FBI Disrupts Russian State-Controlled Hacked Computer Network

A row of computers is seen at the FBI field office in Jacksonville, Florida. File photo courtesy of the US Federal Bureau of Investigation

April 7 (UPI) — The FBI has removed malware from a botnet of thousands of hacked devices worldwide that were under the control of a Russian state-sponsored threat actor known as Sandworm.

The US Department of Justice announced on Wednesday that in March it carried out a court-authorized disruption of the so-called “botnet”, a network of malware-infected devices controlled by an attacker.

“The court-sanctioned removal of malware deployed by the Russian GRU (foreign military intelligence agency) demonstrates the department’s commitment to disrupting the nation-state hack using every legal tool at our disposal,” Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division said in a statement.

“By working closely with WatchGuard and other government agencies in this country and the UK to analyze malware and develop detection and remediation tools, together we are showing the strength that public-private partnership brings to our nation’s cybersecurity. The department remains committed to confronting and disrupting nation-state hacking, whatever form it takes.”

Following the March 18 court order, the FBI copied and then removed the malware from all remaining firewall devices that Sandworm was using as command and control servers for the underlying botnet, severing those devices from Sandworm’s control.

Still, the Justice Department warned that devices infected by the malware may remain vulnerable to Sandworm if their owners do not follow the detection and remediation steps recommended by the device manufacturers WatchGuard and ASUSTeK.

The FBI, the Cybersecurity and Infrastructure Security Agency, the National Security Agency and Britain’s National Cyber Security Centre issued a joint advisory on February 23 identifying the threat actor as Sandworm (also tracked as Voodoo Bear) and naming the malware Cyclops Blink.

On the same day the advisory was published, WatchGuard released detection and remediation tools to remove the malware from infected devices and update their firmware, and ASUSTeK later released its own guidance for mitigating the threat posed by the Cyclops Blink malware, according to the Department of Justice statement.

The advisories and vendor tools reduced the number of infected devices, but the majority of the command and control devices remained compromised until the FBI, acting under the March 18 court order, removed the malware and closed the external management ports that Sandworm had been using to reach them.

The malware was the apparent successor to an earlier Sandworm botnet called VPNFilter, which the Justice Department disrupted in another court-sanctioned operation in 2018, the statement said.

The advisory also lists previous malicious cyber activity attributed to Sandworm, including the 2015 disruption of Ukraine’s electric grid using BlackEnergy malware, attacks on the 2018 Winter Olympics and Paralympics, and cyberattacks against Georgia.
