The US Justice Department announced on 06 April 2022 a court-authorized operation, conducted in March 2022, to disrupt a two-tiered global botnet of thousands of infected network hardware devices under the control of a threat actor known to security researchers as Sandworm, which the US government has previously attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU).
The malware called “sandworm” is infecting users’ systems, this malware is very dangerous and can be able to make the entire PC infected. This malware travel through a PowerPoint file that refers to an.INF file, INF is a Windows extension given to a special sort of information file that is used while software setup.
The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet. Although the operation did not involve access to the Sandworm malware on the thousands of underlying victim devices worldwide, referred to as “bots,” the disabling of the C2 mechanism severed those bots from the Sandworm C2 devices’ control.
“This court-authorized removal of malware deployed by the Russian GRU demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal,” said the Assistant Attorney General of the Justice Department’s National Security Division. “By working closely with WatchGuard and other government agencies in this country and the United Kingdom to analyze the malware and to develop detection and remediation tools, we are together showing the strength that public-private partnership brings to our country’s cybersecurity. The department remains committed to confronting and disrupting nation-state hacking, in whatever form it takes.”
“Through close collaboration with WatchGuard (https://www.watchguard.com) and our law enforcement partners, we identified, disrupted, and exposed yet another example of the Russian GRU’s hacking of innocent victims in the United States and around the world,” said the US Attorney for the Western District of Pennsylvania. “Such activities are not only criminal but also threaten the national security of the United States and its allies. My office remains committed to working with our partners in the National Security Division, the FBI, foreign law enforcement agencies, and the private sector to defend and maintain our nation’s cybersecurity.”
“This operation is an example of the FBI’s commitment to combatting cyber threats through our authorities, capabilities, and coordination with our partners,” said the Assistant Director of the FBI’s Cyber Division. “As the lead domestic law enforcement and intelligence agency, we will continue pursuing cyber actors that threaten the national security and public safety of the American people, our private sector partners, and our international partners.”
“The FBI prides itself on working closely with our law enforcement and private sector partners to expose criminals who hide behind their computers and launch attacks that threaten Americans’ safety, security, and confidence in our digitally connected world,” said the Special Agent in Charge of the FBI’s Pittsburgh Field Office. “The FBI has an unwavering commitment to combat and disrupt Russia’s efforts to gain a foothold inside US and allied networks.”
On 23 February 2022, the United Kingdom’s National Cyber Security Centre, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI, and the National Security Agency released an advisory identifying the Cyclops Blink malware, which targets network devices manufactured by WatchGuard Technologies Inc. (WatchGuard) and ASUSTek Computer Inc. (ASUS). These network devices are often located on the perimeter of a victim’s computer network, thereby providing Sandworm with the potential ability to conduct malicious activities against all computers within those networks. As explained in the advisory, the malware appeared to have emerged as early as June 2019 and was the apparent successor to another Sandworm botnet called VPNFilter, which the Department of Justice disrupted through a court-authorized operation in 2018.
On the same day as the advisory, WatchGuard released detection and remediation tools for users of WatchGuard devices. The advisory and WatchGuard’s guidance both recommended that device owners deploy WatchGuard’s tools to remove any malware infection and patch their devices to the latest versions of available firmware. Later, ASUS released its own guidance to help compromised ASUS device owners mitigate the threat posed by Cyclops Blink malware. The public and private sector efforts were effective, resulting in the successful remediation of thousands of compromised devices. However, by mid-March, a majority of the originally compromised devices remained infected.
Following the initial court authorization on 18 March 2022, the department’s operation was successful in copying and removing the malware from all remaining identified C2 devices. It also closed the external management ports that Sandworm was using to access those C2 devices, as recommended in WatchGuard’s remediation guidance (a non-persistent change that the owner of an affected device can reverse through a device restart). These steps had the immediate effect of preventing Sandworm from accessing these C2 devices, thereby disrupting Sandworm’s control of the infected bot devices controlled by the remediated C2 devices. However, WatchGuard and ASUS devices that acted as bots may remain vulnerable to Sandworm if device owners do not take the WatchGuard and ASUS recommended detection and remediation steps. The department strongly encourages network defenders and device owners to review the 23 February 2022 advisory and WatchGuard and ASUS releases.
The operation announced today leveraged direct communications with the Sandworm malware on the identified C2 devices and other than collecting the underlying C2 devices’ serial numbers through an automated script and copying the C2 malware, it did not search for or collect other information from the relevant victim networks. Further, the operation did not involve any FBI communications with bot devices.
Prior to the 23 February 2022 advisory, the FBI has been attempting to provide notice to owners of infected WatchGuard devices in the United States and, through foreign law enforcement partners, abroad. For those domestic victims whose contact information was not publicly available, the FBI has contacted providers (such as a victim’s internet service provider) and has asked those providers to provide notice to the victims. As required by the terms of the court authorization, the FBI has provided notice to the owners of the domestic C2 devices from which the FBI copied and removed the Cyclops Blink malware.
The efforts to disrupt the Cyclops Blink botnet were led by the FBI’s Pittsburgh, Atlanta and Oklahoma City Field Offices, the FBI Cyber Division, the National Security Division’s Counterintelligence and Export Control Section, and the US Attorney’s Office for the Western District of Pennsylvania. Assistance was also provided by the Criminal Division’s Computer Crime and Intellectual Property Section and Office of International Affairs, as well as the US Attorney’s Office for the Eastern District of California.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
Comments