Select Page

The U.S. Department of Justice (DoJ) announced that it neutralized Cyclops Blink, a modular botnet controlled by a threat actor known as Sandworm, which has been attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

“The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command-and-control (C2) of the underlying botnet,” the DoJ said in a statement Wednesday.

In addition to disrupting its C2 infrastructure, the operation also closed the external management ports that the threat actor used to establish connections with the firewall appliances, effectively severing contact and preventing the hacking group from using the infected devices to commandeer the botnet.

The March 22 court-authorized disruption of Cyclops Blink comes a little over a month after intelligence agencies in the U.K. and the U.S. described the botnet as a replacement framework for the VPNFilter malware that was exposed and sinkholed in May 2018.

Cyclops Blink, which is believed to have emerged as early as June 2019, primarily targeted WatchGuard firewall appliances and ASUS routers, with the Sandworm group leveraging a previously identified security vulnerability in WatchGuard’s Firebox firmware as an initial access vector.

images from Hacker News