The US Department of Justice yesterday announced that it has disrupted a botnet operated by a group linked to Russia’s GRU intelligence agency. The FBI neutralised the botnet, known as Cyclops Blink, by cutting off its command and control servers and removing malware from network devices in use by businesses. This aggressive method of combating botnets could be indicative of a coordinated push against Russian cybercrime following the invasion of Ukraine, experts have told Tech Monitor.
How did the FBI take out the Cyclops Blink botnet?
In order to take down the Cyclops Blink botnet, the FBI secured a court-authorised search warrant granting the authority to access and wipe its command and control servers.
It also removed malware from thousands of network devices that were under the botnet’s control, including WatchGuard firewall appliances and ASUS routers, and closed off their connection to the command and control servers. (WatchGuard and ASUS have both published security guidance on Cyclops Blink.)
“We removed malware from devices used by thousands of mostly small businesses for network security all over the world,” said FBI director Christopher Wray at a press conference yesterday. “And then we shut the door the Russians had used to get into them.”
Sandworm, the APT group operating the botnet, had used these devices to extend the botnet’s reach, the DoJ said. “These network devices are often located on the perimeter of a victim’s computer network, thereby providing Sandworm with the potential ability to conduct malicious activities against all computers within those networks,” it explained in a statement.
Sandworm is alleged to be a ‘cyber military’ unit of Russia’s GRU intelligence agency. In 2020, the US Department of Justice charged six alleged GRU members with cybercriminal activity linked to Sandworm, including the NotPetya malware that targeted Ukrainian institutions during the 2014 conflict.
A new aggressive stance in cyberspace
The techniques employed by the FBI in the takedown of Cyclops Blink are relatively new, explains Jon Andrews, VP of EMEA at security company Gurucul. “Usually the mitigation technique is to flow the traffic somewhere else so the infrastructure isn’t crippled by a DDoS attack,” he says. “In this case, [the FBI] essentially cut the botnet off its source so it can’t function, essentially cutting its legs from underneath it.
“This is a really interesting mitigation technique,” Andrews adds. “It’s not something that I’ve seen as widely used.”
The announcement may have been timed to send a message to the Russian government, which is understood to be using cyberattacks as part of its assault on Ukraine, Andrews suggests. “They’re announcing the fact that they can completely equalize this sort of threat at a time when there is talk of cyberattacks being ramped up.”
The tactic suggests the FBI has been granted new authority to tackle cybersecurity threats aggressively, says Greg Austin, programme head of cyber, space and future conflict at the International Institute for Strategic Studies. “It certainly looks like it’s breaking new ground for the FBI,” he says. “It’s likely they’ve been given an authority and clear approval to do this.”
This is indicative of the US’ heightened cybersecurity concerns following Russia’s invasion of Ukraine, Austin explains. “We’re not operating at the tempo or the level of security concern we had before the Ukraine invasion,” he says. “It’s very much heightened. And in the same way that the Americans have been pouring military assistance into Ukraine, they’ve been pouring cybersecurity assistance into Ukraine.
“We can expect that the US is acting unilaterally in cyberspace at a much more robust level against Russia than before the 24th of February,” concludes Austin.