The wave of cyber justice continues to crash down on Russian threat actors: the U.S. Department of Justice (DOJ) announced an operation that successfully disrupted "Cyclops Blink," a botnet controlled by the Russian Federation's Main Intelligence Directorate (GRU).
Cyclops Blink was a two-tiered global botnet of thousands of infected network hardware devices, according to the DOJ. The botnet was controlled by a threat actor known as Sandworm, whom the U.S. government has connected to the GRU.
The DOJ discusses the operation in a recent statement:
"The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet. Although the operation did not involve access to the Sandworm malware on the thousands of underlying victim devices worldwide, referred to as 'bots,' the disabling of the C2 mechanism severed those bots from the Sandworm C2 devices' control."
Assistant Attorney General Matthew Olsen of the DOJ's National Security Division said this was made possible due to working closely with WatchGuard and other government agencies in the U.S. and U.K., highlighting the strength that public-private partnerships can bring to cybersecurity.
How was Cyclops Blink shut down?
Back in February, the U.K.'s National Cyber Security Centre (NCSC), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the National Security Agency (NSA) released a security advisory identifying Cyclops Blink malware that targeted network devices manufactured by WatchGuard Technologies Inc. (WatchGuard) and ASUSTek Computer Inc. (ASUS).
The DOJ says these network devices are typically located on the perimeter of the victim's network, giving Sandworm the ability to conduct malicious cyber activities against all computers on those networks.
That same day, WatchGuard and ASUS released detection and remediation tools so their users could remove malware and patch their devices with the latest firmware. This resulted in the successful remediation of thousands of devices, but roughly one month later, a majority of the originally compromised devices remained infected.
The DOJ describes the next steps the department took:
"Following the initial court authorization on March 18, the department's operation was successful in copying and removing the malware from all remaining identified C2 [command and control] devices. It also closed the external management ports that Sandworm was using to access those C2 devices, as recommended in WatchGuard's remediation guidance (a non-persistent change that the owner of an affected device can reverse through a device restart).
These steps had the immediate effect of preventing Sandworm from accessing these C2 devices, thereby disrupting Sandworm's control of the infected bot devices controlled by the remediated C2 devices."
Although the operation was successful, the DOJ notes that WatchGuard and ASUS devices may remain vulnerable to Sandworm if device owners do not take the recommended detection and remediation steps.
For more information on Cyclops Blink and how it was disrupted, read the statement from the DOJ.