FBI-Led Operation Disrupts Russian GRU Botnet

"Cyclops Blink" operation disabled firewalls behind the Sandworm hacking team's network of infected victim devices.

Dark Reading Staff, Dark Reading

April 6, 2022


The FBI in March targeted and disabled the command and control communications of a botnet controlled by the infamous Russian General Staff Main Intelligence Directorate (GRU) hacking team Sandworm, the US Department of Justice (DoJ) announced today.

The botnet used WatchGuard Technologies and ASUSTek Computer (ASUS) firewalls compromised with the so-called Cyclops Blink malware, which the Cybersecurity and Infrastructure Security Agency (CISA) first warned about on Feb. 23. In an FBI-led operation, officials removed Cyclops Blink malware from the compromised firewalls that gave Sandworm potential access to systems within the firewall operators' networks.

WatchGuard and ASUS both issued detection and guidance for their firewall customers on Feb. 23, but most of the thousands of devices on the botnet were still infected as of March.

In addition to removing the malware from the devices, the FBI also closed the remote management ports Sandworm had set up for accessing the devices. That stopped the Sandworm team from reaching the devices, but WatchGuard and ASUS device owners still must carry out the detection and remediation steps provided by the two vendors to ensure Sandworm can no longer abuse the devices, the DoJ said.

"If you believe you have a compromised device, please contact your local FBI Field Office for assistance. The FBI continues to conduct a thorough and methodical investigation into this cyber incident," the DoJ stated in its press advisory on the operation.

Cyclops Blink replaced a previous Sandworm botnet that ran on VPNFilter, which the DoJ sinkholed in May 2018.
