Cyclops Blink Malware Linked to Russian Hackers Discovered by UK and US


The governments of the United Kingdom and the United States have published a joint report detailing a new piece of malware called Cyclops Blink. This malware, active since 2019 and used to compromise home and office network devices, has been linked to the Russian hacker group Sandworm (also known as Telebots, BlackEnergy, and Voodoo Bear).

Background on Sandworm

In late 2020, the US Department of Justice charged six Russian nationals allegedly belonging to the Sandworm group. US authorities claim that all the accused serve in Unit 74455 of Russia’s Main Intelligence Directorate (GRU) and, under orders from the Russian government, carried out cyberattacks to destabilize other countries, interfere in their internal politics, and cause damage and financial losses.

The US Department of Justice connects Sandworm to attacks on Ukraine’s critical infrastructure (including the 2015 and 2016 power grid outages), the 2017 French presidential election, the 2018 Pyeongchang Winter Olympics, the NotPetya outbreak (a destructive wiper disguised as ransomware), and other incidents.

Details of the Cyclops Blink Report

The joint report on the new malware was published by the UK’s National Cyber Security Centre (NCSC), the US Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA).

According to the report, Cyclops Blink has been in use since at least June 2019, primarily targeting WatchGuard Firebox firewalls, although the agencies assess that Sandworm could adapt it to other network equipment. Cyclops Blink is described as “professionally developed” malware with a modular structure, which allows the operators to deploy second-stage payloads on infected devices.

However, the report does not describe the initial access vector used to implant the malware, nor the capabilities of the second-stage payloads. According to WatchGuard, the attackers exploited a vulnerability in an older version of the Firebox firmware, which the company fixed in a release from May 2021.

Because the malware modifies the firmware image of a compromised device, a simple reboot or factory reset is not enough to remove the infection. WatchGuard has published dedicated detection and remediation tools to help identify and clean infected appliances.

Scope and Impact

Nate Warfield, CTO of the cybersecurity company Prevailion, states that more than 25,000 WatchGuard Firebox firewalls are currently exposed to the internet. WatchGuard estimates that about 1% of its active appliances are infected, which would put the size of the botnet at roughly 250 devices.

Officials from the US and UK say that Sandworm developed Cyclops Blink as a replacement for its previous botnet, which was built on the VPNFilter malware and was disrupted by the FBI in spring 2018.
