US disrupts botnet operated by Russian intelligence
The US Justice Department disrupted a global botnet of thousands of infected network hardware devices controlled by infamous threat actor Sandworm.
Sandworm is attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU).
During the court-authorized disruption operation, the malware known as Cyclops Blink was copied and removed from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet.
Disabling C2 severed the bots from the control of Sandworm's C2 devices. The operation did not involve access to the Sandworm malware on the thousands of underlying victim devices worldwide. Therefore, law enforcement warns victims to take additional steps to remediate the vulnerability and prevent malicious actors from further exploiting unpatched devices.
“Such activities are not only criminal but also threaten the national security of the United States and its allies,” US Attorney Cindy K. Chung for the Western District of Pennsylvania said.
In February, an advisory identified the Cyclops Blink malware as targeting devices manufactured by WatchGuard and ASUS.
“These network devices are often located on the perimeter of a victim’s computer network, thereby providing Sandworm with the potential ability to conduct malicious activities against all computers within those networks,” it said.
The malware appeared to have emerged as early as June 2019 and was the apparent successor to another Sandworm botnet called VPNFilter, disrupted in 2018.
“WatchGuard and ASUS devices that acted as bots may remain vulnerable to Sandworm if device owners do not take the WatchGuard and ASUS recommended detection and remediation steps,” the Department of Justice said, recommending network defenders and device owners review the advisory.