- NCSC, FBI, CISA and NSA release report on new Cyclops Blink malware.
- US and UK agencies said the malware was developed by Sandworm, a cyber unit of Russia’s GRU military intelligence service.
- Officials said the malware has been targeting WatchGuard Firebox firewalls since at least June 2019.
The US and UK governments today released a joint report detailing a new strain of malware developed by Russia’s military cyber unit that had been deployed in the wild since 2019 and used to compromise home and business network devices.
Agencies such as the UK's National Cyber Security Centre (NCSC), the US Federal Bureau of Investigation (FBI), the US Cybersecurity and Infrastructure Security Agency (CISA) and the US National Security Agency (NSA) contributed to the joint report, complete with a technical analysis of the new malware, which they named Cyclops Blink [PDF].
Officials said they first saw the malware deployed in the wild in June 2019 and that it was primarily detected targeting WatchGuard Firebox firewalls, although officials are not ruling out the possibility that other types of network equipment are affected as well.
UK and US officials said the malware was developed by a threat actor known as Sandworm, previously linked to a cyber unit of the GRU, Russia’s military intelligence division.
Officials described Cyclops Blink as “professionally developed” and said the malware uses a modular structure that allows its operators to deploy second-stage payloads to infected devices.
Details on how the malware is deployed to infected systems and the capabilities of its second-stage modules are not included in the report.
VPNFilter replacement?
Instead, officials said they believe Sandworm developed Cyclops Blink to replace the botnet created using the VPNFilter malware, which was taken over by the FBI in late May 2018.
At the time, US officials and security firms said Russian state-sponsored hackers were preparing to use the VPNFilter botnet to launch DDoS attacks in hopes of disrupting the computer infrastructure of the 2018 UEFA Champions League final, which was to take place that year in Kyiv, Ukraine.
The timing of today's joint Cyclops Blink report is no accident and comes as Russia is days away from sending troops into Ukraine, an operation that many security experts say will be accompanied by cyberattacks aimed at disrupting Ukraine's IT infrastructure.
While it is unclear whether Cyclops Blink would play a role in these possible attacks, US and UK officials felt it was a good idea to expose this botnet today in an effort to limit its usefulness to Russian operators.
The report contains technical details that cybersecurity companies can use to create detection rules for Cyclops Blink activity. The malware also burrows deep into the device’s firmware, which means that a device reboot or factory reset will not remove it without a complete reimaging of the infected product.
According to Nate Warfield, chief technology officer of cybersecurity firm Prevailion, there are more than 25,000 WatchGuard Fireboxes currently connected to the internet, though it is unclear how many of them are infected.
However, only a dozen of them are located in Ukraine, which means they cannot be used by Sandworm operators to pivot into the internal networks of many Ukrainian companies, but that does not mean the other Cyclops Blink-infected devices cannot be used for other types of operations, such as DDoS attacks.
Coincidentally, the joint report came out just as several Ukrainian government sites were under DDoS attack, but there is still no evidence that Cyclops Blink played a role in these attacks or that it could even carry out these types of operations.