US authorities take down GRU-controlled Cyclops Blink botnet

Russia-backed Sandworm group was using the malware on WatchGuard Firebox firewall appliances and multiple ASUS router models

The US government announced on Wednesday that it had successfully deactivated a massive botnet of hardware devices controlled by the Sandworm hacking group, which is believed to be run by Unit 74455 of the Russian Main Intelligence Directorate (GRU).

The Federal Bureau of Investigation (FBI) worked with security vendor WatchGuard in a court-approved operation in March 2022 to copy and remove the Cyclops Blink malware from vulnerable internet-connected firewall devices that Sandworm exploited for command and control (C2) of the underlying botnet.

According to the US Justice Department, the operation disrupted the GRU's control over thousands of infected devices in multiple countries.

"This court-authorised removal of malware deployed by the Russian GRU demonstrates the department's commitment to disrupt nation-state hacking using all of the legal tools at our disposal," said Assistant Attorney General Matthew G. Olsen of the Justice Department's National Security Division.

"The department remains committed to confronting and disrupting nation-state hacking, in whatever form it takes."

FBI Director Chris Wray said the botnet was taken down following close cooperation with WatchGuard, which was involved in analysing the malware and creating detection tools and remediation techniques.

In February, the US and UK cybersecurity agencies published a joint advisory, warning that Sandworm group was using the new Cyclops Blink malware on WatchGuard Firebox firewall appliances and multiple ASUS router models.

Because these devices often sit on the perimeter of a victim's network, they provide Sandworm with the capacity to perform a variety of malicious activities, such as espionage or the deployment of more severe malware, against machines within those networks.

The joint advisory by US and UK agencies described Cyclops Blink as 'professionally developed' malware that employs a modular structure to enable attackers to distribute second-stage payloads to infected devices.

The advisory warned that the malware was capable of downloading and executing files on the devices, while its modular nature allows implementing additional capabilities as required.

The official said they believed the Sandworm group (also known as Voodoo Bear, BlackEnergy, and TeleBots) developed the new malware to replace a prior botnet that was formed using the earlier VPNFilter malware and was sinkholed by the FBI in May 2018.

The Justice Department said that their operation did not include access to the Sandworm malware on the thousands of individual infected devices worldwide, and that deactivating the C2 mechanism isolated these bots from being controlled by the Sandworm C2 devices.

Before removing the Cyclops Blink malware, the FBI alerted owners of affected devices in the United States and overseas through international law enforcement partners.

Following notices provided by the FBI, victims in the United States whose contact information could not be located were contacted by their providers.

WatchGuard has published detailed instructions for restoring infected Firebox appliances to a clean condition and updating them to the newest Fireware OS version to avoid further infections.

ASUS has also issued its own instructions to assist users of infected ASUS devices in mitigating the threats presented by the Cyclops Blink malware.