
FBI takedown of Cyclops Blink botnet suggests aggressive new stance

The FBI used aggressive new tactics to take down the Russia-backed botnet Cyclops Blink.

By Claudia Glover

The US Department of Justice yesterday announced that it has disrupted a botnet operated by a group linked to Russia’s GRU intelligence agency. The FBI neutralised the botnet, known as Cyclops Blink, by cutting off its command and control servers and removing malware from network devices in use by businesses. This aggressive method of combating botnets could be indicative of a coordinated push against Russian cybercrime following the invasion of Ukraine, experts have told Tech Monitor.

The FBI removed malware from thousands of infected network devices that were in use by businesses. (Image by Anadolu Agency / Getty Images)

To take down the Cyclops Blink botnet, the FBI secured a court-authorised search warrant granting it the authority to access and wipe the botnet’s command and control servers.

It also removed malware from thousands of network devices that were under the botnet’s control, including WatchGuard firewall appliances and ASUS routers, and closed off their connection to the command and control servers. (WatchGuard and ASUS have both published security guidance on Cyclops Blink.)

“We removed malware from devices used by thousands of mostly small businesses for network security all over the world,” said FBI director Christopher Wray at a press conference yesterday. “And then we shut the door the Russians had used to get into them.”

Sandworm, the APT group operating the botnet, had used these devices to extend the botnet’s reach, the DoJ said. “These network devices are often located on the perimeter of a victim’s computer network, thereby providing Sandworm with the potential ability to conduct malicious activities against all computers within those networks,” it explained in a statement.

Sandworm is alleged to be a ‘cyber military’ unit of Russia’s GRU intelligence agency. In 2020, the US Department of Justice charged six alleged GRU members with cybercriminal activity linked to Sandworm, including the NotPetya malware that targeted Ukrainian institutions during the 2014 conflict.

A new aggressive stance in cyberspace

The techniques employed by the FBI in the takedown of Cyclops Blink are relatively new, explains Jon Andrews, VP of EMEA at security company Gurucul. “Usually the mitigation technique is to flow the traffic somewhere else so the infrastructure isn’t crippled by a DDoS attack,” he says. “In this case, [the FBI] essentially cut the botnet off its source so it can’t function, essentially cutting its legs from underneath it.

“This is a really interesting mitigation technique,” Andrews adds. “It’s not something that I’ve seen as widely used.”

The announcement may have been timed to send a message to the Russian government, which is understood to be using cyberattacks as part of its assault on Ukraine, Andrews suggests. “They’re announcing the fact that they can completely equalize this sort of threat at a time when there is talk of cyberattacks being ramped up.”

The tactic suggests the FBI has been granted new authority to tackle cybersecurity threats aggressively, says Greg Austin, programme head of cyber, space and future conflict at the International Institute for Strategic Studies. “It certainly looks like it’s breaking new ground for the FBI,” he says. “It’s likely they’ve been given an authority and clear approval to do this.”

This is indicative of the US’ heightened cybersecurity concerns following Russia’s invasion of Ukraine, Austin explains. “We’re not operating at the tempo or the level of security concern we had before the Ukraine invasion,” continues Austin. “It’s very much heightened. And in the same way that the Americans have been pouring military assistance into Ukraine, they’ve been pouring cybersecurity assistance into Ukraine.

“We can expect that the US is acting unilaterally in cyberspace at a much more robust level against Russia than before the 24th of February,” concludes Austin.
