US and UK expose new Russian malware targeting network devices


The US and UK governments have published a joint report today detailing a new malware strain developed by Russia’s military cyber-unit that had been deployed in the wild since 2019 and used to compromise home and office networking devices.

Agencies including the UK National Cyber Security Centre (NCSC), the US Federal Bureau of Investigation (FBI), the US Cybersecurity and Infrastructure Security Agency (CISA), and the US National Security Agency (NSA) contributed to the joint report, which includes a technical analysis of the new malware, named Cyclops Blink [PDF].

Officials said they first saw the malware deployed in the wild in June 2019 and that it has primarily been detected targeting WatchGuard Firebox firewalls, but they do not rule out that it can infect other types of networking equipment as well.

The UK and US officials said the malware was developed by a threat actor known as Sandworm, previously linked to a cyber-unit of the GRU, Russia’s military intelligence division.

Officials described Cyclops Blink as “professionally developed” and said the malware uses a modular structure that allows its operators to deploy second-stage payloads to infected devices.

The report does not include details about how the malware is deployed on infected systems or what capabilities its second-stage modules have.

VPNFilter replacement?

Instead, officials said they believe Sandworm developed Cyclops Blink to replace the botnet created using the VPNFilter malware, which was sinkholed by the FBI in late May 2018.

At the time, US officials and security firms said that Russian state-sponsored hackers were preparing to use the VPNFilter botnet to launch DDoS attacks in the hopes of disrupting the IT infrastructure of the UEFA Champions League 2018 final, which was scheduled to take place that year in Kyiv, Ukraine.

The timing of today's joint report on Cyclops Blink is not an accident: it comes as Russia is days away from sending troops into Ukraine, an operation that many security experts believe will be accompanied by cyber-attacks meant to disrupt Ukrainian IT infrastructure.

While it is unclear whether Cyclops Blink is expected to play any role in these possible attacks, US and UK officials decided to expose the botnet today in an attempt to limit its usefulness to Russian operators.

Cyclops Blink has been targeting devices since 2019. Reboots and updates alone won't remove the #malware, but our joint advisory shares resources to help.@NCSC, @FBI, @CISAgov and @NSAgov #teamwork https://t.co/7qtA5HKWsz

— Rob Joyce (@NSA_CSDirector) February 23, 2022

The report contains technical details that cybersecurity firms will be able to use to create detection rules for Cyclops Blink activity.

According to Nate Warfield, Chief Technology Officer at cybersecurity firm Prevailion, there are more than 25,000 WatchGuard Firebox firewalls currently connected to the internet, although it’s unclear how many of these are infected.

However, only around a dozen of these are located in Ukraine, meaning they cannot be used by Sandworm operators to pivot into the internal networks of many Ukrainian companies. That does not mean the other Cyclops Blink devices cannot be used for other types of operations, such as DDoS attacks.

Coincidentally, the joint report came out just as several Ukrainian government sites were under DDoS attack, but there is no evidence yet that Cyclops Blink played any role in these attacks, or even that it can carry out this type of operation.

⚠️ Confirmed: #Ukraine's Ministry of Foreign Affairs, Ministry of Defense, Ministry of Internal Affairs, the Security Service of Ukraine and Cabinet of Ministers websites have just been impacted by network disruptions; the incident appears consistent with recent DDOS attacks pic.twitter.com/EVyy7mzZRr

— NetBlocks (@netblocks) February 23, 2022

The post US and UK expose new Russian malware targeting network devices appeared first on The Record by Recorded Future.
