- NCSC, FBI, CISA, and NSA publish report on new Cyclops Blink malware.
- The US and UK agencies said the malware was developed by Sandworm, a cyber-unit of the GRU, Russia's military intelligence service.
- Officials said the malware has targeted WatchGuard Firebox firewalls since at least June 2019.
The US and UK governments have published a joint report today detailing a new malware strain developed by Russia’s military cyber-unit that had been deployed in the wild since 2019 and used to compromise home and office networking devices.
Agencies like the UK National Cyber Security Centre (NCSC), the US Federal Bureau of Investigation (FBI), the US Cybersecurity and Infrastructure Security Agency (CISA), and the US National Security Agency (NSA) have contributed to the joint report, complete with a technical analysis of the new malware, which they named Cyclops Blink [PDF].
Officials said they first saw the malware deployed in the wild in June 2019 and that it has primarily been detected targeting WatchGuard Firebox firewalls, but officials don't rule out that it is able to infect other types of networking equipment too.
The UK and US officials said the malware was developed by a threat actor known as Sandworm, previously linked to a cyber-unit of the GRU, Russia’s military intelligence division.
Officials described Cyclops Blink as “professionally developed” and said the malware uses a modular structure that allows its operators to deploy second-stage payloads to infected devices.
Details about how the malware is deployed on infected systems and what the capabilities of its second-stage modules are have not been included in the report.
Instead, officials said they believe Sandworm developed Cyclops Blink to replace the botnet created using the VPNFilter malware, which was sinkholed by the FBI in late May 2018.
At the time, US officials and security firms said that Russian state-sponsored hackers were preparing to use the VPNFilter botnet to launch DDoS attacks in the hopes of disrupting the IT infrastructure of the UEFA Champions League 2018 final, which was scheduled to take place that year in Kyiv, Ukraine.
The timing of today's joint report on Cyclops Blink is not an accident and comes as Russia is days away from sending troops into Ukraine, an operation that many security experts believe will be accompanied by cyber-attacks meant to disrupt Ukrainian IT infrastructure.
While it is unclear if Cyclops Blink is expected to play any role in these possible attacks, US and UK officials believed it was a good idea to expose this botnet today in an attempt to limit its usefulness to Russian officials.
The report contains technical details that cybersecurity firms will be able to use to create detection rules for Cyclops Blink activity. The malware also burrows deep inside the device firmware, meaning that a simple device restart or factory reset won't remove it from infected firewalls. In addition, WatchGuard has released tools to detect the malware on its devices, along with advice on how to deal with compromised systems.
According to Nate Warfield, Chief Technology Officer at cybersecurity firm Prevailion, there are more than 25,000 WatchGuard Firebox firewalls currently connected to the internet, although it’s unclear how many of these are infected.
However, only around a dozen of these are located in Ukraine, meaning they can’t be used by Sandworm operators to pivot into the internal …….