwide, referred to as "bots," the disabling of the C2 mechanism severed those bots from the Sandworm C2 devices' control," according to the DOJ.
The threat group, Sandworm, which is linked to the Russian GRU's Main Center for Special Technologies, introduced Cyclops Blink as a replacement for the VPNFilter malware, which was exposed by the FBI in 2018 (see: New Malware in Russia-Linked Sandworm's Portfolio).
VPNFilter had infected routers made by companies including Linksys, MikroTik, Netgear, QNAP and TP-Link in 54 countries, including the U.S., according to a report by technology firm Cisco Talos.
The DOJ on Wednesday also warns that the victims must take additional steps to remediate the vulnerability and prevent malicious actors from exploiting unpatched devices.
"Through close collaboration with WatchGuard and our law enforcement partners, we identified, disrupted and exposed yet another example of the Russian GRU's hacking of innocent victims in the United States and around the world," says U.S. Attorney Cindy K. Chung of the Western District of Pennsylvania. "Such activities are not only criminal but also threaten the national security of the United States and its allies."
The DOJ says that the operation also closed the external management ports that Sandworm was using to access those C2 devices, a step recommended in WatchGuard's remediation guidance. Closing the ports immediately prevented Sandworm from reaching the C2 devices and thereby disrupted its control of the infected bots that those devices managed.
"WatchGuard and ASUS devices that acted as bots may remain vulnerable to Sandworm if device owners do not take the WatchGuard and ASUS recommended detection and remediation steps. The department strongly encourages network defenders and device owners to review the Feb. 23 advisory and WatchGuard and ASUS releases," the DOJ says.
The FBI communicated directly with the Sandworm malware on the identified C2 devices and collected only those devices' serial numbers, using an automated script, along with a copy of the C2 malware itself.
"It did not search for or collect other information from the relevant victim networks. Further, the operation did not involve any FBI communications with bot devices," the DOJ says. "Since prior to the Feb. 23 advisory, the FBI has been attempting to provide notice to owners of infected WatchGuard devices in the United States and, through foreign law enforcement partners, abroad."
For domestic victims whose contact information was not publicly available, the DOJ says that the FBI contacted the victims' internet service providers and asked them to notify the victims.
"As required by the terms of the court authorization, the FBI has provided notice to the owners of the domestic C2 devices from which the FBI copied and removed the Cyclops Blink malware," DOJ says.
WatchGuard previously released detection and remediation tools for users of WatchGuard devices. The advisory and WatchGuard's guidance both recommended that device owners deploy WatchGuard’s tools to remove any malware infection and patch their devices to the latest versions of available firmware.
ASUS released its own guidance to help compromised ASUS device owners mitigate the threat posed by Cyclops Blink malware.
"The public and private sector efforts were effective, resulting in the successful remediation of thousands of compromised devices. However, by mid-March, a majority of the originally compromised devices remained infected," the DOJ says.
On Feb. 23, the U.K. National Cyber Security Centre, the U.S. Cybersecurity and Infrastructure Security Agency, the FBI and the National Security Agency released an alert identifying the Cyclops Blink malware, which targets network devices manufactured by WatchGuard Technologies and ASUS.
The alert said these network devices sit on the perimeter of a victim's computer network, which gives Sandworm the potential ability to conduct malicious activities against all computers within those networks.
It also contains details about Cyclops Blink, as well as information on the tactics, techniques and procedures and indicators of compromise associated with the threat group.
"Sandworm is the premier Russian cyberattack capability and one of the actors we have been most concerned about in light of the invasion. We are concerned that they could be used to hit targets in Ukraine, but we are also concerned they may hit targets in the West in retribution for the pressure being placed on Russia," says John Hultquist, vice president of intelligence analysis at Mandiant.