The US Department of Justice (DOJ) has announced that an FBI-led operation disrupted the Cyclops Blink botnet in March. The operation successfully removed the Cyclops Blink malware from internet-connected firewall devices. The botnet is believed to be operated by a group known as Sandworm (also known as Unit 74455), an alleged Russian cyber military unit. Many cyberattacks are associated with Sandworm, including attacks on Ukraine’s critical infrastructure and NotPetya ransomware. The unit is also believed to have interfered in the 2017 French presidential elections, as well as carried out the cyberattack on the 2018 Winter Olympics opening ceremony.
The Cyclops Blink botnet was first publicly revealed in February this year when the US and UK governments warned that WatchGuard firewall devices were being attacked. The Cyclops Blink malware specifically targeted WatchGuard and Asus network devices. While it was publicly revealed only in February, the botnet is believed to have begun operations as early as June 2019, likely as a successor to a similar botnet the DOJ took down four years ago.
Both WatchGuard and Asus released guidance and remediation tools for owners of affected devices immediately after the revelation by the US and UK governments. But the majority of compromised devices remained infected nonetheless, prompting the DOJ to act.
“The same day as the advisory, WatchGuard released detection and remediation tools for users of WatchGuard devices. The advisory and WatchGuard’s guidance both recommended that device owners deploy WatchGuard’s tools to remove any malware infection and patch their devices to the latest versions of available firmware. Later, ASUS released its own guidance to help compromised ASUS device owners mitigate the threat posed by Cyclops Blink malware. The public and private sector efforts were effective, resulting in the successful remediation of thousands of compromised devices. However, by mid-March, a majority of the originally compromised devices remained infected,” the DOJ has said.
Following court authorization, the department carried out an operation that removed the malware from all remaining identified command and control (C2) devices that Sandworm used to control the botnet. Furthermore, it also closed the external management ports that Sandworm was using to access those C2 devices.
“These steps had the immediate effect of preventing Sandworm from accessing these C2 devices, thereby disrupting Sandworm’s control of the infected bot devices controlled by the remediated C2 devices,” the DOJ said.
However, the DOJ also warned that WatchGuard and Asus devices that acted as bots might remain vulnerable to Sandworm if no action is taken by the device owners.
No information/data was accessed by the FBI
The DOJ stressed that issuing the commands did not permit the FBI to search, view, or retrieve content/data on a victim’s device.
“The operation announced today leveraged direct communications with the Sandworm malware on the identified C2 devices and, other than collecting the underlying C2 devices’ serial numbers through an automated script and copying the C2 malware, it did not search for or collect other information from the relevant victim networks. Further, the operation did not involve any FBI communications with bot devices.”