The US Department of Justice conducted an operation in March that removed malware known as “Cyclops Blink” from vulnerable Internet-connected firewall devices, the Department said on Wednesday. The operation disrupted the control that the Russian Federation’s main intelligence agency (GRU) held over a global botnet of thousands of infected devices.
The Cyclops Blink malware specifically targeted WatchGuard and Asus network devices. A threat actor known as Sandworm (which the US government has previously attributed to the GRU) used the malware to command and control the underlying botnet. By disabling the command-and-control mechanism, the Justice Department was able to cut Sandworm off from the network of bots.
However, WatchGuard and Asus devices that acted as bots could remain vulnerable to Sandworm if device owners do not take the remedial actions advised by WatchGuard and Asus, the Justice Department warned.
Several DOJ agencies, together with the US National Security Agency and the UK’s National Cyber Security Centre, first identified the Cyclops Blink malware in an advisory issued on February 23. The advisory explained that the malware appeared to have surfaced as early as June 2019, as the apparent successor to another Sandworm botnet that the DOJ disrupted in 2018.
On the same day as the advisory, WatchGuard released discovery and recovery tools for WatchGuard device users. Later, Asus released its own guidelines to help owners of compromised Asus devices. By mid-March, however, a majority of the originally compromised devices remained infected.
The DOJ’s subsequent operation removed the malware from all remaining identified command-and-control devices by communicating directly with the Sandworm malware. Other than collecting the serial numbers of the underlying command-and-control devices via an automated script and copying the malware, the DOJ did not seek or collect any information from the affected victim networks, the department said. The operation also did not involve any FBI communications with the bot devices themselves.
The DOJ operation demonstrated “the department’s commitment to disrupt nation-state hacking using all the legal tools at our disposal,” Assistant Attorney General Matthew G. Olsen said in a statement. “By working closely with WatchGuard and other government agencies in this country and the UK to analyze the malware and develop detection and remediation tools, we are demonstrating the power that public-private partnerships bring to our country’s cybersecurity.”