
Intelligence agencies in the U.K. and the U.S. disclosed details of a new botnet malware called Cyclops Blink that’s been attributed to the Russian-backed Sandworm hacking group and deployed in attacks dating back to 2019.

“Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office (SOHO) routers, and network-attached storage (NAS) devices,” the agencies said. “In common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread.”

The joint government advisory comes from the U.K. National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) in the U.S.

Sandworm, aka Voodoo Bear, is the name assigned to a highly advanced adversary operating out of Russia that has been active since at least 2008. The hacking group has displayed a particular focus on targeting entities in Ukraine and is alleged to be behind the Ukrainian energy sector attacks that caused widespread power outages in late 2015.

In October 2020, the threat actor was formally linked to Russia’s General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST), military unit 74455.

VPNFilter was first documented by Cisco Talos in May 2018, which described it as a “sophisticated modular malware system” that overlaps with Sandworm’s BlackEnergy malware and includes capabilities supporting both intelligence collection and destructive cyber attack operations.
