Russia, Kremlin

US disrupts prolific botnet controlled by Russian military, DOJ says

U.S. Attorney General Merrick Garland announced Wednesday that US officials have disrupted a global botnet of thousands of infected devices allegedly controlled by the Russian military.

Garland said the court-authorized operation was directed at Sandworm — a cyber unit of the GRU Russian military intelligence service — and Cyclops Blink, an advanced modular botnet linked to the group.

In a statement, the Justice Department said the operation “copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet.”

“Although the operation did not involve access to the Sandworm malware on the thousands of underlying victim devices worldwide, referred to as ‘bots,’ the disabling of the C2 mechanism severed those bots from the Sandworm C2 devices’ control,” the DOJ explained. 

Assistant Attorney General Matthew Olsen said US officials worked with law enforcement in the United Kingdom and network security company WatchGuard to analyze the malware and develop detection and remediation tools. 

In February, the FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency and the United Kingdom’s National Cyber Security Centre jointly published an advisory on the Cyclops Blink malware, which targets network devices manufactured by WatchGuard and ASUSTek Computer (ASUS).

“These network devices are often located on the perimeter of a victim’s computer network, thereby providing Sandworm with the potential ability to conduct malicious activities against all computers within those networks,” the Justice Department explained. 

“As explained in the advisory, the malware appeared to have emerged as early as June 2019, and was the apparent successor to another Sandworm botnet called VPNFilter, which the Department of Justice disrupted through a court-authorized operation in 2018.”

Both WatchGuard and ASUS released guidance on how to detect and remediate issues related to the malware. Even though thousands of compromised devices were fixed, the DOJ said “a majority of the originally compromised devices remained infected.”

A replacement botnet

The operation announced on Wednesday indicated that US and UK officials believe they were successful in closing the external management ports that Sandworm was using to access the compromised devices. 

The DOJ noted that despite their actions, some WatchGuard and ASUS devices may still be vulnerable if owners do not implement the recommendations released by the companies. 

“Since prior to the Feb. 23 advisory, the FBI has been attempting to provide notice to owners of infected WatchGuard devices in the United States and, through foreign law enforcement partners, abroad,” US officials said. 

“For those domestic victims whose contact information was not publicly available, the FBI has contacted providers (such as a victim’s internet service provider) and has asked those providers to provide notice to the victims.”

In February, officials from the US and UK said they believe that the Sandworm group created Cyclops Blink to replace another botnet built using an older VPNFilter malware botnet that the FBI disrupted in late May 2018

US officials and security firms said at the time that Russian state-sponsored hackers were preparing to use the VPNFilter botnet to launch DDoS attacks at the IT infrastructure used for the UEFA Champions League 2018 final, which was scheduled to take place that year in the Ukrainian capital of Kyiv.

Prevailion chief technology officer Nate Warfield told The Record in February that there are more than 25,000 WatchGuard Firebox firewalls connected to the internet. 

WatchGuard has estimated that the number of infected systems hovered around 1% of the 25,000, meaning the botnet reached a size of about 250 devices.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.