The US Department of Justice (DOJ) has announced that it has successfully eradicated the Cyclops Blink malware, which attacked vulnerable internet-connected firewall devices made by the tech firms WatchGuard and Asus. The operation interrupted the control that the Russian Federation's Main Intelligence Directorate (GRU) held over a botnet of thousands of infected devices.
Previously attributed to Russia’s GRU, the Sandworm threat group is behind the campaign that targeted the routers and devices of WatchGuard and Asus, wherein they utilised the Cyclops Blink malware for command and control.
Disabling the threat group's command and control mechanism allowed the DOJ to remove the malware from the compromised WatchGuard and Asus devices and disrupt Sandworm's operations.
However, the agency warned that the affected devices could remain vulnerable to Sandworm and its malware if device owners fail to apply the mitigations and remediations provided by the two tech firms.
Several agencies under the DOJ, including the US National Security Agency (NSA) and the UK's National Cyber Security Centre (NCSC), first issued a public advisory about the Russian malware on February 23, explaining that it had emerged as the successor to an earlier Sandworm botnet that had been taken down.
Upon the release of the advisory, WatchGuard provided its clients with the detection and remediation tools that they needed to execute to protect themselves from the threat, followed immediately by Asus. Despite the release of the remediation tools, many device owners were still infected.
The DOJ's subsequent operation effectively eradicated the Cyclops Blink malware and disrupted the threat group's operations. Nonetheless, the agency did not collect information from the victims' networks, and the operation did not involve the FBI in communications with the bot devices.
In a statement, an attorney explained that the DOJ's operation demonstrated the agency's commitment to disrupting nation-state hacking campaigns with every legal tool at its disposal. The statement added that, by working closely with the two affected companies, WatchGuard and Asus, along with other relevant groups, the agency had thoroughly analysed the malware and developed the necessary detection and remediation tools.