U.S. Disrupts Russian Botnet
The Cyclops Blink botnet, which the U.S. has removed from vulnerable internet-connected firewall devices, has been linked to the Russian hacking group Sandworm.
The U.S. government continues to carry out enforcement actions to disrupt and prosecute malicious cyber activity. Given the political climate, the fact that this week's action happens to come against a botnet distributing malware controlled by Russia’s military intelligence service can be viewed as a timely win.
Attorney General Merrick Garland disclosed in a press conference Wednesday morning that the U.S. government had disrupted Sandworm's Cyclops Blink botnet, operated by Russia's GRU military intelligence agency, before it could be used in attacks. Garland said "the Russian government has recently used similar infrastructure to attack Ukrainian targets" but that the U.S. was able to disrupt it before it could be used for similar purposes.
As part of the action, U.S. authorities, working with other government agencies in the United States and the United Kingdom, copied and removed the malware from devices, firewalls and routers, that Sandworm had infected and used as command-and-control (C2) servers.
Sandworm, perhaps the best known Russian nation-state hacking group, was responsible for the BlackEnergy attack on Ukraine's electric grid in 2015, the Industroyer grid attack in 2016, and the NotPetya campaign in 2017, a destructive wiper disguised as ransomware.
Cyclops Blink, essentially a replacement framework for the VPNFilter malware that was exposed in 2018, infects network devices, including the previously mentioned routers, internet of things devices, and network attached storage (NAS) devices.
Authorities, including the United Kingdom's National Cyber Security Centre, CISA, the National Security Agency, and the Federal Bureau of Investigation, all sounded the alarm over the malware last month and provided details on it, such as how it maintains persistence. The agencies also provided mitigation measures to help organizations defend against it, along with the tactics, techniques, and procedures (TTPs) involved, mapped to the MITRE ATT&CK framework.
VPNFilter was exposed back in 2018 by Cisco Talos researchers, around the same time it was spotted infecting victims in Ukraine and in South Korea, host of the 2018 Winter Olympics. While Cyclops Blink took over in 2019 as a new, more advanced framework, the agencies were prompted to issue a warning last month after analyzing two samples the FBI had acquired from WatchGuard devices that had been absorbed into the botnet.
The attackers have mostly targeted Firebox appliances produced by WatchGuard, small, red-colored networking devices, that had been reconfigured from their default settings to expose their remote management interfaces to the internet, which is what opened the door to the attack.
According to the Department of Justice, the enforcement action was carried out on March 18, after obtaining authorization from the courts.
"The department’s operation was successful in copying and removing the malware from all remaining identified C2 devices. It also closed the external management ports that Sandworm was using to access those C2 devices," an announcement, released after Garland’s press conference, says. “These steps had the immediate effect of preventing Sandworm from accessing these C2 devices, thereby disrupting Sandworm’s control of the infected bot devices controlled by the remediated C2 devices.”
If you have any equipment manufactured by WatchGuard or ASUSTek, whose devices may also be implicated, you may not be in the clear yet, though.
While both companies have released tools and guidance to remove the malware, the DOJ says devices that may have acted as bots may still be vulnerable if users don't follow the outlined actions.
Users, if they haven't already, should follow the instructions published by WatchGuard and ASUS, apply the requisite updates and, if necessary, use the vendors' detection and remediation tools to ensure their devices aren't affected.