The Federal Bureau of Investigation has disclosed it carried out an operation in March to mass-remove malware from thousands of compromised routers that formed a massive botnet controlled by Russian intelligence.
The operation was authorized by courts in California and Pennsylvania, allowing the FBI to copy and remove the so-called Cyclops Blink malware from infected Asus and WatchGuard routers across the U.S., severing the devices from the servers that remotely control and send instructions to the wider botnet.
The Justice Department announced the March operation on Wednesday, describing it as “successful,” but warned that device owners should still review the initial February 23 advisory to secure their compromised devices and prevent re-infection.
The Justice Department said that since the news first emerged about the rising threat of Cyclops Blink in February, thousands of compromised devices have been secured, but justified the court-ordered operation because the “majority” of infected devices were still compromised just weeks later in mid-March.
Cyclops Blink is believed to be the successor to VPNFilter, a botnet largely neglected after it was exposed by security researchers in 2018 and later targeted by a U.S. government operation to disrupt its command and control servers. Both Cyclops Blink and VPNFilter are attributed to Sandworm, a group of hackers working for Russia’s GRU, the country’s military intelligence unit.
U.S. authorities did not speculate on the goal of the Cyclops Blink botnet, but security researchers say the botnet is capable of collecting information and conducting espionage, launching distributed denial-of-service attacks that overload websites and servers with junk traffic, and carrying out destructive attacks that render the devices inoperable and cause system and network disruptions.
Sandworm is particularly known for launching disruptive hacks over the years, including knocking the Ukrainian power grid offline, using malware to try to blow up a Saudi petrochemical plant, and more recently deploying a destructive wiper targeting the Viasat satellite network over Ukraine and Europe.
John Hultquist, vice president of intelligence analysis at Mandiant, said in response to the FBI’s operation: “Sandworm is the premier Russian cyber attack capability and one of the actors we have been most concerned about in light of the invasion. We are concerned that they could be used to hit targets in Ukraine, but we are also concerned they may hit targets in the West in retribution for the pressure being placed on Russia.”
The operation is one of only a handful of times that federal authorities have actively accessed victims’ infected devices, often by using the very same vulnerabilities used to hack them originally, in order to remove the malware and render it ineffective. Federal authorities have justified the action before when faced with mass-hacking events in which victims failed to patch their systems.
Last April, the FBI launched a first-of-its-kind operation to copy and remove a backdoor left behind by Chinese spies, who had mass-hacked thousands of vulnerable Exchange servers in order to steal contact lists and email inboxes.