The US Federal Bureau of Investigation (FBI) has revealed that it conducted an operation in March to target a giant botnet controlled by Russian intelligence.
The operation was authorised by American courts in California & Pennsylvania, allowing the FBI to copy & remove the so-called Cyclops Blink malware from its command & control servers, also known as C2s. This severed the connections to thousands of compromised devices that were taking instructions from those servers.
Compromised Devices
The US Justice Department announced the March operation on Wed., describing it as “successful,” but warned that device owners should still review the initial Feb. 23 advisory to secure their compromised devices & prevent reinfection.
The Justice Department stated that since news of the growing Cyclops Blink threat first emerged in Feb., thousands of compromised devices have been secured by their owners, but justified its court-ordered operation because the “majority” of infected devices were still compromised just weeks later in mid-Mar.
Russia’s GRU
Cyclops Blink is believed to be the successor to VPNFilter, a botnet largely neglected after it was exposed by security researchers in 2018 & later targeted by a US Govt. operation to disrupt its Command & Control servers. Both Cyclops Blink & VPNFilter are attributed to Sandworm, a group of hackers working for Russia’s GRU, the country’s military intelligence unit.
According to the Justice Department, the court order had the “immediate effect of preventing Sandworm from accessing these C2 devices, thereby disrupting Sandworm’s control of the infected bot devices controlled by the remediated C2 devices.”
“The operation did not involve any FBI communications with bot devices,” the Justice Department explained.
Cyclops Blink
US authorities did not speculate on the goal of the Cyclops Blink botnet, but security researchers say the botnet is capable of collecting information & conducting espionage, launching distributed denial-of-service attacks that overload websites & servers with ‘junk’ traffic, as well as destructive attacks that render the devices inoperable & cause system & network disruptions.
Sandworm is particularly known for launching disruptive hacks over many years, including taking the Ukrainian power grid offline, using malware to try to ‘blow up’ a Saudi petrochemical plant, & more recently deploying a destructive wiper targeting the Viasat satellite network over Ukraine & Europe.
Sandworm
John Hultquist, VP of Intelligence Analysis at Mandiant, said in response to the FBI’s operation:
‘Sandworm is the top Russian cyber-attack capability, & one of the players we have been most concerned about since the invasion. We are concerned that they could be used to hit targets in Ukraine, but we are also concerned they may hit targets in the West in response to the pressure being placed on Russia.’
Chinese Spies
Last April, the FBI launched a first-of-its-kind operation to copy & remove a backdoor left behind by Chinese spies, who had mass-hacked thousands of vulnerable Exchange servers in order to steal contact lists & email inboxes.