Cyclops Blink malware distributed by the Russian Sandworm group

March 3, 2022

Researchers have linked the Cyclops Blink malware to the Russia-based hacking group known as Sandworm, in a joint security advisory released by UK and US agencies.

According to the joint examination of recently recovered malware samples by CISA, the FBI, the NCSC and the NSA, Cyclops Blink is a replacement for the VPNFilter malware that the Sandworm group used previously.

The malware includes modules developed by its operators to download or upload files to and from its command-and-control server and can also steal the targeted device’s details and update itself.

The malware also abuses the infected devices' legitimate firmware update channel to maintain access to targeted systems, deploying repacked firmware images and injecting the targeted device with malicious payloads.

The most worrying part of Cyclops Blink is that it survives a reboot and the legitimate firmware update process.

The agencies' advisory noted that the malware exclusively targets WatchGuard Firebox and other small office/home office (SOHO) network devices, and researchers stated that most of the recovered samples of the newly discovered malware came from compromised WatchGuard Firebox appliances.


According to reports, Sandworm is a Russian state-sponsored cyberespionage group capable of developing sophisticated malware such as Cyclops Blink.


Moreover, there are rumours that Sandworm's members belong to Unit 74455 of the Russian GRU's Main Center for Special Technologies. The cyberespionage group is also capable of creating malware for other infrastructure and firmware.

The state-sponsored group has a long history of attacks: researchers believe it was behind the disruptive BlackEnergy attack in Ukraine in 2015, and the Sandworm group is also rumoured to have taken part in the NotPetya attack in 2017.

More recently, researchers observed the group conducting cyberattacks against the 2018 Winter Olympics and Paralympics and a series of espionage attacks against Georgia in 2019.

The recent discovery will help researchers improve their understanding of the Sandworm group's attack methods and malware delivery. Furthermore, the advisory points readers to indicators of compromise and gives guidance on how to spot potentially unwanted activity on their networks.
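As an added illustration of how a defender turns an advisory's indicators into a check on their own network (this is example code, not part of the article or the agencies' advisory), the script below matches a small IoC set against firewall log lines and against the hash of a firmware image. Every indicator and log line in it is constructed: the addresses are RFC 5737 documentation ranges, the "bad" image is a placeholder byte string, and the log format is a hypothetical one, not WatchGuard's real syslog layout. Substitute the real indicators and your device's actual log format.

```python
"""Match advisory indicators of compromise (IoCs) against firewall logs and firmware images.

Added example, not from the article or the joint advisory. All IoC values, log
lines and the firmware bytes below are constructed placeholders.
"""
import hashlib
import re
from collections import Counter

# Constructed stand-in for a malicious firmware image so the hash check has
# something to match. NOT a real Cyclops Blink sample.
SAMPLE_BAD_IMAGE = b"constructed-placeholder-firmware-image"

# Placeholder IoC set: RFC 5737 documentation addresses and the hash of the
# constructed bytes above. Replace with the advisory's real indicators.
IOCS = {
    "ips": {"192.0.2.10", "198.51.100.7"},
    "sha256": {hashlib.sha256(SAMPLE_BAD_IMAGE).hexdigest()},
}

# Assumed (hypothetical) log format:
# "<date> <time> <host> <Allow|Deny> <src>:<sport> -> <dst>:<dport>"
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<action>Allow|Deny) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match the format."""
    m = LOG_LINE_RE.match(line)
    return m.groupdict() if m else None


def find_ioc_hits(lines, iocs=IOCS):
    """Return one record per log line whose source or destination is a listed address."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or unrelated line: skipped, not treated as a hit
        for side in ("src", "dst"):
            if rec[side] in iocs["ips"]:
                hits.append({
                    "ts": rec["ts"],
                    "host": rec["host"],
                    "action": rec["action"],
                    "direction": "outbound" if side == "dst" else "inbound",
                    "peer": rec[side],
                })
                break
    return hits


def repeated_peers(hits, threshold=2):
    """Listed peers contacted outbound at least `threshold` times.

    Repeated outbound contact with a listed address is the pattern a
    command-and-control channel tends to leave in firewall logs."""
    counts = Counter(h["peer"] for h in hits if h["direction"] == "outbound")
    return {peer: n for peer, n in counts.items() if n >= threshold}


def firmware_image_is_listed(image_bytes, iocs=IOCS):
    """True if the SHA-256 of a firmware image is among the listed bad hashes."""
    return hashlib.sha256(image_bytes).hexdigest() in iocs["sha256"]


# Constructed sample log lines; 10.0.0.1 plays the firewall's own management address.
SAMPLE_LOGS = [
    "2022-03-01 10:00:01 fw-edge Allow 10.0.0.5:51234 -> 203.0.113.20:443",
    "2022-03-01 10:00:07 fw-edge Allow 10.0.0.1:44001 -> 192.0.2.10:443",
    "2022-03-01 10:05:07 fw-edge Allow 10.0.0.1:44002 -> 192.0.2.10:443",
    "2022-03-01 10:06:00 fw-edge Deny 198.51.100.7:2222 -> 10.0.0.1:22",
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    hits = find_ioc_hits(SAMPLE_LOGS)
    for h in hits:
        print(h)
    print("repeated outbound peers:", repeated_peers(hits))
    print("sample image listed:", firmware_image_is_listed(SAMPLE_BAD_IMAGE))
```

Run against real data, the interesting hits are the outbound ones whose source is the firewall itself, since the article describes the compromised appliance, not the hosts behind it, as the device talking to the command-and-control server; the hash check is the complement, applied to any firmware image a device reports or that is staged for installation.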
