The threat actor Sandworm – thought to be responsible for cyberattacks on Ukraine in recent years – has traded the VPNFilter malware that was exposed by Cisco Talos in 2018 for Cyclops Blink, a large-scale framework, according to a UK cybersecurity watchdog.
Sandworm used VPNFilter to conduct widespread attacks, including the BlackEnergy disruption of the Ukrainian power supply in 2015 and increased targeting of Ukrainian nationals in the year the malware was exposed. The attacks are thought mainly to have consisted of manipulating digital traffic and destroying targeted devices.
Also known as Voodoo Bear, Sandworm has previously been linked by the FBI to Russia’s Intelligence Directorate and is also thought to be responsible for the devastating NotPetya cyberattacks, also on Ukraine, in 2017.
Between 2018 and 2021, attacks by Sandworm using VPNFilter declined by around two-thirds, and it appears that the Russian-backed hacker group has decided to retool, said the Cybersecurity and Infrastructure Security Agency (CISA).
Cyclops Blink, in operation since 2019, is thought to run on similar lines to its predecessor, conducting widespread indiscriminate attacks on network devices.
“The malware is sophisticated and modular with basic core functionality [and is able] to beacon device information back to a server and enable files to be downloaded and executed,” said CISA. “There is also functionality to add new modules while the malware is running, which allows Sandworm to implement additional capability as required.”
It added: “Post exploitation, Cyclops Blink is generally deployed as part of a firmware ‘update.’ This achieves persistence when the device is rebooted and makes remediation harder. Victim devices are organized into clusters, and each deployment of Cyclops Blink has a list of command and control IP addresses and ports that it uses. All the known IP addresses to date have been used by compromised WatchGuard firewall devices.”
“Communications between Cyclops Blink clients and servers are protected under Transport Layer Security, using individually generated keys and certificates. Sandworm manages Cyclops Blink by connecting to the command and control layer through the Tor network.”