Cyclops Blink Botnet Malware

The U.S. Department of Justice (DoJ) announced that it neutralized Cyclops Blink, a modular botnet controlled by a threat actor known as Sandworm, which has been attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

"The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command-and-control (C2) of the underlying botnet," the DoJ said in a statement Wednesday.

In addition to disrupting its C2 infrastructure, the operation also closed the external management ports that the threat actor used to establish connections with the firewall appliances, effectively severing contact and preventing the hacking group from using the infected devices to commandeer the botnet.


The March 22 court-authorized disruption of Cyclops Blink comes a little over a month after intelligence agencies in the U.K. and the U.S. described the botnet as a replacement framework for the VPNFilter malware that was exposed and sinkholed in May 2018.

Cyclops Blink, which is believed to have emerged as early as June 2019, primarily targeted WatchGuard firewall appliances and ASUS routers, with the Sandworm group leveraging a previously identified security vulnerability in WatchGuard's Firebox firmware as an initial access vector.

A follow-up analysis by cybersecurity firm Trend Micro last month suggested the possibility that the botnet is an attempt to "build an infrastructure for further attacks on high-value targets."


"These network devices are often located on the perimeter of a victim's computer network, thereby providing Sandworm with the potential ability to conduct malicious activities against all computers within those networks," the DoJ added.

Details of the security flaw were never made public beyond the fact that the company addressed the issue as part of software updates issued in May 2021, with WatchGuard noting to the contrary that the vulnerabilities were internally detected and that they were not "actively found in the wild."

The company has since revised its Cyclops Blink FAQs to spell out that the vulnerability in question is CVE-2022-23176 (CVSS score: 8.8), which could "allow an unprivileged user with access to Firebox management to authenticate to the system as an administrator" and gain unauthorized remote access.

ASUS, for its part, has released firmware patches as of April 1, 2022, to block the threat, recommending users to update to the latest version.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.