John Martin Tech 04.06.2022 22:Apr PM EDT

FBI Successfully Removes Threat of Russian Malware 'Cyclops Blink' Before Weaponization

The FBI successfully prevented the further spread of the "Cyclops Blink" malware that has been terrorizing ASUS and WatchGuard devices. Believing that the malware came from a Russia-linked threat actor dubbed Sandworm, the court authorized U.S. law enforcement to disrupt the botnet orchestrating the infection.

The Russian malware has been a menace since its discovery in February before the FBI stepped in to stop the threat. The court-authorized operation was conducted in March.

To the FBI's delight, Russian control over the botnet was disrupted before it can be weaponized.

How Sandworm Orchestrated the Cyclops Blink Malware Infection

The culprit behind the cyberattack, Sandworm, used a sophisticated mechanism to facilitate the Cyclops Blink malware infection.

According to a National Cyber Security Centre (NCSC) advisory, Cyclops Blink is a "large-scale modular malware framework which is affecting network devices." In simpler terms, Sandworm uses a large-scale "botnet" to attach itself to devices for malicious purposes later on.

For those unfamiliar with the meaning of botnet, it is just slang for "robot network." As the name implies, the robot network is basically a network of "slave" computers or devices all connected to one master computer that can control and use them for malicious uses like a distributed denial-of-service attack (DDoS), attempting password cracks, stealing network traffic, or upload and download files to the infected device.

In Cyclops Blink's case, Sandworm is in possession of the master computer and the slave computers are WatchGuard and ASUS devices, primarily the former.

Luckily, the FBI neutralized the threat before the slave computers can be weaponized. But U.S. authorities did not delete the malware entirely. They simply copied the master computer's commands and ordered the slave computers to uninstall the Cyclops Blink malware and block any future installation via firewall settings manipulation.

Cyclops Blink Malware Origins

The Cyclops Blink malware appears to have been existing since 2019 and believed by the NCSC to be the successor to another similar botnet VPNFilter, also belonging to Sandworm.

VPNFilter was also the subject of a court-authorized disruption in 2018.

Sandworm must have learned from the previous botnet's demise because Cyclops Blink was identified to be a more advanced version. "The Sandworm actor, which the UK and US have previously attributed to the Russian GRU, has replaced the exposed VPNFilter malware with a new more advanced framework," said the National Cyber Security Centre.

The Russian GRU is the Main Directorate of the General Staff of the Armed Forces of the Russian Federation. In other words, Sandworm and its malicious activities are believed to be state-sponsored by the Russian government.

Top intelligence agencies around the world have identified these incidents as orchestrated by Sandworm:

The BlackEnergy disruption of Ukrainian electricity (2015)
Industroyer (2015)
NotPetya (2017)
Attacks against the Winter Olympics and Paralympics (2018)
A series of disruptive attacks against Georgia (2019)

Law enforcement agencies are still on the alert to what other cybersecurity threats pop out. With the help of private entities, they are hopeful that they can disrupt the next one.

"The FBI prides itself on working closely with our law enforcement and private sector partners to expose criminals who hide behind their computer and launch attacks that threaten Americans' safety, security and confidence in our digitally connected world," said Special Agent in Charge, Mike Nordwall of the FBI's Pittsburgh Field Office.

To know more about botnets, see the video below.