FBI Disables “Cyclops Blink” Botnet Controlled by Russian Intelligence Agency
The U.S. government on Wednesday announced that it had neutralized a massive botnet of hardware devices controlled by Russia’s main intelligence agency (GRU).
In the court-approved operation, the Federal Bureau of Investigation (FBI) partnered with Watchguard to copy and remove the “Cyclops Blink” malware that serves as the hub for a large-scale botnet targeting firewall appliances and SOHO networking devices.
Cyclops Blink, which maintains persistence throughout the legitimate device firmware update process, has been directly linked to APT groups associated with the Russian government.
In a statement Wednesday, the U.S. Justice Department said the operation was conducted last month “to disrupt a two-tiered global botnet of thousands of infected network hardware devices under the control of a threat actor known to security researchers as Sandworm.”
The agency said the operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet.
Although the operation did not involve access to the Sandworm malware on the thousands of underlying infected devices worldwide, the Justice Department said the disabling of the C2 mechanism severed those bots from the Sandworm C2 devices’ control.
WatchGuard Technologies, which makes devices that were targeted by the malware, has released detection and remediation tools alongside recommendations for device owners to remove any malware infection and patch their devices to the latest versions of available firmware.
Device maker ASUS also released its own guidance to help compromised ASUS device owners mitigate the Cyclops Blink malware threat.
The Justice Department said the operation led to the successful remediation of thousands of compromised devices but warned that a majority of the originally compromised devices remained infected.