The FBI and a contingent of U.S. agencies and cybersecurity professionals have removed malware from vulnerable internet-connected firewall devices to remove the Russian-implanted botnet Sandworm and disable the command and control infrastructure on thousands of underlying victim devices.
Via a court order, the FBI “copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet. Although the operation did not involve access to the Sandworm malware on the thousands of underlying victim devices worldwide, referred to as ‘bots,’ the disabling of the C2 mechanism severed those bots from the Sandworm C2 devices’ control,” the Justice Department said in a press release.
Sandworm has previously been attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation, also known as the GRU.
The action comes at a critical time as it relates to nation-state hacking and Russia, with U.S. agencies issuing warnings about possible attacks against U.S. networks in the wake of the Ukraine crisis.
Here’s what happened
According to the DOJ, U.S. agencies and UK counterparts issued an advisory on Feb. 23 identifying the Cyclops Blink malware, which targets networking devices from WatchGuard Technologies and ASUS, which are typically located on the perimeter of a victim’s computer network and give botnets the ability to spread to all computers within the network.
That same day, WatchGuard released detection and remediation tools for users of those devices, urging them to remove any malware and patch the devices to prevent exploitations of any vulnerabilities. ASUS also released its own guidance to help compromised users mitigate the Cyclops Blink malware threat.
“The public and private sector efforts were effective, resulting in the successful remediation of thousands of compromised devices,” the DOJ says. “However, by mid-March, a majority of the originally compromised devices remained infected.”
After a court authorization on March 18, the FBI successfully copied and removed the malware from all remaining identified C2 devices and closed the external management ports that Sandworm was using to access those devices, per WatchGuard’s recommendations. Those efforts were largely successful in preventing Sandworm from accessing and controlling those devices, but some devices may remain vulnerable.
What is Sandworm?
In remarks, FBI Director Christopher Wray said the malware was removed from the devices which are primarily used by small businesses for network security. The WatchGuard devices in question were the Firebox line of products that are typically deployed in home office and small-to-medium-sized businesses.
Wray called Sandworm a specific unit within the GRU known in the FBI and other agencies as the Sandworm Team. According to Wray, Sandworm strung the devices together to use their computing power to obfuscate who was behind the botnet attack and launch malware or conduct DDOS attacks like the GRU has done against Ukraine.
Wray also gave a brief history lesson of the Sandworm team, including:
- Disruption of the Ukrainian electric grid in 2015
- Attacks against the Winter Olympics and Paralympics in 2018
- Disruptive attacks against Georgia in 2019
- NotPetYa attacks in 2017, causing more than $10 billion in damages in Europe and the U.S.
What did the FBI access?
According to the DOJ, the operation leveraged “direct communication with the Sandworm malware on the identified C2 devices” and did not search for or collect other information from the victim networks other than the C2 devices’ serial numbers through an automated script.
“Further, the operation did not involve any FBI communications with bot devices,” the department says.
Before WatchGuard’s Feb. 23 advisory, the FBI had been trying to notify owners of infected WatchGuard devices in the U.S. and abroad, including by contacting victims’ ISP providers and asking them to notify affected customers, the DOJ says, adding that agencies notified U.S.-based organizations that the FBI copied and removed the malware from their devices.
Are all WatchGuard and ASUS devices now safe?
Not necessarily, according to Wray and the DOJ. Agencies have been working with WatchGuard to analyze the malware and develop tools and remediation techniques over the last few weeks, and Sandworm is no longer able to control the devices on the botnet network.
However, any devices that acted as bots could still be vulnerable in the future if organizations don’t take steps to mitigate any compromise and patch their devices. WatchGuard has issued detailed instructions on how to do that, as has ASUS.
“The department strongly encourages network defenders and device owners to review the Feb. 23 advisory and WatchGuard and ASUS releases,” the DOJ says.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!
Leave a Reply