US and UK expose new Russian malware targeting network devices
Image: Artem Kovalev
Catalin Cimpanu February 23, 2022

US and UK expose new Russian malware targeting network devices

US and UK expose new Russian malware targeting network devices

  • NCSC, FBI, CISA, and NSA publish report on new Cyclops Blink malware.
  • The US and UK agencies said the malware was developed by Sandworm, a cyber-unit of the GRU Russian millitary intelligence service.
  • Officials said the malware has targeted WatchGuard Firebox firewalls since at least June 2019.

The US and UK governments have published a joint report today detailing a new malware strain developed by Russia’s military cyber-unit that had been deployed in the wild since 2019 and used to compromise home and office networking devices.

Agencies like the UK National Cyber Security Center (NCSC), the US Federal Bureau of Investigations (FBI), the US Cybersecurity Infrastructure and Security Agency (CISA), and the US National Security Agency (NSA) have contributed to the joint report, complete with a technical analysis of the new malware, which they named Cyclops Blink [PDF].

Officials said they’ve first seen the malware deployed in the wild in June 2019 and has been primarily detected targeting WatchGuard Firebox firewalls, but they don’t exclude having the ability to infect other types of networking equipment too.

The UK and US officials said the malware was developed by a threat actor known as Sandworm, previously linked to a cyber-unit of the GRU, Russia’s military intelligence division.

Officials described Cyclops Blink as “professionally developed” and said the malware uses a modular structure that allows its operators to deploy second-stage payloads to infected devices.

Details about how the malware is deployed on infected systems and what are the capabilities of its second-stage modules are not included in the report, but in its own security advisory on the matter, WatchGuard said they believe the attackers used a vulnerability in old Firebox firmware as the entry point, a vulnerability the company patched in May 2021.

VPNFilter replacement?

Both US and UK officials said they believe that the Sandworm group developed Cyclops Blink to replace s previous botnet created using the older VPNFilter malware, botnet that the FBI sinkholed in late May 2018.

At the time, US officials and security firms said that Russian state-sponsored hackers were preparing to use the VPNFilter botnet to launch DDoS attacks in the hopes of disrupting the IT infrastructure of the UEFA Champions League 2018 final, which was scheduled to take place that year in Kyiv, Ukraine.

The timing of the joint report on Cyclops Blink report today is not an accident and comes as Russia is days away from sending troops into Ukraine, an operation that many security experts believe will be accompanied by cyber-attacks meant to disrupt Ukrainian IT infrastructure.

While it is unclear if Cyclops Blink is expected to play any role in these possible attacks, US and UK officials believed it was an opportune moment to expose the Cyclops Blink botnet, as a way to limit its usefulness to Russian military intelligence.

The report contains technical details that cybersecurity firms will be able to use to create detection rules for Cyclops Blink activity.

Because the malware also burrows deep inside a device’s firmware, a simple device restart or factory reset won’t remove it from infected firewalls. For this, WatchGuard has released tools to detect the malware on its devices, and steps on how to clean compromised systems.

According to Nate Warfield, Chief Technology Officer at cybersecurity firm Prevailion, there are more than 25,000 WatchGuard Firebox firewalls currently connected to the internet. WatchGuard estimated the number of infected systems at around 1%, which would put the botnet size at around 250 devices.

However, only around a dozen of these 25,000 systems are located in Ukraine, meaning they can’t be used by Sandworm operators to pivot into the internal networks of many Ukrainian companies, yet this doesn’t mean the other Cyclops Blink devices can’t be used for other types of operations, such as DDoS attacks.

Coincidentally, the joint report came out just as several Ukrainian government sites were under a DDoS attack, but there is no evidence that Cyclops Blink played any role in these attacks or that it can even carry out these types of operations.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.