US disrupts botnet operated by Russian intelligence

The US Justice Department disrupted a global botnet of thousands of infected network hardware devices controlled by infamous threat actor Sandworm.

Sandworm is attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU).

During the court-authorized disruption operation, the malware known as Cyclops Blink was copied and removed from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet.

Disabling the C2 devices severed the bots from Sandworm's control. The operation did not involve access to the Sandworm malware on the thousands of underlying victim devices worldwide. Therefore, law enforcement warns victims to take additional steps to remediate the vulnerability and prevent malicious actors from further exploiting unpatched devices.

“Such activities are not only criminal but also threaten the national security of the United States and its allies,” US Attorney Cindy K. Chung for the Western District of Pennsylvania said.

In February, an advisory identified Cyclops Blink as malware targeting devices manufactured by WatchGuard and ASUS.

“These network devices are often located on the perimeter of a victim’s computer network, thereby providing Sandworm with the potential ability to conduct malicious activities against all computers within those networks,” it said.

The malware appeared to have emerged as early as June 2019 and was the apparent successor to another Sandworm botnet called VPNFilter, disrupted in 2018.

“WatchGuard and ASUS devices that acted as bots may remain vulnerable to Sandworm if device owners do not take the WatchGuard and ASUS recommended detection and remediation steps,” the Department of Justice said, recommending network defenders and device owners review the advisory.
