“Russia’s Sandworm Hackers Have Built a Botnet of Firewalls”
WIRED, February 23, 2022
By Andy Greenberg
“Western intelligence services are raising alarms about Cyclops Blink, the latest tool at the notorious group’s disposal.”
Any appearance of a new tool used by Russia’s notorious, disruptive Sandworm hackers will raise the eyebrows of cybersecurity professionals braced for high-impact cyberattacks. When US and UK agencies warn of one such tool spotted in the wild just as Russia prepares a potential mass-scale invasion of Ukraine, it’s enough to raise alarms.
On Wednesday, both the UK National Cybersecurity Center and the US’s Cybersecurity and Infrastructure Security Agency released advisories warning that they—along with the FBI and NSA–have detected a new form of network device malware being used by Sandworm, a group tied to some of the most destructive cyberattacks in history and believed to be a part of Russia’s GRU military intelligence agency.
The new malware, which the agencies call Cyclops Blink, has been found in firewall devices sold by networking hardware company Watchguard since at least June 2019. But the NCSC warns that “it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware,” that it may have already infected other common network routers used in homes and businesses, and that the malware’s “deployment also appears indiscriminate and widespread.”
Cybersecurity firm Trend Micro later released its own findings on Cyclops Blink, which include evidence that one version of the malware infected Asus routers. Trend Micro also found that the malware had infected at least 200 victims across a long list of countries, including the United States, India, Italy, Canada, and Russia.
It remains unclear whether Sandworm has been hacking network devices for purposes of espionage, building out its network of hacked machines to use as communications infrastructure for future operations, or targeting networks for disruptive cyberattacks, says Joe Slowik, a security researcher for Gigamon and a longtime tracker of the Sandworm group. But given that Sandworm’s past history of inflicting digital chaos includes destroying entire networks inside Ukrainian companies and government agencies, triggering blackouts by targeting electrical utilities in Ukraine, and releasing the NotPetya malware there that spread globally and cost $10 billion in damage, Slowik says even an ambiguous move by the hackers merits caution—particularly as another Russian invasion of Ukraine looms.
“It definitely seems like Sandworm has continued the path of compromising relatively large networks of these devices for purposes unknown,” Slowik says. “There are a number of options available to them, and given that it’s Sandworm, some of those options could be concerning, and bleed into deny, degrade, disrupt, and potentially destroy, though there’s no evidence of that yet.”
About the Author:
Andy Greenberg is a senior writer for WIRED, covering security, privacy, and information freedom. He’s the author of the book Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers. The book and excerpts from it published in WIRED won a Gerald Loeb Award for International Reporting, a Sigma Delta Chi Award from the Society of Professional Journalists, two Deadline Club Awards from the New York Society of Professional Journalists, and the Cornelius Ryan Citation for Excellence from the Overseas Press Club. Greenberg works in WIRED’s New York office.
See also in Internet Salmagundi:
- “Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers” by Andy Greenberg. Published November 5, 2019.
- “New Sandworm malware Cyclops Blink replaces VPNFilter” (PDF) Advisory by National Cyber Security Centre. February 23, 2022.
- “Cyclops Blink malware sets up shop in ASUS routers: Kremlin-backed Sandworm has its VPNFilter replacement, it seems” by Jessica Lyons Hardcastle. The Register, March 18, 2022.