Cyclops Blink: US and UK uncover new malware used by Russian Sandworm to target network devices

US and UK agencies uncover new malware used by Russia-backed Sandworm group to target network devices


Allows attackers to distribute second-stage payloads to infected devices

US and UK cybersecurity agencies have published a joint Cybersecurity Advisory (CSA) detailing a new malware strain being used by a notorious Russia-backed hacking group to target home and office networking devices.

The malware, known as Cyclops Blink, is linked to the Sandworm hacking gang, which is thought to be run by Unit 74455 of the Russian Main Intelligence Directorate, a military intelligence agency of the Russian Armed Forces.

The agencies said they believe the Sandworm group (also known as Voodoo Bear, BlackEnergy, and TeleBots) developed the new malware to replace a prior botnet that was built using the earlier VPNFilter malware and was sinkholed by the FBI in May 2018.

The UK National Cyber Security Centre (NCSC) said the deployment of Cyclops Blink could enable Sandworm to remotely access networks.

The new malware is thought to have been active since June 2019. So far, Sandworm has mostly used it on WatchGuard devices.

WatchGuard Technologies is a network security firm that develops technologies to defend computer networks from outside threats.

The joint advisory described Cyclops Blink as 'professionally developed' malware that uses a modular structure to enable attackers to distribute second-stage payloads to infected devices. It is capable of downloading and executing files on the devices, while its modular nature allows implementing additional capabilities as required.

Cyclops Blink persists across reboots and legitimate firmware updates, the agencies warned.

In its own advisory released on Wednesday, WatchGuard said that Cyclops Blink may have affected a limited number of WatchGuard firewall appliances. The firm said that the attackers likely leveraged a weakness in earlier Firebox firmware as an entry point, a vulnerability that was patched in May 2021.

WatchGuard claims to have developed a remediation for Cyclops Blink and says it is working closely with the US FBI, CISA, DOJ and the UK's NCSC on the issue.

'Firewall appliances are not at risk if they were never configured to allow unrestricted management access from the internet,' it said.

'Restricted management access is the default setting for all WatchGuard's physical firewall appliances.'
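The risk factor WatchGuard singles out is a management interface reachable from any internet source. The following audit script is an added example, not part of the advisory or WatchGuard's own tooling; it uses a constructed, simplified rule representation rather than WatchGuard's configuration syntax, and the management ports it checks are an assumed placeholder set.

```python
"""Flag firewall management-access rules that expose an admin service to the
whole internet. Added example: the Rule format, the sample rules and the
MANAGEMENT_PORTS set are all constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List

# Assumed management services (placeholder set): SSH and the HTTPS admin UI.
MANAGEMENT_PORTS = {22, 443}


@dataclass
class Rule:
    name: str
    src: str          # CIDR the rule accepts connections from
    dst_port: int     # destination port on the appliance itself
    interface: str    # "external" marks an internet-facing interface


def is_unrestricted_mgmt(rule: Rule) -> bool:
    """True when a management port is reachable from any address on an
    internet-facing interface, i.e. the 'unrestricted management access'
    condition the vendor advisory describes as the risk factor."""
    net = ipaddress.ip_network(rule.src, strict=False)
    any_source = net.prefixlen == 0          # 0.0.0.0/0 or ::/0
    return (rule.interface == "external"
            and rule.dst_port in MANAGEMENT_PORTS
            and any_source)


def audit(rules: List[Rule]) -> List[str]:
    """Return the names of rules that should be tightened to a trusted
    source range (or removed) before the appliance is considered safe."""
    return [r.name for r in rules if is_unrestricted_mgmt(r)]


# Constructed sample ruleset: one rule is the weak setting, the others are the
# restricted form (trusted source range, or an internal interface only).
SAMPLE_RULES = [
    Rule("mgmt-from-anywhere", "0.0.0.0/0", 443, "external"),   # weak
    Rule("mgmt-from-ops-vpn", "203.0.113.0/24", 443, "external"),  # restricted
    Rule("mgmt-internal-ssh", "0.0.0.0/0", 22, "trusted"),      # not internet-facing
    Rule("web-server-publish", "0.0.0.0/0", 80, "external"),    # not a management port
]

if __name__ == "__main__":
    for name in audit(SAMPLE_RULES):
        print(f"unrestricted management access: {name}")
```

Running the script on the constructed ruleset reports only `mgmt-from-anywhere`; the same source-any check applied to an internal interface or to a non-management port is not flagged, which is the distinction the vendor statement draws.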

There is no proof of data exfiltration from the company or its customers, according to WatchGuard.

The joint advisory by UK and US authorities also details steps for identifying and removing a Cyclops Blink infection, as well as mitigation guidance to assist organisations.

The warning, according to Mandiant, is a reminder of the potential devastation that could be inflicted by Sandworm, which has been accused of carrying out the disastrous NotPetya attack on Ukraine in 2017.

In May 2020, the NSA also warned American organisations of a Russian hacking campaign by the Sandworm group, exploiting a bug in commonly used email software to target private firms and organisations.

The same year, the NCSC accused the Russian GRU's Unit 74455 of attempting to disrupt the 2020 Olympic and Paralympic Games, which were postponed because of the pandemic.

The NCSC said Unit 74455 was involved in cyber reconnaissance operations against sponsors, organisers and logistics suppliers for the 2020 Olympic Games, and that the malicious activity had continued for months before the Organising Committee postponed the event.