FBI operation aims to take down massive Russian GRU botnet

The Federal Bureau of Investigation has disclosed it carried out an operation in March to mass-remove malware from thousands of compromised routers that formed a massive botnet controlled by Russian intelligence.

The operation was authorized by courts in California and Pennsylvania, allowing the FBI to copy and remove the so-called Cyclops Blink malware from infected Asus and WatchGuard routers across the U.S., severing the devices from the servers that remotely control and send instructions to the wider botnet.

The Justice Department announced the March operation on Wednesday, describing it as “successful,” but warned that device owners should still take immediate action to prevent reinfection.

The Justice Department said that since the news first emerged about the rising threat of Cyclops Blink in February, thousands of compromised devices have been secured, but justified the court-ordered operation because the “majority” of infected devices were still compromised just weeks later in mid-March.

Cyclops Blink is believed to be the successor to VPNFilter, a botnet largely neglected after it was exposed by security researchers in 2018 and later targeted by a U.S. government operation to disrupt its command and control servers. Both Cyclops Blink and VPNFilter are attributed to Sandworm, a group of hackers working for Russia’s GRU, the country’s military intelligence unit.

U.S. authorities did not speculate on the goal of the Cyclops Blink botnet, but security researchers say the botnet is capable of collecting information and conducting espionage, launching distributed denial-of-service attacks that overload websites and servers with junk traffic, and carrying out destructive attacks that render the devices inoperable and cause system and network disruptions.

Sandworm is particularly known for launching disruptive hacks over the years, including knocking the Ukrainian power grid offline, using malware to try to blow up a Saudi petrochemical plant, and more recently deploying a destructive wiper targeting the Viasat satellite network over Ukraine and Europe.

The FBI said it has contacted affected device owners, and via their internet providers where victims’ contact information isn’t publicly available, to notify victims of the FBI’s operation. The Justice Department said device owners should review the initial February 23 advisory to secure their compromised devices and prevent re-infection.

The operation is one of only a handful of times that federal authorities have actively accessed victims’ infected devices, often using the very same vulnerabilities originally used to hack them, in order to remove the malware and render it ineffective. Federal authorities have justified such action before when faced with mass-hacking events in which victims failed to patch their systems.

Last April, the FBI launched the first-of-its-kind operation to copy and remove a backdoor left behind by Chinese spies, who had mass-hacked thousands of vulnerable Exchange servers in order to steal contact lists and email inboxes.
