The Federal Bureau of Investigation (FBI) said it shut down a Russian GRU botnet through a court-authorized operation before it could be weaponized.
The botnet targeted Firebox firewall hardware from WatchGuard Technologies, which is used by many small and midsized businesses.
The DOJ said the operation involved copying and removing “malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet.”
U.S. Attorney General Merrick Garland also disclosed that US authorities worked with WatchGuard to analyze the malware, remove it before it could be used, and create detection and remediation techniques.
Russian GRU botnet malware linked to Sandworm APT
The FBI said the botnet used Cyclops Blink malware associated with the Sandworm (also known as Voodoo Bear) team. The group is associated with the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
“This GRU team, Sandworm, had implanted a specific type of malware known as Cyclops Blink on thousands of WatchGuard Technologies’ Firebox devices—these are security appliances, mainly firewalls, that are typically deployed in home office environments and in small to mid-size businesses,” FBI Director Christopher Wray said in a press statement.
The Cyclops Blink malware emerged in 2019 as a replacement for the VPNFilter malware that the Justice Department brought down through another court-authorized action in 2018.
On Feb 3, 2022, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued an advisory on Cyclops Blink malware targeting WatchGuard and Asus networking devices.
Similarly, researchers from Trend Micro warned in March 2022 that the Cyclops Blink malware targeted devices in non-critical infrastructure organizations to build infrastructure for targeting high-value targets. The botnet C2 devices were active for about three years, according to the cybersecurity firm.
The DOJ warned that the Russian GRU botnet targeted devices within the victim’s computer network, enabling the threat actor to conduct malicious activity against all computers on the network.
Feds did not spy on host networks while removing Russian GRU botnet malware
The FBI’s ability to access devices through a court order could raise concerns about potential spying.
However, the DOJ assured the victims that it did not search or collect any other information while removing the malware. Additionally, the FBI did not communicate with the botnet devices during the operation.
Instead, the Department of Justice (DOJ) said the operation focused on disrupting botnet devices used as command and control servers. The operation also closed the external management ports the threat actor used to connect to the firewall devices.
The DOJ explained that although the operation succeeded in severing Russian GRU control over infected devices, it “did not involve access to the Sandworm malware on the thousands of underlying victim devices worldwide.”
The DOJ said U.S. authorities also worked with WatchGuard to analyze the malware and develop “detection tools and remediation techniques.”
However, the department warned that the previously infected devices remained vulnerable until their owners implemented WatchGuard’s mitigations and recommendations.
DOJ vows to tackle Russian GRU state-sponsored activity
The Justice Department reiterated that it would exhaust all legal avenues to protect computer networks from Russian GRU cyber activity.
“This court-authorized removal of malware deployed by the Russian GRU demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal,” Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division said.
Olsen lauded the public-private partnership and intergovernmental collaboration that strengthens the national cyber security posture. He promised to confront nation-state hacking regardless of the form it takes.
Assistant Director Bryan Vorndran of the FBI’s Cyber Division said the operation was an example of the FBI’s ability to tackle cyber threats through unique authorities, abilities, and partnerships.
“As the lead domestic law enforcement and intelligence agency, we will continue pursuing cyber actors that threaten the national security and public safety of the American people, our private sector partners, and our international partners,” Vorndran said.
“The takedown shows the West is capable of detecting and swatting Russian attacks and is not ‘afraid’ of what Russian government and allies may attempt,” Kevin Bocek, VP of Security Strategy and Threat Intelligence, Venafi, said. “It’s no doubt an important milestone of stopping Russian cyber attacks, but the message to Russian forces is clear: You’re on the losing side – reconsider who and what you’re fighting for.”