Cyclops Blink: US law enforcement dismantles a Russian intelligence botnet


The FBI has announced that it has taken down a major botnet called Cyclops Blink.

US authorities identified several command and control servers used by the botnet operators and managed to disinfect WatchGuard firewalls that the attackers had compromised in order to turn them into command servers.

The operation took place during the month of March 2022 and made it possible to render the network inoperative.

Cyclops Blink, in the sights of the authorities since February

The malware behind this botnet had already been dissected in February 2022 in a report by the British cybersecurity agency, the NCSC. The agency explained that the malware had been active since at least June 2019 and that its operators were using it to attack WatchGuard Firebox devices as well as machines marketed by Asus. WatchGuard also issued a warning to its users in February, directing them to detection and remediation tools to disinfect compromised devices.

According to WatchGuard, Cyclops Blink attacked appliances that had been “configured to allow unrestricted management access from the internet”. Cyclops Blink exploited flaws in the firmware update process of the targeted devices in order to gain control and to persist across a restart or reset of the device. The attackers' end goal, however, has not been identified. The malware had thus been publicly identified more than a month earlier, but that was not enough for the US authorities. As the FBI agent behind the cleanup operation explains, the authorities found that the number of machines infected with the malware had dropped by only 39% just under a month after the first alerts about it were issued.

The FBI therefore chose to launch its disinfection operation. By analyzing one of the machines infected with the malware, the agents identified a total of 26 command servers, 13 of which were located in the United States and 13 in other countries. The authorities then obtained a court order allowing them to access the 13 US-based command servers at their IP addresses and to send them a series of commands in order to verify the presence of the malware, disinfect the device, and block access to its web-based management interface to prevent reinfection. The FBI's strategy thus directly targeted the command servers, without touching all of the machines compromised by the malware. US authorities estimate the total number of machines compromised by Cyclops Blink at “several thousand”.

A family resemblance

For the American authorities, the paternity of Cyclops Blink is beyond doubt: the malware is the work of the Sandworm group, a group of cyberattackers associated with the Russian intelligence service and known to have carried out numerous cyberattacks, including a campaign that targeted several French entities in 2021. The group is also accused of being behind the NotPetya cyberattack in 2017 and several computer attacks that targeted Ukrainian networks.

But what ties Cyclops Blink to Sandworm above all is the design similarity between this new malware and an older piece of malware known as VPNFilter, which Sandworm and other Russian cyberattack groups used in previous attacks. A botnet based on VPNFilter had been taken down by US authorities in 2018 through the seizure of the domain name that the botnet's command servers used to redirect traffic and transmit their commands. That malware had been used in particular in attacks carried out in Ukraine against a water filtration plant. For the FBI and for the British NCSC, Cyclops Blink, which appeared a few months after VPNFilter was dismantled, is its successor.
