U.S. officials have revealed a previously undisclosed law enforcement operation against “Sandworm,” the powerful Russian hacking team known for its dexterous and destructive capabilities.
The operation, which took place in March, saw the FBI secure court authorization to hack and disrupt “Cyclops Blink,” a large botnet of thousands of malware-infected network devices allegedly operated by the Russian hackers.
During a press conference Wednesday morning, Justice Department and FBI officials explained that they had recently secured legal authorization from courts in California and Pennsylvania to hack command and control servers used by Sandworm to operate the malicious network. The hacking of the C2 servers removed the malware that had infected the machines, effectively severing the botnet operators from their bot herds and disabling the malicious network at its source.
While the devices that were previously controlled by the C2s, i.e., the “bots,” are still infected by Sandworm’s malware, they can no longer be controlled by the network’s operators, officials said.
“This operation is an example of the FBI’s commitment to combatting cyber threats through our unique authorities, capabilities, and coordination with our partners,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division during the media appearance. “As the lead domestic law enforcement and intelligence agency, we will continue pursuing cyber actors that threaten the national security and public safety of the American people, our private sector partners and our international partners.”
The menacing entity at the centre of this operation, Sandworm, is thought to be one of the Russian government’s most fearsome and talented hacking groups. Threat researchers believe it’s operated by the General Main Intelligence Directorate of the General Staff of the Russian Armed Forces, or GRU — one of Russia’s top intelligence agencies. In the past, it has been blamed for numerous large, destructive hacks — including a cyberattack on Ukraine’s power grid in 2015 that temporarily led to widespread outages.
“Cyclops Blink,” the modular malware deployed by Sandworm, is a malicious Linux ELF executable that officials say has been used to infect thousands of network hardware devices scattered throughout the world. Most recently, Sandworm pivoted to using “Blink” to infect products from WatchGuard Technologies and ASUSTek Computer (ASUS) firewalls. Such devices are used for network security, primarily in home office environments and by small to mid-size businesses. In February, law enforcement officials in the U.S. and Europe warned of Sandworm’s new campaign to infect devices using the “Blink” malware, noting that it was mostly targeted at WatchGuard devices.
When reached for comment, WatchGuard told Gizmodo that after hearing of the infections it had worked quickly to release “detection and remediation tools to protect its partners and customers” and that the “Cyclops” infections had ultimately affected “less than 1% of WatchGuard appliances.”
Botnets’ malicious networks are commonly used to conduct cyberattacks and aid in malicious criminal activity. However, U.S. officials say they were able to disrupt “Blink” before it could be effectively “weaponised.”
During Wednesday’s press conference, Attorney General Merrick Garland explained that the takedown of “Cyclops Blink” had been part of a broader push by U.S. agencies to stamp out Russian criminal activity — and to punish Russia for its recent military invasion of Ukraine.
“The Russian government has recently used similar infrastructure to attack Ukrainian targets. Fortunately, we were able to disrupt this botnet before it could be used,” said Garland. “Thanks to our close work with international partners, we were able to detect the infection of thousands of network hardware devices. We were then able to disable the GRU’s control over those devices before the botnet could be weaponised.”
Garland also noted America’s role in Tuesday’s takedown of the “Russia-affiliated” darknet marketplace Hydra, which was initially announced by German federal police. Garland added that charges had been filed against a “Russian national” who is believed to be the administrator of the “market’s technical infrastructure.”