FBI-Led Operation Disrupts Russian GRU Botnet

The FBI in March targeted and disabled the command and control communications of a botnet controlled by the infamous Russian General Staff Main Intelligence Directorate (GRU) hacking team Sandworm, the US Department of Justice (DoJ) announced today.

The botnet used WatchGuard Technologies and ASUSTek Computer (ASUS) firewalls compromised with the so-called Cyclops Blink malware, which the Cybersecurity and Infrastructure Security Agency (CISA) first warned about on Feb. 23. In an FBI-led operation, officials removed Cyclops Blink malware from the compromised firewalls that gave Sandworm potential access to systems within the firewall operators' networks.

WatchGuard and ASUS both issued detection and guidance for their firewall customers on Feb. 23, but most of the thousands of devices on the botnet were still infected as of March.

In addition to removing the malware from the devices, the FBI also shut the remote management ports Sandworm had set up for accessing the devices. That stopped the Sandworm team from reaching the devices, but WatchGuard and ASUS device owners still must execute the detection and remediation steps provided by the two vendors to ensure Sandworm can't still abuse the devices, the DoJ said.

"If you believe you have a compromised device, please contact your local FBI Field Office for assistance. The FBI continues to conduct a thorough and methodical investigation into this cyber incident," the DoJ stated in its press advisory on the operation.

Cyclops Blink replaced a previous Sandworm botnet that ran on VPNFilter, which the DoJ sinkholed in May 2018.