In March, the Federal Bureau of Investigation said that it conducted an operation to target a major botnet operated by Russian intelligence. The operation was approved by California and Pennsylvania courts, allowing the FBI to copy and remove the Cyclops Blink malware from its command and control servers, also known as C2s, and sever the connections to thousands of compromised infected devices that were taking instructions from the servers.
On Wednesday, the Justice Department described the March operation as “successful,” but cautioned that device owners should study the first February 23 alert to safeguard their infected devices and avoid reinfection. Thousands of compromised devices have been secured by their owners since the news of Cyclops Blink’s rising threat first broke in February, according to the Justice Department, but the “majority” of infected devices were still compromised just weeks later in mid-March, justifying the court-ordered operation.
Cyclops Blink is thought to be the successor to VPNFilter, a botnet that was mostly forgotten about after being discovered by security researchers in 2018 and then targeted by a US government operation to take down its command and control servers. Sandworm, a gang of hackers working for Russia’s GRU, the country’s military intelligence organization, is responsible for both Cyclops Blink and VPNFilter. The court order “immediately prevented Sandworm from accessing these C2 devices, so destroying Sandworm’s control of the infected bot devices controlled by the remediated C2 devices,” according to the Justice Department.
“No FBI contacts with bot devices were used in this investigation,” the Justice Department stated. The Cyclops Blink botnet is capable of collecting information and conducting espionage, as well as launching distributed denial-of-service attacks that overload websites and servers with junk traffic, as well as destructive attacks that render devices inoperable and cause system and network disruptions, according to security researchers.
Sandworm has a long history of executing disruptive intrusions, including taking down the Ukrainian power system, employing malware to try to blow up a Saudi petrochemical factory, and most recently unleashing a devastating wiper against the Viasat satellite network in Ukraine and Europe. In reaction to the FBI’s operation, John Hultquist, vice president of intelligence analysis at Mandiant, said:
Sandworm is Russia’s most advanced cyber-attack capacity, and it’s one of the entities we’ve been most worried about since the invasion. We are concerned that they could be used to strike targets in Ukraine, but we are also concerned that they could strike targets in the West in retaliation for the sanctions imposed on Russia. The FBI initiated a first-of-its-kind operation in April to duplicate and remove a backdoor left by Chinese spies who had mass-hacked thousands of vulnerable Exchange servers in order to acquire contact lists and email inboxes.