The FBI has remotely accessed and disinfected devices located in the United States that were running a powerful new strain of Russian state botnet malware, federal authorities said Wednesday, adding that the Kremlin used the malware to stealthily hack into adversaries.
The infected devices consisted mainly of firewall appliances from WatchGuard and, to a lesser extent, network devices from Asus. Both manufacturers recently published advisories with recommendations for hardening or disinfecting devices infected with the botnet, known as Cyclops Blink. It is the latest botnet malware from the Russian state hacking group Sandworm, which is among the most elite and destructive state-sponsored hacking teams in the world.
Take back control
Cyclops Blink was revealed in February in a notice issued jointly by the UK's National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI). WatchGuard said at the time that the malware had infected around 1% of the network devices it manufactured.
Cyclops Blink replaced another piece of Sandworm malware, known as VPNFilter, which researchers found in 2018 infecting 500,000 US-based routers made by Linksys, MikroTik, Netgear, QNAP and TP-Link. The FBI quickly seized a server that Sandworm was using to infect devices with VPNFilter. Once that was done, the bureau asked the public to restart their devices. With that, the botnet was taken down.
Cyclops Blink was Sandworm's attempt to regain persistent control of network devices, and the malware almost worked. In a court affidavit unsealed Wednesday, federal prosecutors wrote:
As with VPNFilter, Sandworm actors have deployed Cyclops Blink to network devices around the world in what appears to be an indiscriminate way; i.e., the infection by Sandworm actors of a particular device appears to have been motivated by that device’s vulnerability to malware, rather than a concerted effort to target that particular device or its owner for other reasons. Sandworm actors did this by exploiting software vulnerabilities in various network devices, primarily WatchGuard firewall appliances. In particular, WatchGuard devices are vulnerable to an exploit that allows unauthorized remote access to the management panels of these devices.
The botnet persisted even after February 23. That's when WatchGuard, in coordination with the FBI, issued instructions for restoring infected devices to a clean state and configuring devices to prevent unrestricted access to management interfaces. WatchGuard also patched a vulnerability identified as CVE-2022-23176, an authentication bypass that was reachable when appliances were configured to allow unrestricted management access from external IP addresses. Although the CVE was only issued this year, WatchGuard said Wednesday that the vulnerability had been fully patched in May 2021.
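The hardening step the article describes, restricting management access to trusted sources, is the kind of check a defender can run over a firewall policy before and after remediation. The following is an added example, not code from the article, WatchGuard or Asus: it uses a constructed, vendor-neutral rule format rather than any appliance's real configuration syntax, and the set of ports treated as management ports is an assumption. It flags allow rules on the external interface that expose a management port to any source (0.0.0.0/0 or ::/0) and rewrites them to a trusted administrator network, or turns them into deny rules when no trusted network of the matching address family exists.

```python
"""Audit a firewall policy for management interfaces exposed to any external source.

Added example: constructed rule format, not a real appliance's policy syntax.
"""
import ipaddress
from dataclasses import dataclass, replace

# Assumption: ports an administrator treats as management interfaces on the appliance.
MANAGEMENT_PORTS = {22, 443, 8080}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str     # "allow" or "deny"
    src: str        # permitted source network in CIDR notation
    dst_port: int   # destination port on the appliance
    iface: str      # interface the rule applies to: "external" or "trusted"


# Constructed sample policy for the demonstration (not taken from any real device).
SAMPLE_RULES = [
    Rule("web-ui-any", "allow", "0.0.0.0/0", 8080, "external"),      # exposed
    Rule("ssh-admin", "allow", "203.0.113.0/24", 22, "external"),     # already restricted
    Rule("https-any-v6", "allow", "::/0", 443, "external"),           # exposed over IPv6
    Rule("lan-web-ui", "allow", "0.0.0.0/0", 8080, "trusted"),        # internal side, not flagged
    Rule("deny-all", "deny", "0.0.0.0/0", 8080, "external"),          # deny rules never flagged
]


def is_unrestricted(src: str) -> bool:
    """True when the source covers the whole address space (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(src, strict=False).prefixlen == 0


def find_exposed_management_rules(rules) -> list:
    """Names of allow rules that open a management port on the external interface to any source."""
    return [
        r.name
        for r in rules
        if r.action == "allow"
        and r.iface == "external"
        and r.dst_port in MANAGEMENT_PORTS
        and is_unrestricted(r.src)
    ]


def restrict_to_admin_nets(rules, admin_nets) -> list:
    """Return a hardened copy of the policy.

    Each exposed rule is rewritten to the trusted admin network of the same address
    family; if no such network is given, the rule becomes a deny rule rather than
    being left open.
    """
    trusted = {}
    for net in admin_nets:
        parsed = ipaddress.ip_network(net, strict=False)
        trusted[parsed.version] = str(parsed)
    exposed = set(find_exposed_management_rules(rules))
    hardened = []
    for r in rules:
        if r.name not in exposed:
            hardened.append(r)
            continue
        family = ipaddress.ip_network(r.src, strict=False).version
        if family in trusted:
            hardened.append(replace(r, src=trusted[family]))
        else:
            hardened.append(replace(r, action="deny"))
    return hardened


if __name__ == "__main__":
    print("exposed before:", find_exposed_management_rules(SAMPLE_RULES))
    fixed = restrict_to_admin_nets(SAMPLE_RULES, ["203.0.113.0/24"])
    print("exposed after: ", find_exposed_management_rules(fixed))
    for r in fixed:
        print(f"  {r.name:14} {r.action:5} src={r.src:16} port={r.dst_port} iface={r.iface}")
```

The check deliberately ignores rules on the trusted interface and any deny rule, so it reports only the condition the advisory warns about: an allow rule that lets arbitrary external addresses reach a management port. Running the audit again on the hardened policy should return an empty list.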
Slippery slopes and the law of unintended consequences
However, following the February advisory, the number of devices in the Cyclops Blink botnet decreased by only 39%. In response, the FBI went further than it had with VPNFilter in 2018. In a covert takedown operation authorized by a federal warrant, agents remotely accessed infected WatchGuard devices at 13 US-based IP addresses. From there, agents:
- Confirmed the presence of the Cyclops Blink malware
- Recorded the serial number Cyclops Blink used to track its bots
- Copied a list of other devices also infected with Cyclops Blink
- Disinfected the devices
- Closed the Internet-facing management ports to prevent Sandworm from regaining remote access
This isn't the first time the FBI has remotely accessed an infected device to remove a threat, but it is an early example. Many security professionals have raised concerns that such moves could cause damage if they accidentally disrupt a critical process. Privacy advocates have also decried the exposure of individuals' information that such actions can entail.
Jake Williams, a former NSA hacker and now executive director of cyber threat intelligence at security firm SCYTHE, expressed similar concerns about the case. He said the specific actions taken by the FBI, however, left him feeling more comfortable. In a message, he wrote:
I think it's still risky for LE [law enforcement] to modify anything on a server that they do not control. However, in this case, I don't think there was a significant risk, so the benefits clearly outweighed the risks. Many will cite slippery slope arguments as reasons why this particular action was inappropriate, but I think that is wrong. The fact that the FBI coordinated with a private company (WatchGuard) in this action is particularly significant.
The FBI affidavit says that last September, agents interviewed representatives of a company operating an infected device on its network. The company authorized officers to take a forensic image of the machine and “prospectively observe network traffic associated with the firewall appliance.”