Cyclops Blink, a global botnet controlled by the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU), has been disrupted by the US Justice Department.
The world is full of botnets, sometimes controlled by criminals looking to deploy them in vast DDoS attacks that can be powerful enough to cripple a business or an essential service. Many of these botnets are made of compromised Internet of Things devices, sometimes even internet routers and access points.
This latest DOJ operation is part of an international effort to bring down a botnet made of thousands of compromised devices worldwide under the control of a group named Sandworm, which the US government has previously said is controlled by the GRU.
“Through close collaboration with WatchGuard and our law enforcement partners, we identified, disrupted and exposed yet another example of the Russian GRU’s hacking of innocent victims in the United States and around the world,” said US Attorney Cindy K. Chung for the Western District of Pennsylvania.
“Such activities are not only criminal but also threaten the national security of the United States and its allies. My office remains committed to working with our partners in the National Security Division, the FBI, foreign law enforcement agencies and the private sector to defend and maintain our nation’s cybersecurity.”
An advisory posted in February identified new malware, named Cyclops Blink, that targets network devices manufactured by WatchGuard Technologies Inc (WatchGuard) and ASUSTek Computer Inc (ASUS). The affected devices often sit on the perimeter of a victim’s network, which means the criminals who controlled them typically had a path to the devices inside that network.
Sandworm deployed the malware as part of a firmware update and security researchers said it has likely been active since June 2019. Both companies have been quick to address the vulnerabilities and issued patches for the affected devices.
The FBI also contacted the owners of the domestic command-and-control (C2) devices from which it copied and removed the Cyclops Blink malware. Overall, thousands of bots were rendered inoperative, effectively crippling the botnet and disrupting the entire operation.