U.S., U.K. Agencies Warn of New Russian Botnet Built from Hacked Firewall Devices
Samsung reportedly shipped 100 million smartphones containing botched encryption
February 28, 2022WECC Hosting Spring Reliability & Security Workshop
March 1, 2022
Summary:
The United Kingdom's (UK) National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) in the U.S. have identified that the actor known as Sandworm or Voodoo Bear is using a new malware, referred to here as Cyclops Blink. The NCSC, CISA, and the FBI have previously attributed the Sandworm actor to the Russian General Staff Main Intelligence Directorate’s Russian (GRU’s) Main Centre for Special Technologies (GTsST).
Additional Discussion:
The malicious cyber activity below has previously been attributed to Sandworm.
- The BlackEnergy disruption of Ukrainian electricity in 2015 Industroyer in 2016
- NotPetya in 2017
- Attacks against the Winter Olympics and Paralympics in 2018
- A series of disruptive attacks against Georgia in 2019
Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, and which exploited network devices, primarily small office/home office (SOHO) routers and network attached storage (NAS) devices.
This advisory summarizes the VPNFilter malware it replaces, and provides more detail on Cyclops Blink, as well as the associated tactics, techniques and procedures (TTPs) used by Sandworm. An NCSC malware analysis report on Cyclops Blink is also available.
It also provides mitigation measures to help organizations defend against malware.
Associated Files:
Link
