US disrupts Cyclops Blink Botnet Prior to Being Used in Attacks

According to US government officials, the Cyclops Blink botnet was disrupted before it could be used in attacks by the Russian-backed Sandworm hacking group.

The Sandworm hacking group used the malware to create the botnet around June 2019. It has been used in hacking campaigns targeting WatchGuard Firebox firewall appliances and numerous ASUS router models.

The Cyclops Blink botnet allows attackers to establish persistence on a device through firmware updates, enabling remote access to compromised networks. Being modular in nature, the malware is easy to upgrade to target new devices and tap into new pools of exploitable hardware.

US Attorney General Merrick Garland said, “We are announcing today [..] the disruption of a global botnet controlled by the Russian military intelligence agency, commonly known as the GRU. The Russian government has recently used similar infrastructure to attack Ukrainian targets. Fortunately, we were able to disrupt this botnet before it could be used.”

He further added, “Thanks to our close work with international partners we were able to detect the infection of thousands of network hardware devices. We were then able to disable the GRU’s control over those devices before the botnet could be weaponized.”

US Justice Department operations since March 18 have removed the malware from all identified WatchGuard devices that acted as command and control servers. Victims of the attacks in the US and abroad were notified by the relevant law enforcement partners, and US victims with missing contact information were tracked down by their providers following notices issued by the FBI.

According to FBI Director Chris Wray, “I should caution that as we move forward, any Firebox devices that acted as bots may still remain vulnerable in the future until mitigated by their owners. So those owners should still go ahead and adopt WatchGuard’s detection and remediation steps as soon as possible.”

He further added, “Sandworm strung them together to use their computing power in a way that would obfuscate who was really running the network and let them launch malware or to orchestrate distributed denial of service attacks, like the GRU has already used to attack Ukraine.”

About Sandworm Hacking Group

The Sandworm hacking group (also known as Voodoo Bear, BlackEnergy, and TeleBots), which is behind the Cyclops Blink botnet, is a Russian-sponsored hacking group active since the mid-2000s.

They are believed to be Russian military hackers belonging to Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).

The group was earlier linked to the BlackEnergy malware, the culprit behind blackouts in Ukraine in 2015 and 2016 [1, 2, 3], to KillDisk wiper attacks against Ukrainian banks, and to the NotPetya ransomware, which has caused billions of dollars’ worth of damage worldwide since June 2017.

While talking to the media John Hultquist, Mandiant VP of Intelligence Analysis said, “Sandworm is the premier Russian cyberattack capability and one of the actors we have been most concerned about in light of the invasion. We are concerned that they could be used to hit targets in Ukraine, but we are also concerned they may hit targets in the West in retribution for the pressure being placed on Russia.”
