US authorities have dismantled a large global botnet operated by Russia’s GRU military intelligence agency.
Attorney General Merrick Garland announced the disruption on Wednesday, saying the operation prevented the botnet from being weaponized.
“Fortunately, we were able to disrupt this botnet before it could be used. Thanks to our close work with international partners, we detected infections on thousands of network hardware devices,” Garland said.
“We then disabled the GRU’s control over those devices before the botnet could be turned into an active threat.”
In recent months, Russia has been tied to multiple cyberattacks. On the day Russia invaded Ukraine, attackers targeted satellite operator Viasat using malware linked to Russian actors, resulting in an outage that affected thousands of customers across Ukraine and Europe.
That Viasat incident also disrupted communication with 5,800 Enercon wind turbines in Germany, leaving them unable to report telemetry or accept remote control. Security experts warned that similar attacks against more critical infrastructure could prompt serious escalation. NATO has made clear that a cyberattack on a member state could trigger a collective alliance response.
Western nations have been preparing for the possibility of large-scale retaliatory cyberoperations from Russia as a response to international support for Ukraine.
New sanctions announced this week by the US, UK and EU—meant to respond to documented war crimes such as rape, torture and the killing of civilians—have raised concerns that Russia might resort to cyberattacks in retaliation.
“This court-authorized removal of malware deployed by the Russian GRU demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division.
“By working closely with WatchGuard and other government partners in the United States and United Kingdom to analyse the malware and develop detection and remediation tools, we are demonstrating the strength of public-private collaboration in protecting cybersecurity. The department will continue confronting and disrupting nation-state hacking in all its forms.”
The operation targeted a two-tiered global botnet that controlled thousands of infected network devices. Security researchers have attributed this threat actor, known as Sandworm, to the GRU.
The malware, dubbed “Cyclops Blink,” was publicly identified by the UK’s National Cyber Security Centre, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI and the National Security Agency on 23 February 2022. Cyclops Blink appears to be the successor to another Sandworm-linked botnet known as VPNFilter.
“Through close collaboration with WatchGuard and our law enforcement partners, we identified, disrupted and exposed yet another example of the Russian GRU’s hacking of innocent victims in the United States and around the world,” said US Attorney Cindy K. Chung for the Western District of Pennsylvania.
“These actions are criminal and threaten the national security of the United States and its allies. My office remains committed to working with partners in the National Security Division, the FBI, foreign law enforcement, and the private sector to defend and maintain our nation’s cybersecurity.”
A major joint response from public and private organizations was launched to neutralize the botnet. That effort included releasing tools to remove the malware and providing firmware updates for affected devices. Despite those measures, a significant number of compromised devices remained infected through mid-March.
After a court authorization on 18 March 2022, the operation successfully copied and removed the malware from all identified devices. As an added precaution, the external management ports used by Sandworm to access the devices were closed.
“The FBI prides itself on working closely with our law enforcement and private sector partners to expose criminals who hide behind their computers and launch attacks that threaten Americans’ safety, security, and confidence in our digitally connected world,” said Mike Nordwall of the FBI’s Pittsburgh Field Office.
“The FBI is steadfast in its commitment to combat and disrupt Russia’s efforts to gain a foothold inside US and allied networks.”
Disrupting this botnet will hinder Russia’s ability to mount large-scale cyberattacks that could significantly impact Western economies. Nonetheless, officials urge continued vigilance given the elevated risk environment for cybersecurity incidents.