The UK and US governments have identified a new form of malware developed by Russian hackers that targets network devices.
Dubbed Cyclops Blink, the malware is linked to the Sandworm hacking group. Sandworm, also known as APT 28 and Fancy Bear, has been linked to various hacks over the past six to seven years. Sandworm is believed to be led by Unit 74455 of the Russian Main Intelligence Directorate, a military intelligence agency of the General Staff of the Armed Forces.
Cyclops Blink is described by the UK’s National Cyber Security Center as a replacement framework for the VPNFilter malware first discovered in 2018. Like VPNFilter, Cyclops Blink exploits network devices, primarily small office and home office (SOHO) routers and network-attached storage (NAS) devices.
Although only now detailed, Cyclops Blink is believed to have been active since June 2019. As with VPNFilter, the deployment of Cyclops Blink seems indiscriminate and widespread.
So far, Sandworm has mainly deployed Cyclops Blink on WatchGuard devices. WatchGuard Technologies Inc. is a network security vendor that provides products designed to protect computer networks from outside threats.
The malware itself is described as sophisticated and modular, with the functionality to send device information back to a server. Cyclops Blink may also allow downloading and execution of files. The modular nature of the malware allows Sandworm to implement additional functionality as needed.
After exploitation, Cyclops Blink organizes the victims’ devices into clusters, and each deployment has a list of IP addresses and command and control ports that it uses. Communications between Sandworm and compromised devices are protected by Transport Layer Security using individually generated keys and certificates. Sandworm manages Cyclops Blink by connecting to the command and control layer through the Tor network.
The agencies warn that Cyclops Blink persists across reboots and throughout legitimate firmware updates.
Working with the UK’s NCSC, the US Federal Bureau of Investigation, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, WatchGuard has provided tools and guidance to enable the detection and removal of Cyclops Blink. WatchGuard has published details on how to do this.
Additionally, the warning states that if a device is identified as infected with Cyclops Blink, all passwords present on it should be assumed compromised and therefore need to be replaced.