US Attorney General Merrick Garland announced on Wednesday that US officials have disrupted a global botnet of thousands of infected devices allegedly controlled by the Russian military.
Garland said the court-sanctioned operation was directed against Sandworm — a cyber unit of Russia’s GRU military intelligence service — and Cyclops Blink, an advanced modular botnet linked to the group.
In a statement, the Justice Department said the operation “copied and removed malware from vulnerable internet-connected firewalls that Sandworm used for command and control (C2) of the underlying botnet.”
“Although the operation did not involve accessing the Sandworm malware on the thousands of underlying victim devices around the world, known as ‘bots’, disabling the C2 mechanism severed those bots from the control of the Sandworm C2 devices,” the DOJ explained.
Assistant Attorney General Matthew Olsen said US officials were working with law enforcement in the UK and network security firm WatchGuard to analyze the malware and develop detection and remediation tools.
In February, the FBI, the National Security Agency, the Cybersecurity and Infrastructure Security Agency and the UK’s National Cyber Security Centre jointly issued an advisory on the Cyclops Blink malware, which targets network devices manufactured by WatchGuard and ASUSTek Computer (ASUS).
“These network devices are often located on the perimeter of a victim’s computer network, providing Sandworm with the potential ability to conduct malicious activity against all computers on those networks,” the Department of Justice explained.
“As explained in the advisory, the malware appears to have emerged as early as June 2019 and was the apparent successor to another Sandworm botnet called VPNFilter, which the Department of Justice halted through a court-authorized operation in 2018.”
WatchGuard and ASUS have released guidance on how to detect and remediate the malware. Although thousands of compromised devices had been remediated, the DOJ said “the majority of originally compromised devices remained infected.”
A replacement botnet
The operation announced on Wednesday indicated that US and UK officials believe they have successfully shut down the external management ports that Sandworm was using to access compromised devices.
The DOJ noted that despite their actions, some WatchGuard and ASUS devices may still be vulnerable if owners do not implement the companies’ published recommendations.
“Since prior to the February 23 advisory, the FBI has attempted to notify owners of infected WatchGuard devices in the United States and, through foreign law enforcement partners, abroad,” U.S. officials said.
“For domestic victims whose contact information was not publicly available, the FBI contacted vendors (such as a victim’s Internet service provider) and asked those vendors to notify the victims.”
In February, US and UK officials said they believed the Sandworm group had created Cyclops Blink to replace the older VPNFilter botnet, which the FBI had shut down in late May 2018.
US officials and security firms said at the time that Russian state-sponsored hackers were preparing to use the VPNFilter botnet to launch DDoS attacks on the IT infrastructure supporting the 2018 UEFA Champions League final, which took place that year in the Ukrainian capital, Kyiv.
Prevailion chief technology officer Nate Warfield told The Record in February that there were more than 25,000 WatchGuard Fireboxes connected to the internet.
WatchGuard estimated the number of infected systems to be around 1% of the 25,000, meaning the botnet grew to a size of around 250 devices.